AliasVault: Open-Source E2EE Password & (Email) Alias Manager

Goed om te weten/ good to now about the pricing. It only makes it more interesting.

AliasVault 0.17.0 is out now!
Hi everyone! As hinted in my previous update from April, I’m excited to announce that the iOS app for AliasVault is now finally live in the App Store!

It took quite a lot of hard work… and a few rounds in the ring with Apple’s App Review team (spoiler: they claimed the first few rounds). But after tweaking the app and jumping through the necessary hoops, AliasVault is now live on iOS!

Download link to App Store: AliasVault for iPhone.

(You can also build the iOS app yourself from source, all client apps are part of AliasVault’s GitHub monorepo.)

The iOS app integrates with native iOS autofill capabilities and secures your encrypted vault contents with on-device biometrics (Face ID / Touch ID).

iOS app preview as part of the new 0.17.0 release1440×1098 141 KB

Here are the full release notes for this new release:

AliasVault 0.17.0:

1. Native iOS App Launched!: release 0.17.0 marks a major step forward by introducing the official AliasVault native iOS app, now available on the iOS App Store! This new app enables native autofill features for iOS and protects your vault contents with on-device biometrics. The app is compatible with both cloud-hosted and self-hosted environments.
2. Browser extension improvements: added extra setting toggles to the browser extensions which allow you to enable/disable the context menu and hide the autofill popup on a certain website for a specified time. Added support for shortcuts so you can trigger the autofill popup via a keyboard shortcut (works best in Chrome). Also improved autofill popup reliability so it works on more websites.
3. Quality-of-life improvements: various other smaller improvements in the web app and browser extensions to align how credentials are displayed to better match it on all platforms.
4. License change to AGPLv3: From this release forward, AliasVault is licensed under the AGPLv3, replacing the previous MIT license. This change is made to protect the intellectual property and long-term vision of AliasVault, while keeping it fully open and transparent. For end-users and self-hosters, nothing changes: you can continue to use, self-host, and customize AliasVault freely for personal or internal use. The new license only restricts commercial use by third parties who may otherwise profit from AliasVault without contributing back.

With this release AliasVault is now available on all major platforms : Web, Chrome, Firefox, Edge, Safari, Brave, and now on mobile starting with iOS!

I’m working on making the app available on Android next, which I expect will be ready somewhere in the coming weeks.

What a fantastic new update!

AliasVault is quickly turning out to become my go to recommendation after Proton Pass but before Bitwarden now.

Edit: I installed the app and logged in - very smooth for a brand new app. Will keep testing and using it more to see how it fairs.

Congrats. Out of curiosity, When premium features are released will subscription be available through the App Store?

@JG Thanks for your appreciation and support! Really means a lot to me and makes me smile to read that ! If you run into any issues or hick-ups with the app or have ideas for improvement, feel free to let me know.

@Banter8905 Good point. I think it might be worth adding support for subscriptions through the app store for convenience options to the user. Although I’m not fully up-to-date on the current status in terms of how much % the App Store takes on sales and if referring to payment options outside the app (with a discount) are now allowed.

Do you have a personal preference on this? I.e. preferring to use in-app purchases for subscriptions vs. doing it via the website of the service (if offered)?

@lanedirt I thought in reference to commision its 30% commission the first year and 15% second year is what the App Store takes.

I personally would be ok with in App Subscriptions which I am sure would be convenient to most. Though I have also subscribed for services via websites of services. You may have to gauge further feedback from users on this.

Hi! I finally got around to creating an AliasVault account so I could try it out. Looking forward to playing with it.

@lanedirt, do you have a backup plan for the aliasvault.net email domain someday being blocked for new registrations by certain websites? Like protonmail users and some other email domains are currently experiencing?

Good question! Yes, AliasVault already supports multiple private email domains under the hood. For the official cloud-hosted version, it currently offers only aliasvault.net for aliases. But if this domain ever gets blocked or added to blacklists, I’ll roll out additional domain variations that users can switch to seamlessly. The software already supports this (and for self-hosted installs, people can already configure multiple domains for themselves).

The reason I didn’t launch aliasvault.net with multiple private domains right away is mainly due to cost, as maintaining many active domains can quickly get (relatively) expensive. For example, with SpamOK.com (the predecessor to AliasVault), I started with 10+ domains which seemed like a fun idea at the time, but now it costs me hundreds of euros yearly just to keep them alive because users started to rely on them. Depending on how you look at it, it might not sound like much, but as I’m running that site for over 10 years already, it does add up.

So in short: AliasVault is designed to scale to dozens or even hundreds of domains in the future, but my current approach is to add them incrementally, based on need. This keeps things more sustainable while still ensuring continuity for users if any single domain gets blocked.

That’s great! You are all over this rollout. I don’t think I’ve ever seen anyone as responsive as you to a privacy project. Kudos!

Where did Proton aliases get blocked?

Ticketmaster, Playstation and Chime to name a few. If you can stand going over to Reddit (the fart of the internet, I hate Reddit with a passion) you can see many people discussing this.

