We launched Userbase 1 year ago promising the easiest way to create secure and private web apps — and it's gotten way easier!

• Share data between users securely with granular access controls, or share globally.
• Store and stream end-to-end encrypted files.
• Enable users to reset their password if they forget it!
• Accept payments through your app via Stripe in just a few clicks.
• Build iOS and Android apps using the Userbase Cordova mobile plugin.
• Use the Admin API or userbase-js-node to interact with Userbase from a server.

Along with a number of optimizations and bug fixes to maximize Userbase’s performance and safeguard reliability.

We also added a free Starter tier with the following limits:

• 1 web app.
• 100 users.
• 100 MB storage.
• Limited support.

We listened, heard, and worked hard to make sure Userbase has everything you need to build powerful, secure, private apps. And there's plenty more to come!

Cossack Labs has completed a security audit of Userbase!

Userbase is a database-like product, purpose-built for web app user data. Unlike regular databases, user data is end-to-end encrypted using an encryption key that is never exposed to the Userbase server. Users own their own databases which are partitioned from databases of other users on the server-side, and can share their databases with other users, without exposing private keys to the server. Userbase is accessible through a very simple JavaScript SDK, directly from the browser.

We picked Cossack Labs because they specialize in cryptographic data security tools (both developer tools and bespoke solutions) for modern applications. Cossack Labs' experts that participated in this audit have decades of hands-on practical experience and formal backgrounds in information security and cryptography.

Cossack Labs found that Userbase prevents an adversary with privileged access to the Userbase server from accessing protected user data under the chosen set of assumptions and constraints. They also provided us with a list of findings and recommendations to strengthen Userbase. We have already implemented a number of their recommendations, and will continue implementing the rest as we work to improve Userbase.

Here is Cossack Labs’ public security audit report.

Here are our supporting documents:

• Our report on actions taken and planned.
• Our detailed initial request to Cossack Labs. This includes:
  • Our risk statement.
  • The protected data scope.
  • The trust model.
  • Links to a demo and code for the security review team.
  • Lower level descriptions of the Userbase design and cryptographic protocol.
• Userbase’s detailed architecture spec as of August 20, 2020.

Userbase can be contacted at support@userbase.com or via Twitter @UserbaseHQ. If you believe you've found a security-related issue, please drop us an email at security@userbase.com - bug bounty program may apply.

Cossack Labs can be contacted at cossacklabs.com or info@cossacklabs.com.