Security

ExpanDrive versions 2025 and earlier do not ever store your credentials (such as passwords, keys, and authentication tokens) in the Cloud. They are always securely stored on your machine in the macOS keychain or the Windows Credential Vault. We never have access to your credentials.

We are working on a Web-based client for ExpanDrive that we intend to release in 2026, and when we do that, we will begin to store your credentials in the Cloud. We will provide clear notice when this transition occurs.

Encryption

ExpanDrive utilizes Transport Layer Security (TLS) wherever possible to ensure secure encrypted data transport.

The only exception is plain unencrypted FTP, which transports data and credentials in plain text. It is strongly recommended you use FTPS or SFTP (SSH transport) as opposed to unencrypted FTP.

Understanding OAuth2

Many cloud storage services utilize the OAuth2 protocol to authenticate users and provide applications like ExpanDrive an API key for usage.

ExpanDrive opens an embedded web browser connecting you to directly to Microsoft, Google, Box, Dropbox, and others so that you authenticate directly with them, and the ExpanDrive app never accesses your credentials.

After the embedded web-based authentication, the OAuth2 server issues a key that is securely stored on your machine.

OAuth authentication supports multi-factor authentication (MFA) flows and SSO like ADFS, Okta, Duo and others with no additional setup.

Security

After authentication, we store the new credentials created by Google in your secure system repository. For Mac, this is the system keychain, and on Windows, the data is stored in the Microsoft Windows Credential Manager.

ExpanDrive never has access to the credentials you supply during the OAuth authentication process.

OAuth2 Walk-Through

In this example we are showing Google Drive but the process is the same for OneDrive, OneDrive for Business, SharePoint, Dropbox, and Box.

Authentication is performed using an embedded browser.

ExpanDrive starts the authentication by connecting directly to Google via an embedded web browser view. The ExpanDrive app never captures the user’s credentials.

After authentication a user authorizes ExpanDrive to have API access

The web-based authentication grants the ExpanDrive app access to read and write from the user’s Google Drive account on behalf of the user.

New credentials (tokens or API keys) are created by Google to represent this grant.

This is how ExpanDrive is able to transform for Google Drive account into a virtual drive.

PreviousWebDAVNextOffline Sync

Last updated

Was this helpful?