Netlify also blocked proton, sl and addy address. Free privacy respecting email and alias service would obviously be abused and being treated as suspicious by sites and services. Its a neverending cat and mouse game if to keep buying new domain until it eventually be abused and be blocked again, plus unsustainable monetarily. You’d end up with 1000 domains in no time. Proton and addy resorted to allow users to report such sites to them and they’ll contact the site owner to persuade them to allow their domain on the site. Plus they specifically forbid multiple accounts creation on the same site by the same user on their tos.

Wow. I expected it to take much longer for Proton to get blocked. This is why it’s important to have a wide range of domains.

Proton’s alias service is not free. But I get your point. Unless it’s companies with a lot of brand name recognition, I don’t necessarily think it’s a good idea for Proton to plead with them. Especially when it’s companies whose entire business model is surveillance capitalism. I also personally question how pervasive the so-called “abuse” is.

Companies get to define abuse however they want. Case in point for Proton, having more than one alias per third party website is abuse. Also, companies get away with abusing their users privacy and consumer rights daily, but they get away with it because it is often legal.

I am so glad somebody else is finally recognizing this. As I’ve previously said, it it is one thing for Proton to have this very impractical rule, and it’s another to hide it, and not state it clearly upfront.

Because let me remind everyone here, this rule is not clear and explicit in their TOS. The TOS is vague. You only learn about the explicit details of the rules when you disobey them.

Multiple domains won’t do anything since dns records are public info. Theres even some service that outright block registration via custom domain added to sl or addy by inspecting the domain mx records.

Sl tried to be smart via the 2 or 3 premium domain only for paid users hoping there won’t be much abuse with it but they got blocked either way due to blanket ban on sl mx and ip.

Yes I can confirm that some websites or blacklists tend to blanket ban all domains that are on the same IP. I’ve had that happen with SpamOK too, where a certain blacklist that LinkedIn was using simply added all domains that were also using the SpamOK IP to their blacklist. This caused the website of my consulting company and various other services to be blocked as well as they were all sharing the same IP. Even though these other websites had nothing to do with the SpamOK service itself.

One idea I have to combat this with AliasVault is to also have certain premium “hidden” domains only available to certain segments of paying users. Then I want to host these domains on entirely separate IP’s not affiliated with AliasVault, and let these mail servers proxy all emails to the main AliasVault server. This would prevent third parties from being able to link domains based on MX DNS or IP. But as was mentioned before, in the end this unfortunately is and stays a cat and mouse game and will cost (more) money.

We’ll have to see how this plays out exactly, but my vision is to do have these kind of mitigating measures in place as long as it’s financially feasible, and as long as (certain) users accept the premium.

I mean if both you and paying users are fine with the added cost to allow them using the alias comfortably, segregation via combination of premium domain, separate mx, separate ip and proxying sounds superb. Even proton and addy doesn’t go that far.

Okay. So I have been using AliasVault fully for the past week on macOS on Brave via the extension and on iOS via the app. Here are all my thoughts and experiences thus far as the app/product stands:

Right off, I want to mention what I want to see absolutely and immediately improve:

1. Please, please, please - I need the ability to change/amend/edit/etc details on any entry of any account/alias via and within the extension itself. Having to log in on the website and clicking more things than really needed is just so frustrating when you’re trying to update very important, sensitive and time sensitive info (that may be autoremoved from your clipboard if you don’t paste it fast enough). Not having this is kinda stressful to be honest. It feels like a major part of the product functionality is missing.
2. When popping out the extension in a new window/web app like window, I want to continue to see the ability to edit any and all entries including a better and a more window filling email view so the email renders bigger and better for easy viewing.

These two are most important as I see it now from a usability and user experience POV.

More feedback/views/issues/recommendations/etc:

