← Blog · App Features ·

Automatic Backups and Syncing

#Privacy #Syncing
Automatic Backups and Syncing

TrackMyStack is able to sync your portfolio and assets between different devices, such as your phone and tablet. A lot of other apps and services compromise on privacy in their implementation of syncing. We are committed to keeping our promise that your net worth and portfolio details belong only to you and are never shared with us.

Access your net worth anywhere, with complete privacy

When people talk about cloud syncing, they often bundle together very different privacy models. In practice, there are multiple categories of data sharing, and the differences matter.

Categories of data sharing

  • Full sharing: A service gets your name, email, and other personal details and stores your data on its own servers in accessible form. It may have protections in place, but the provider is still holding your data.
  • Anonymous sharing: A service does not necessarily know your identity, but your data is still uploaded in a retrievable form and can often be recovered by resetting a password.
  • Fully private: A service does not get your name, email, or credit card details, and your data stays under your control. If syncing uses a server, the data is encrypted with your own key before it is uploaded, and only your devices can decrypt it.

TrackMyStack is designed around the fully private model.

Technical details of TrackMyStack’s syncing mechanism

The syncing system is designed so that our service helps devices exchange encrypted data without gaining access to the financial data itself.

  • The app generates a 256-bit AES key and securely stores it on your device.
  • The app takes a SHA256 hash of that key, which becomes your user id.
  • Each portfolio and asset has its own unique GUID.
  • To back up or sync, the app uploads only the user id, the portfolio or asset GUID, a last-update timestamp, the type of data, the encrypted contents, and the initialization vector used by the AES key.
  • When another device syncs, it requests the records for that user id, compares timestamps, then downloads and decrypts what it needs while uploading any newer encrypted data from the device.

At least one device using that key and user id must have a premium subscription for syncing to work. The app verifies purchase receipts from Apple or Google by sending the user id, an installation id, and the receipts to our service. That lets us confirm an active premium subscription without receiving identifying information about the user.

This approach allows you to access your net worth across devices while preserving the privacy guarantees that TrackMyStack is built around.