PLocker Security
How PLocker protects your passwords with AES-256 encryption, offline storage, and a privacy-first architecture
AES-256 Encryption
The gold standard in data encryption, trusted by governments and military organizations worldwide
What Is AES-256 Encryption?
AES (Advanced Encryption Standard) is a symmetric block cipher established by the U.S. National Institute of Standards and Technology (NIST) in 2001. The "256" in AES-256 refers to the key size of 256 bits, making it the strongest variant of the AES family. AES-256 is approved by the NSA for protecting information classified up to the TOP SECRET level and is used by governments, military organizations, financial institutions, and intelligence agencies worldwide to safeguard their most sensitive data.
In PLocker, AES-256 operates in CBC (Cipher Block Chaining) mode with a unique, randomly generated initialization vector (IV) for each encryption operation. This ensures that even if you encrypt the same password twice, the resulting ciphertext will be completely different, preventing pattern analysis and making cryptanalysis significantly more difficult.
Why AES-256 Matters
Without encryption, your passwords would be stored as plain text, readable by anyone who gains access to your device. AES-256 transforms your data into an unreadable, mathematically scrambled format that can only be unlocked with your master password. Even if an attacker physically extracts the database file from your phone, the data remains completely useless without the correct decryption key.
2^256 Possible Keys
That's 1.15 × 10^77 combinations
To put this number into perspective: a 256-bit key has more possible combinations than there are atoms in the observable universe (estimated at 10^80). Even if you could build a computer using every atom on Earth, each trying a billion keys per second, and ran it for the entire age of the universe (13.8 billion years), you still wouldn't come close to breaking a single AES-256 key through brute force.
Key Derivation: PLocker uses PBKDF2 (Password-Based Key Derivation Function 2) with HMAC-SHA256 and 100,000+ iterations to derive your 256-bit encryption key from your master password. This makes dictionary and rainbow table attacks computationally infeasible.
Military-Grade Protection
AES-256 is the encryption standard used by the U.S. government, NATO, and intelligence agencies to protect classified and sensitive data at the highest levels.
CBC Mode with Unique IV
Every encryption operation uses a cryptographically secure random initialization vector, ensuring identical plaintext produces different ciphertext every time.
PBKDF2 Key Derivation
Your master password is never used directly. It goes through 100,000+ rounds of PBKDF2-HMAC-SHA256 key derivation, making brute force attacks impossible.
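The key derivation described above, as an added example that is not PLocker's own code: PBKDF2-HMAC-SHA256 with 100,000 iterations producing a 256-bit key, with only a salt, the iteration count and a key-check value stored. The 16-byte salt, the header layout, the `vault-key-check` label and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # the minimum the page states
KEY_LEN = 32           # 256-bit key for AES-256
SALT_LEN = 16          # assumption: the page does not give a salt size


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the UTF-8 master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def _check_value(key: bytes) -> bytes:
    # Hypothetical key-check tag: lets unlock() reject a wrong password
    # without storing the password or the key itself.
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def create_header(master_password: str) -> dict:
    """What would be stored next to the vault: salt, cost, check value."""
    salt = os.urandom(SALT_LEN)  # fresh random salt per vault
    key = derive_key(master_password, salt)
    return {"salt": salt, "iterations": ITERATIONS, "check": _check_value(key)}


def unlock(master_password: str, header: dict):
    """Return the 256-bit key, or None if the password is wrong."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    if hmac.compare_digest(_check_value(key), header["check"]):
        return key
    return None


def guesses_per_second(samples: int = 3) -> float:
    """Measured rate at which this machine can test candidate passwords."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    header = create_header("correct horse battery staple")  # constructed sample
    print("unlock ok:", unlock("correct horse battery staple", header) is not None)
    print("wrong password:", unlock("hunter2", header))
    print(f"~{guesses_per_second():.1f} guesses/s on this machine")
```

The measured guess rate shows what the iteration count buys: each candidate password costs a full derivation, so the strength of the master password still sets the total work an offline attacker faces.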
Local Device Storage
Your encrypted database lives exclusively on your Android device
SQLite Encrypted Database
Your vault is stored in a single encrypted SQLite file on your device's internal storage
SQLite Database with Full Encryption
PLocker stores all your passwords, secure notes, categories, and settings in a single SQLite database file located in the app's private internal storage directory. This directory is sandboxed by the Android operating system and cannot be accessed by any other application on your device. The entire database file is encrypted at rest using AES-256, meaning the raw file on disk is already ciphertext—even without the app running, the data is protected.
Android's application sandboxing provides an additional layer of security. The PLocker database file resides in a directory that only the PLocker app can read and write. No other app, including file managers, can access this directory without root access. Combined with Android's built-in file-based encryption (FBE) on modern devices, your data is protected by multiple independent layers of encryption.
No Internet Permission
PLocker does not request the INTERNET permission in its Android manifest. The app has zero network capabilities—it cannot send or receive data over any network. This is not a setting or a policy; it is an architectural guarantee. Even if a malicious developer were to modify the app, they would need to recompile it with new permissions, which would change the app's signature and prevent it from being installed as an update.
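One way to check a no-INTERNET claim yourself, as an added example that is not part of PLocker: decode the APK's manifest to plain XML (for instance with apktool) and list any network-related permissions it requests. Both manifests below and the `com.example.*` package names are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that grant or query network capability.
NETWORK_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_NETWORK_STATE",
    "android.permission.CHANGE_WIFI_STATE",
}

# Constructed sample: an offline app that only asks for biometrics.
OFFLINE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.offlinevault">
    <uses-permission android:name="android.permission.USE_BIOMETRIC" />
    <application android:label="Offline Vault" />
</manifest>
"""

# Constructed sample: an app that can reach the network.
ONLINE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.syncvault">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_NETWORK_STATE" />
    <application android:label="Sync Vault" />
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """All permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Both element types request permissions; -sdk-23 applies on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(NAME_ATTR)
            if name:
                names.add(name.strip())
    return names


def network_permissions(manifest_xml: str) -> list:
    """Sorted network-related permissions; an empty list means none requested."""
    return sorted(requested_permissions(manifest_xml) & NETWORK_PERMISSIONS)


if __name__ == "__main__":
    for label, xml in (("offline", OFFLINE_MANIFEST), ("online", ONLINE_MANIFEST)):
        print(label, "->", network_permissions(xml) or "no network permissions")
```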
No Cloud. No Sync. No Servers.
There are no PLocker servers to hack, breach, or compromise
Why Offline Is More Secure
Cloud-based password managers introduce a fundamental security paradox: to sync your passwords across devices, they must store your encrypted vault on their servers. While the vault itself may be encrypted, the very existence of a centralized server infrastructure creates an attack surface. Servers can be breached, APIs can be exploited, employees can be compromised, and government subpoenas can compel access.
PLocker eliminates this entire category of risk by design. There is no cloud infrastructure to attack. No server to breach. No API to exploit. No employee to compromise. No database of user vaults to leak. Your passwords exist in exactly one place: the encrypted SQLite database on your Android device. This radically simple architecture means there is no central point of failure, no honeypot of user data, and no third party that can be compelled to hand over your information.
No Server Infrastructure
PLocker doesn't operate any servers. There is no backend, no database, no API, and no authentication service. The application runs entirely on your device. This means there is no infrastructure to maintain, secure, or monitor—and no infrastructure that can be attacked.
No Tracking. No Analytics. No Telemetry.
Your behavior inside PLocker is known only to you
No User Tracking
Most free apps, including many password managers, embed tracking SDKs, analytics frameworks, and telemetry code that silently monitor how you use the application. These trackers collect data about which features you use, how often you open the app, how long you spend on each screen, and even what you tap on. This data is then transmitted to third-party analytics platforms, advertising networks, and the developer's own servers.
PLocker contains absolutely zero tracking code. There are no analytics SDKs (no Google Analytics, no Firebase Analytics, no Mixpanel, no Amplitude), no crash reporting frameworks (no Firebase Crashlytics, no Sentry), and no telemetry of any kind. Combined with the fact that PLocker has no internet permission, it is physically impossible for the app to transmit any information about your usage to anyone. We don't know how you use PLocker, and we never will.
You Are Not the Product
Many free apps monetize their user base by collecting and selling behavioral data. PLocker has no monetization strategy at all—it is genuinely free, supported only by voluntary donations. Your privacy is not a feature; it is the foundation of the entire application.
Zero Data. Zero Collection. Zero Sharing.
We don't want your data. We don't need your data. We don't collect your data.
No Data Collection
PLocker does not collect, store, process, or transmit any personal information whatsoever. We don't ask for your name, email address, phone number, or any identifying information. There is no account creation process, no registration form, and no sign-up required. You can download, install, and use PLocker without ever providing a single piece of personal data.
Beyond personal information, PLocker also does not collect any device information, usage statistics, crash reports, feature preferences, or behavioral data. Even anonymized or aggregated data collection is off the table. The app simply does not have the capability to collect or transmit any data, thanks to its complete lack of internet permissions and networking code. Data collection is not just avoided—it is architecturally impossible.
No account creation
No email required
No device fingerprinting
No location data
No crash reports
No usage analytics
Privacy First Architecture
A complete overview of how PLocker's security architecture protects your data at every layer
Layer 1: Android Sandbox
The Android operating system isolates each app in a private sandbox. PLocker's database file resides in its own internal storage directory, inaccessible to any other app. Android's permission system ensures that no application can read another app's private files without explicit user consent or root access.
Layer 2: File-Based Encryption
On Android 7.0+ devices with file-based encryption (FBE) enabled, the operating system encrypts each file individually with a key derived from the user's lock screen credentials. This means the PLocker database is encrypted at the OS level before PLocker even applies its own AES-256 encryption.
Layer 3: AES-256 Database Encryption
PLocker encrypts the entire SQLite database using AES-256 in CBC mode with a unique IV. Even if an attacker bypasses the OS sandbox and extracts the raw database file, they would face AES-256 encrypted ciphertext requiring your master password to decrypt.
Layer 4: PBKDF2 Key Derivation
Your master password is never stored anywhere on the device. It is used to derive a 256-bit encryption key through PBKDF2-HMAC-SHA256 with 100,000+ iterations. This salted, iterated key derivation process makes dictionary and brute force attacks prohibitively expensive.
Layer 5: Biometric Authentication
PLocker supports fingerprint unlock through the Android Biometric API, which authenticates at the OS level. Your fingerprint data is never stored, transmitted, or accessible by PLocker. The app only receives a yes/no authentication result from the system.
Layer 6: Zero Network Permissions
PLocker does not request the INTERNET permission. It contains no networking code, no HTTP clients, no socket connections, and no cloud SDKs. Even if the database encryption were somehow broken, there is no way for the app to transmit data off the device.
Defense in Depth
Each layer of security independently protects your data. Even if one layer is compromised, the remaining layers continue to prevent unauthorized access to your passwords.
Security Comparison
How PLocker's security architecture compares to cloud-based password managers
| Security Feature | PLocker | Cloud-Based Managers |
|---|---|---|
| Encryption Standard | AES-256 CBC | AES-256 (varies) |
| Data Storage Location | Device only | Cloud servers |
| Internet Permission Required | No | Required |
| Server Infrastructure | None | Multiple servers |
| Cloud Sync | None | Enabled by default |
| Risk of Server Breach | Impossible | Possible |
| User Tracking | None | Common |
| Data Collection | Zero | Significant |
| Account Required | None | Mandatory |
| Third-Party SDKs | Zero | Multiple |
| Biometric Unlock | Yes | Yes |
| Key Derivation | PBKDF2 100k+ | PBKDF2 (varies) |
| Price | Free | Free / Paid |
Privacy by Design, Not by Policy
PLocker doesn't rely on a privacy policy to protect your data—it's architecturally impossible for the app to share anything because it has no internet access. Most password managers collect telemetry and store your vault on their servers; PLocker eliminates those risks entirely by design.
You Are Not the Product
Free password managers often monetize through data collection, analytics, or selling anonymized usage patterns. PLocker collects absolutely nothing. No crash reports, no usage statistics, no feature analytics. What you do inside your vault is known only to you.
Experience True Privacy
Download PLocker and start using a password manager that genuinely respects your privacy. AES-256 encryption, 100% offline, no tracking, no data collection, and completely free.
Free · Android 7.0+ · 12 MB · v1.0.0 · No Sign-up Required