Hey, dev here.
Since the target audience of the app is people who take security seriously, it was my goal to make the app as simple as possible. I cannot make guarantees, and the app has not been officially professionally reviewed - but I'd like to argue that it has been designed in a manner that at least provides a minimal attack surface in the first place.
Could it hide a backdoor?
The application is simple, small and I made an effort to provide plenty of code documentation. Those with basic programming knowledge should be able to look through the code and determine that nothing purposefully malicious has been put into place. It shouldn't take more than a couple hours to read through the entirety of the codebase, and an LLM can probably help you make sense of it.
There's still a risk of supply chain attacks though - i.e. there could be a backdoor within the app's dependencies. I tried to minimize the chance of this by making use of as few external libraries as possible. You'll find the list of dependencies in the build.gradle.kts file. Everything used there is pretty much standard Android/AndroidX and Google's Material and Tink libraries.
Could it be vulnerable?
No official professional security review has been done. But the attack surface has been kept minimal: if nothing is being shared, the app is basically inactive - aside from checking whether another profile is sharing something new. Even when encryption is turned off, the app only exposes files that have been explicitly selected for sharing across profiles. Nothing should be able to access what is being shared from outside the device. Files cannot be "pushed into" other profiles; when a file is shared, other profiles actively have to download it from there.
The biggest risk that comes to mind is the following: You visit a malicious website in your browser that bypasses cross-origin restrictions and is able to communicate with the app's exposed local port and download a currently shared file. I believe this to be very unlikely because (1) the app does not use HTTP as the communication protocol but a raw socket connection with JSON objects and (2) when encryption is enabled, it is not only the shared file's contents that are being encrypted but those JSON objects required for specifying which file you want to download in the first place are encrypted too. So with encryption enabled a malicious website or app would need to have the encryption password to be able to even find out what is currently being shared - and at the point where they have that, your phone is probably pwned already anyway.
Why could encryption make it "less reliable"?
It's simply due to the additional complexity that is introduced by having to encrypt and decrypt every single chunk of data that is being sent. Note that the app is a Kotlin application, so it comes with memory safety and things such as buffer overflows shouldn't become an exploitable issue even if there's a programming issue.
Encryption also causes an overhead for the processor and, particularly on weaker devices, this could cause issues when the app makes CPU usage spike for a big file. The worst that should happen here is that the download fails though.
Anyone with some Android app security experience is encouraged to take a look. I'm available for any questions.
I don't think that it's necessary to disable the entire app after each usage. Just hitting "Stop Sharing" after being done should be sufficient. That's what I personally do.
Hope that helps, cheers
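
For readers who want to check the dependency claim in the post themselves, here is one way to audit a `build.gradle.kts` against an allowlist. This is an added example, not part of the original post or the app's code; the allowlist, the `libs` catalog name and the sample file contents (including versions) are assumptions constructed for illustration.

```python
import re

# Group IDs matching what the post names: AndroidX, Material and Tink.
# This allowlist is an assumption of the example; adjust it to your own policy.
ALLOWED_EXACT = {"com.google.android.material", "com.google.crypto.tink"}
ALLOWED_PREFIX = "androidx."

# implementation("group:artifact:version") in the Gradle Kotlin DSL.
COORD = re.compile(r'^\s*(\w+)\(\s*(?:platform\()?"([^":]+):([^":]+)')
# Version-catalog references such as implementation(libs.androidx.appcompat);
# the real coordinate lives in the catalog file and must be checked there.
CATALOG = re.compile(r'^\s*(\w+)\(\s*(?:platform\()?(libs\.[\w.]+)')

def audit_dependencies(gradle_text):
    """Return (allowed, unexpected, unresolved) for the dependencies block."""
    allowed, unexpected, unresolved = [], [], []
    in_deps, depth = False, 0
    for line in gradle_text.splitlines():
        code = line.split("//", 1)[0]  # ignore commented-out declarations
        if not in_deps:
            in_deps = bool(re.match(r"\s*dependencies\s*\{", code))
            depth = 1 if in_deps else 0
            continue
        depth += code.count("{") - code.count("}")
        if depth <= 0:  # closing brace of the dependencies block
            in_deps = False
            continue
        m = COORD.match(code)
        if m:
            config, group, artifact = m.groups()
            ok = group in ALLOWED_EXACT or group.startswith(ALLOWED_PREFIX)
            (allowed if ok else unexpected).append((config, f"{group}:{artifact}"))
        elif (m := CATALOG.match(code)):
            unresolved.append(m.group(2))
    return allowed, unexpected, unresolved

# Constructed sample input, not the app's real build file.
SAMPLE_BUILD_GRADLE = '''
plugins { id("com.android.application") }
dependencies {
    implementation("androidx.core:core-ktx:1.0.0")
    implementation("com.google.android.material:material:1.0.0")
    implementation("com.google.crypto.tink:tink-android:1.0.0")
    implementation(libs.androidx.appcompat)
    // implementation("com.example.old:removed:0.1")
    implementation("com.example.analytics:tracker:2.0.0")
}
'''

if __name__ == "__main__":
    for name, items in zip(("allowed", "unexpected", "unresolved"),
                           audit_dependencies(SAMPLE_BUILD_GRADLE)):
        print(name, items)
```

The build file only lists direct dependencies; Gradle's `dependencies` task prints the resolved tree including transitive ones.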