TrackMyStack is able to sync your portfolio and assets between different devices (eg. your phone and tablet). A lot of other apps or services compromise on your privacy in their implementation of syncing. We are committed to keep our promise that your net worth and portfolio details belong only to you and it will never be shared with us.
Categories of data sharing
- Full sharing: A service gets your email, name, last name and maintains a service where they keep your data. Your data is kept on their server. There can be various protections against unauthorized usage, however it is still stored on their server in an accessible form and when you log in they show you your data.
- Anonymous sharing: A service does not get your private information. They may get your email, which can be anonymous. Then your data is uploaded to their server and can be retrieved by your username and password. If you lose your password, you can reset it and then access your data again. That is because the data is shared with the service, with proper protections
- Fully private: A service does not get any of your private information. Not your name, not your email, not your credit card. Your data stays on your device. In order to sync with other devices with the help of the service provider’s servers it is fully encrypted with your own key, then uploaded to the server with a unique identifier derived from your key. You cannot reset your password if you lose your key, because your data is uploaded in encrypted form, it just can be stored on the service and retrieved by your devices, but can only be decrypted by your devices with the use of your key.
As you might have guessed TrackMyStack’s goal is to offer net worth and investment tracking with full privacy to our users so we are using the last mechanism.
Technical details of TrackMyStack syncing mechanism
- The app generates a 256 bit AES key, which is securely stored on your device
- The app then takes a SHA256 hash of your key, which is your user id.
- Each of your portfolios and assets has a unique GUID. In order to backup or sync the app uploads the following data to our services: Your user id, the portfolio or asset GUID, a last update timestamp, the type of the data (portfolio, asset), the encrypted contents of your portfolio or asset and the initialization vector of the AES key.
- When another of your devices wants to sync, it queries for the data that has your user id, then your local data is compared with the timestamps of the uploaded data. Some data may need to be downloaded and decrypted, other data will be encrypted and uploaded.
- At least one of your devices that is using a specified key (and user id) must have a premium subscription. When the app starts up it verifies the purchase receipts that are provided by the App Store or Play Store, by sending your user id, a unique installation id and your receipts to our service. That way we can track that some of your installations that use your user id has a valid premium subscription.
- The purchase receipts that are given to the app by the App Store or Play store only allow us to verify that there is an active premium subscription, Apple or Google does not provide any identifying information about the user.
We are soon going to provide details to access your data programmatically via an API, as well as provide libraries and code samples.