1. Software passkey support (literally how Proton Pass does it, ideally) is much needed. This means, being able to add and use passkeys when websites prompts and the extension pops up for you to add the passkey should all work as it does on and with Proton Pass.
2. Import functionality can be significantly improved. All entires from Proton Pass are added but in an imperfect manner. Ideally, you want it to be 1:1 import but it looks a little haphazard after import is completed in AliasVault. I had to manually change a few things on all my entries which is not a good import experience and could turn some people away as soon as they begin to try it. Giving specifics would be too much to say here but I’ll say this - if a Proton Pass entry has username, email, password, 2FA, note, etc - I want to see the same in the same manner in AliasVault too with the right title for each item within each entry. I know, no import feature of any mature password manager app is this good but this is or should be the goal. And given the FOSS nature of AliasVault and Proton Pass, this is surely doable. This is not time sensitive as it may require a lot of work but as long as it is done before a full stable release with paid options, this level of “maturity” would be fantastic to see.
3. Being able to turn off (but not delete) Alias email of any entry/account would be a great addition. But in this case, not like how Proton Pass does it. It want the email alias to appear within the entry details along with other details - unlike how Proton Pass has it where the email alias appears separate from the account details of that alias. This would truly be a unique functionality with such an implementation because no other password manager does this. So, I hope you seriously consider this.
4. Email view improvements - when viewed in a new pop up window, I want the email to appear as it does with any other email view from any other email. This means, email list of the left, email content on the right (1:3 ratio of window size of each section.. if this makes sense) and other toggles for delete, read, unread, etc options on the bottom.
5. Being able to resize the extension pop up to you liking would be great! (not to be confused with a separate window but just clicking on the extension on the top right and the pop up that appears)
6. Passkey authentication on iOS (and Android when the app comes out or when the app begins to mature on Android) within apps or on the web just like you can do on/through Proton Pass would be the smoothest way to go about it. Please replicate the user experience from Proton Pass with this one on AliasVault.
7. Improve autofill recognition on web: here’s the issue. AliasVault currently identities any entry field and shows its icon on the side of the entry field. This is incredibly annoying and distracting when you’re filling out your address details or any other details when shopping online because the pop of on each text box blocks what you have actually typed and you can’t see anything. It also shows up on the side of all drop down menus (so when I am editing a doc online on OnlyOffice for example, it shows up on the each down down menu option of the ribbon up top on the font size, font, formatting options, etc. In other ways, AliasVault needs to better identity what are authentication text boxes (that is username, password, and 2FA) and what are other non sign in/sign up/authentication text boxes on the web. I hope I have explained the issue with this clearly. This is really annoying right now.
8. Ability to add other entry items in any account is also much needed. I may have notes or any other details I want to add but cannot via the extension. I think the lesson with all my points here to consider the extension as the main app on desktop and it needs all the functionality an app would have. One should not be forced to open AliasVault on the web to do select things if they exclusively want to use the extention only. And this consequently means, the extension needs to significantly improve with how it functions and with the number of features it has.

–

Please take all my comments are constructive criticism. I have only expressed what I have and the way I have in an honest manner from a user experience and usability POV. I know AliasVault is still pretty new and is under active development and most if not all of the things I have mentioned will eventually end up happening in time. So I am not holding any shortcomings against you or the product.

I had fully turned off Proton Pass and gave AliasVault and complete and honest try for all that it can do today so these views come from that experience. This practically makes these “opinions” objective facts for what AliasVault is, how it works, and what doesn’t/is missing. I only say this because anyone (as I write this) can run the same user experiment I did and come to same conclusions. None of what I have said is really wrong or false.

@lanedirt - I hope these comments, suggestions, recommendations are useful to you and I sincerely want to see it become as good as Proton Pass is (from its usability and user experience POV atleast) if not better (if you can come up with better ways).

Please reach out here or privately if you have any follow up questions with specificity in case you don’t fully follow anything I have said above.

That’s my review of AliasVault as of today. Thanks! I continue to look forward to new improvements. But please fix the first two as soon as you can.

Hi @JG,

Thanks a lot for your very detailed feedback and for giving AliasVault a full try! I really appreciate your effort and honesty, this really helps a lot for me to improve AliasVault! I’m glad to say that a lot of your suggestions are already in scope for the 1.0 roadmap (published on GitHub), and I wanted to quickly highlight the ones that match your suggestions:

Already included in the v1.0 roadmap:

• Full client capability for the browser extension (to match the main app, being able to edit credentials etc.)
• Passkey support (storage + usage)
• Improved import functionality
• Ability to group credentials (folders)
• Passkey login on mobile apps (iOS & Android)
• Platform-specific improvements, including browser extension resizing, more responsive layout, email view UI enhancements.

I completely agree with your point on making the browser extension a fully functional client with full edit capabilities. For context: the iOS app (and the upcoming Android app, which should be ready in ~2 weeks) share a lot of tech with the browser extension and already support full editing. Once the Android version is out, I’ll be focusing on bringing these capabilities to the extension so it can function as a complete standalone client. This work is already on the roadmap and will be prioritized after the Android release.

Quick clarification needed:

1. Improve autofill recognition on web:
The browser extension uses a custom algorithm to detect username/password/email fields, but unfortunately many websites implement things in non-standard ways which makes this pretty complicated. There’s also the added complexity where AliasVault tries to both detect traditional username/password fields (for login/signup), but also standalone email fields (e.g. signing up to newsletters).

I already maintain a growing test suite with ~20 website variations that the algorithm is tested against on every build. I’m extending this test suite as we go along and (new) issues are detected. Would you be able to (privately) share which websites (besides OnlyOffice) are giving you issues with field detection or annoying overlay icons? That would help a lot in improving this feature for everyone.

2. Turn off (but not delete) email aliases:
When you say you’d like to “turn off” an alias, would you expect:

• The alias to still receive emails silently in the background, and show them when re-enabled?
• Emails to be hard rejected with a bounce-back message to the sender?
• Or, just silently dropped — not stored in AliasVault but also not alerting the sender?

Thanks again for taking the time to give AliasVault a full try with your workflow, and taking the time for sharing your feedback! It really helps a lot in improving AliasVault and helps me to better understand various usecases people might have.

AliasVault has already come a long way in terms of improved and new features in the last few months. And I’m positively hopeful to have the v1.0 release ready before the end of this year with all of the aforementioned features, which include your suggestions, included.