Was poking around the source and noticed webdav_password and the AI provider keys (ai_api_key, openai_api_key, etc.) get written straight to config.json in plaintext — no encryption, no OS keychain.
Confirmed this holds across all platforms (Windows/Mac/Linux/Android/iOS), since save_app_config just does a plain std::fs::write regardless of target — the mobile builds just change where the folder lives, not how it's stored. Not a huge deal on iOS/Android since the app sandbox limits who can read it, but on desktop any process running as your user (or an unencrypted backup) can just cat the file and get your WebDAV creds + API keys.
Would be nice to see these go through something like the keyring crate (Keychain/Credential Manager/Secret Service) instead of the config struct — seems like a fairly contained change, just swapping the read/write path for those specific fields.
Was poking around the source and noticed webdav_password and the AI provider keys (ai_api_key, openai_api_key, etc.) get written straight to config.json in plaintext — no encryption, no OS keychain.
Confirmed this holds across all platforms (Windows/Mac/Linux/Android/iOS), since save_app_config just does a plain std::fs::write regardless of target — the mobile builds just change where the folder lives, not how it's stored. Not a huge deal on iOS/Android since the app sandbox limits who can read it, but on desktop any process running as your user (or an unencrypted backup) can just cat the file and get your WebDAV creds + API keys.
Would be nice to see these go through something like the keyring crate (Keychain/Credential Manager/Secret Service) instead of the config struct — seems like a fairly contained change, just swapping the read/write path for those specific fields.