Security

ExpanDrive utilizes Transport Layer Security (TLS) wherever possible to ensure secure encrypted data transport. The only exception is plain unencrypted FTP, which transports data and credentials in plain text. It is strongly recommended you use FTPS or SFTP (SSH transport) as opposed to unencrypted FTP.

Authentication

Security is a critical component of ExpanDrive. ExpanDrive is client-only software, so it lives only on your computer and it communicates directly with your server or to your cloud storage service of choice.

We never have access to any of your credentials or login tokens. Passwords and API tokens are securely stored on your machine in the macOS keychain or the Windows Credential Vault.

Understanding OAuth 2

Many cloud storage services utilize the OAuth 2 protocol to authenticate users and provide applications like ExpanDrive an API key for usage.

ExpanDrive opens an embedded web browser connecting you to directly to Microsoft, Google, and others so that you authenticate directly with them, and the ExpanDrive app never accesses your credentials.

After the embedded web-based authentication, the OAuth server issues an API key that is securely stored on your machine.

OAuth authentication supports multi-factor authentication (MFA) flows and SSO like ADFS, Okta, Duo and others with no additional setup.

Security

After authentication, we store the new credentials created by Google in your secure system repository. For Mac, this is the system keychain, and on Windows, the data is stored in the Microsoft Windows Credential Manager.

ExpanDrive never has access to the credentials you supply during the OAuth authentication process.

Permissions

The storage service API enforces all of the permissions and settings for a given user. ExpanDrive can only see files and folders a user has access to.

Authentication walk-through

In this example we are showing Google Drive but the process is the same for OneDrive, Dropbox, Box, Hubic, OneDrive for Business.

ExpanDrive starts the authentication by connecting directly to Google via an embedded web browser view. The ExpanDrive app never captures the user’s credentials.

The web-based authentication grants the ExpanDrive app access to read and write from the user’s Google Drive account on behalf of the user. New credentials (tokens or API keys) are created by Google to represent this grant. This is how ExpanDrive is able to transform for Google Drive account into a virtual drive.