This is basically the main reason why I built uFincs (https://ufincs.com/) without any sort of bank integration. As a Canadian myself, the privacy implications of letting a third party like Plaid take my bank password to get my data were, indeed, rather sketchy. I've been looking forward to the day that open banking gets pushed here, so this is definitely good news that uFincs (and every other personal finance app) might eventually get some secure bank integrations.
Although, knowing how these things usually go, I'm sure the "2023" target is a little optimistic...
I built uFincs (https://ufincs.com) basically because I got fed up with GnuCash's UX. It only supports importing CSVs right now, but I'm open to adding other formats. It's also a web app rather than a desktop app, but you're free to try it out/use it without an account (https://ufincs.com/noaccount) and all of your data will just be kept in your browser.
I can definitely see where you're coming from regarding the whole syncing thing. Personally, I've gotten into a habit of recording my transactions right after they happen (or at worst, at the end of the day), but somehow I get the feeling that I'm particularly crazy for doing that.
In any case, I agree that we could do better as far as showing examples/features altogether, but I figured (at least for the time being), just letting people use the app without an account (https://ufincs.com/noaccount) is as good a demo as any.
The marketing site (https://ufincs.com) uses React + NextJS + Tailwind. The app itself (https://app.ufincs.com) uses a design system that I built completely custom (with plain old Sass).
Hey HN! I'm excited to (officially) show off the project I've been working on (for far too long): uFincs, a privacy-first personal finance app! https://ufincs.com
Yes, it's another personal finance app. Yes, there sure are a lot of them. But when I got tired of using GnuCash a couple years ago, I figured I should try something a little different and throw my hat in the ring.
The result? No banks, no budgets, no data collecting. Just a clean UI, a privacy-first attitude, and good old double-entry accounting.
The main thing that makes us so 'privacy-first' is the fact that we do client-side encryption: all of the financial data that you enter is encrypted before it leaves your browser and hits our servers. That way, you maintain sole ownership of your data. Want more of the juicy technical details? Check out our security overview: https://ufincs.com/policies/security
If you want to skip past all of the marketing fluff, feel free to drop into using the app right away: https://ufincs.com/noaccount. Since uFincs is offline-first and a PWA, we can offer the ability to use the app completely without an account, for free! Of course, if you want to easily access your data on all your devices, that's where a paid account comes in handy :)
Finally, since I know some people were hesitant about the pricing, I decided to throw together a special coupon just for you guys: "HN15". It's 15% off, forever, on any of the plans, for the first 100 new sign-ups.
If you have any questions, feel free to check out the FAQ (https://ufincs.com/faq), but I'll be here all day to respond to any comments!
Privacy-first finance app should really have a self-hosted option front and center. That's not even negotiable.
That's because otherwise the privacy property of the app hinges on trust in the vendor and the assumption that they won't serve some funny JS on the next page reload. The one and only way to address this is to provide a self-hosted, completely self-contained version. There's really no way around this. It's not a matter of encrypting things or storing them locally, it's a matter of divorcing yourself as a developer from users' data. Right now, it's a packaged deal.
PS. Looks very nice though. Clearly lots of thought went into the design and UX elements. This part is really well done!
Yep, I agree. If you want perfect security and a 100% trust-less solution, then uFincs certainly isn't it.
But I like to think that, at least when put in contrast with other products on the market, choosing to do these privacy/security related things is better than not.
Well, the thing is that if you say "privacy-first", you are pitching to people who care about this sort of thing. For these people the fact that uFincs is not self-hosted is an instant no-go. And for people who don't see it as a problem, the privacy angle doesn't matter much either. See the disconnect? You have a good product, for sure, but the pitch needs a revision.
Oh I'm well aware of the disconnect. I just disagree that there are only people who care about privacy to the degree that they have to self-host everything. I believe there's room to ride the line between being 'privacy-first' (in that we care about privacy, first and foremost) and offering convenience (i.e. providing a web app).
I'm sure my customers who signed up with ProtonMail and Fastmail addresses can attest to that fact.
And for those who do fall all the way to the self-hosting side, well, there's plenty of other options on the market! Of course, there's nothing stopping us from being one of those options, it's just not our priority at this very moment.
Thing is anyone even passingly interested in privacy will start questioning it - is it open-source? Can it be self-hosted? Is it available as a desktop app? It's privacy theatre unless the privacy can be proven.
Why not team up with the ProtonMail people to build a browser extension that verifies and logs javascript sigs/hashes? Corporate clients may like it. Gives them an IOC for the next big supply chain issue.
I don't know enough about browsers or JS to know if it's difficult or not.
Ah, I really like how clean the UI feels and also the e2ee. I'd love if this also could have a mobile app, as I then could document transactions on the go more easily.
Others have already mentioned how it's a non-starter if there isn't an option to self-host so I won't bring that up: instead, for those who don't mind that I'd suggest easier means to import data from existing formats. Offer an on-ramp for people who too are fed up of GnuCash or have been using Ledger up until now and could use something friendlier. Best of luck in your project!
Not having integrations is a deal breaker for me. All of my financial information lives in other systems that I need to be able to import it into a single view that I can manage. There is no way I'm going back and manually entering all of that info. A privacy centric solution would store credentials for systems like plaid, bank accounts, etc. in the client on the OS keychain and open source that part of the code to be audited. The data then would be stored preferably on a self-hosted server or your cloud provider of choice. There is some sweet spot here at the intersection of the personal cloud server movement and local client credential storage that none of the current finance apps have yet addressed. Once someone does I think they may have a real hit on their hands.
I totally understand that. And I knew, when making the decision to not do any integrations, that there's a ton of people just like you that value automating everything as much as possible.
But I also made the bet that there would be people just like me who value entering things manually. Certainly far fewer people, but hopefully still people.
In any case, I also hope that the app you described eventually gets built; certainly never hurts to have more privacy-friendly options available!
Privacy in what sense? The bank owns your data already; if you don't store any user data in the cloud, then it is private by design, right? I was looking for something like this, but I do need to auto-import my transaction data, across all banks and brokers, etc. Offline first and only, à la Personal Capital, but secure and safe. Paying 20 bucks a month for the privilege of manual data entry is a bit much. There are a bunch of open source alternatives (GNU Cash, etc.) that let you manually enter your data. That said, this is my particular use case. I do wish you the best, and the app does look pretty.
Privacy in the sense that, while the bank may own your data already, third-parties like Plaid do not. And at least up here in Canada, we're a bit weaker on the whole 'bank API' system, so it generally turns into a wonderful game of "hand over your bank account credentials".
Anyways, I definitely understand where you're coming from. Plenty of other products that do have bank integrations though, so at least there's lots of options for you!
The deal did not go through. Plaid just got valued at close to triple what Visa was going to spend on it in a recent fund raise at around $14B post money.
I agree. The trend of handing over all your data (especially your financial data) to some nebulous service isn't exactly my favourite. Which is why I built https://ufincs.com, a nebulous service where you hand over all your financial data!
Yes, that was a joke.
In reality, uFincs is more of a stop-gap between what you seek (native app where you own the data) and what the status quo is (web-based app where your data ownage is dubious). Yes, uFincs is a web app, but we take the extra step to do client-side encryption so that the only financial data being stored in our database is a jumble of base64; I don't want to touch your actual financial data with a 10-foot pole.
Of course, like some other people in this thread have mentioned, having a completely client-side app is also pretty important. Well, we have exactly that: https://ufincs.com/noaccount. You can use uFincs right away, without any account, and the app works completely client-side, completely offline. You can even export your data and then re-import it later if you so prefer!
Of course, the tech that enables this 'no account' option is also what makes the logged-in app work offline-first, so I think it's pretty cool :)
And if anyone asks "Well, why a web app at all then?", it's because I wanted a web app. Yes, I do enjoy accessing my finances on all my devices, thank you very much. But we do have plans to build out standalone desktop/mobile apps in the future.
That is a huge "living paycheck to paycheck" upcharge!
I get the incentive, but considering how financial planning can be most vital to folks with spotty income, I'd strongly encourage you to bring the price of the monthly plan down. Or perhaps a bare-bones "free" tier folks can use between paid months?
Yep, I agree, it's a pretty big upcharge. That's precisely why our 'free tier' is the 'no account' option (https://ufincs.com/noaccount). I'm not kidding when I say it's the full version of uFincs; the only (real) difference is that you don't have an account to sync to. And if you make sure to never log out (or take the time to export/import your data every time), then you can basically simulate having an account. It's just a free tier of 'inconvenience' rather than 'features' or some such.
But yeah, there's definitely some pricing psychology at play there. Thanks for taking the time to leave some feedback!
I wonder if the "most private" way to do this would be to distribute as a jupyter notebook or some sort of local bundle/distro to run as a local webapp?
Well, uFincs is a PWA, so you could 'install' it that way. We send a little in-app notification whenever a new update is pushed, so you could theoretically just ignore those and never update to keep using that one version of uFincs forever (assuming your browser never decides to update it otherwise).
But yeah, in terms of more standalone distribution and sandboxing, that's where the future desktop/mobile apps would be more appropriate. Of course, they'd be Electron-esque, but that would at least fulfill my end-goals of being privacy-first, offline-first, and providing 'long-term' software.
You could store the data in the user's cloud (or local) storage, so you don't have a copy of the data.
Having an "encrypted" copy of the data, with a key controlled by you (unless there's some browser API for encrypting using the user's key?) is a lot shorter than a "ten foot pole"
That's the thing, the key isn't controlled by me. The key is derived from your account password. If you want some more technical details, feel free to check out https://ufincs.com/policies/security. tl;dr Yes, that browser API is called WebCrypto.
As for storage, all data is kept in-browser in local storage (specifically, IndexedDB), until it gets saved to our database. And before it leaves the browser to be saved in our database, it gets encrypted using the user's key.
Finally, if you only ever use the 'no account' option (https://ufincs.com/noaccount), then all your data is only ever stored in-browser; it never gets saved to our database because you don't even have an account to save it to! Feel free to monitor the network requests to prove it for yourself (or even turn off your network connection).
Hmm, that's a good question to add to the Security doc!
Not quite. See, we make use of a scheme called envelope encryption. That means we have two separate keys: one to encrypt your data (the 'data encryption key' or DEK) and one to encrypt the DEK (the 'key encryption key' or KEK). We use the KEK to encrypt your DEK to get something called the 'EDEK' (or 'encrypted data encryption key'). The EDEK is what we store in our database.
Something that never changes after you sign up is your DEK. This is completely random and not dependent on your password.
What is dependent on your password is your KEK. So when you change your password, all that actually changes is your KEK. With your new KEK, we just re-encrypt your DEK to get a new EDEK, and we store that new EDEK in our database. Again, the Security doc (https://ufincs.com/policies/security) outlines the basic process.
So no, all your data isn't passed back to the browser to be decrypted and re-encrypted when you change your password, but thanks for the question!
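The envelope scheme described in the reply above, as an added example that is not uFincs' code and not part of the original thread: a random DEK encrypts the data, a password-derived KEK wraps the DEK into the EDEK, and a password change re-wraps the DEK without touching stored ciphertext. The algorithm choices (PBKDF2, AES-KW, AES-GCM), the parameters and every function name are assumptions; the thread names only the DEK, KEK and EDEK roles and the WebCrypto API.

```javascript
// Added sketch. PBKDF2, AES-KW, AES-GCM, the salt size and the iteration
// count are assumptions; the thread only names the DEK/KEK/EDEK roles.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();

// KEK: derived from the password on the client, never stored anywhere.
async function deriveKek(password, salt) {
  const base = await wc.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    base, { name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Wrap the DEK under a fresh salt + KEK; { salt, edek } is all the server stores.
async function wrapDek(dek, password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const kek = await deriveKek(password, salt);
  const edek = await wc.subtle.wrapKey('raw', dek, kek, 'AES-KW');
  return { salt, edek: new Uint8Array(edek) };
}

// Sign-up: the DEK is random and independent of the password.
async function signUp(password) {
  const dek = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  return wrapDek(dek, password);
}

// Sign-in: unwrap the EDEK. A wrong password fails the AES-KW integrity check.
async function unlockDek(password, { salt, edek }) {
  const kek = await deriveKek(password, salt);
  return wc.subtle.unwrapKey('raw', edek, kek, 'AES-KW',
    { name: 'AES-GCM' }, true, ['encrypt', 'decrypt']);
}

// Password change: same DEK, new KEK, new EDEK. No data row is re-encrypted.
async function changePassword(oldPw, newPw, record) {
  return wrapDek(await unlockDek(oldPw, record), newPw);
}

async function encryptRow(dek, text) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, dek, enc.encode(text));
  return { iv, ct: new Uint8Array(ct) };
}

async function decryptRow(dek, { iv, ct }) {
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, dek, ct);
  return new TextDecoder().decode(pt);
}

// Constructed walk-through; run with: demo().then(console.log)
async function demo() {
  let stored = await signUp('old-password');
  const row = await encryptRow(await unlockDek('old-password', stored), 'Groceries,-42.10');
  stored = await changePassword('old-password', 'new-password', stored);
  const afterChange = await decryptRow(await unlockDek('new-password', stored), row);
  const oldUnlocks = await unlockDek('old-password', stored).then(() => true, () => false);
  return { afterChange, oldUnlocks, edekBytes: stored.edek.length };
}
```

The row encrypted before the password change still decrypts afterwards because only the wrapping of the DEK changed; the old password no longer unwraps the stored EDEK.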
⇒ when users change their password, you have access to the DEK (you decrypt it and then encrypt it with the new KEK)
“one to encrypt your data (the 'data encryption key' or DEK)”
⇒ when users change their password, you could decrypt their data.
I think this boils down to “you don’t store user passwords, but when users change their password, they must trust you to not look at your data or store the KEK”.
The 'error', as you put it, is that the password change process (i.e. the changing of the KEK and the re-encryption of the DEK into the EDEK) all happens client-side (except for the part where we verify your old password against the hashed version in the database, for obvious reasons).
'We' have 'access' to your DEK at all times — if you define 'we' as the 'client-facing portion of the app'. All of the encryption/decryption, key management, etc happens on the client-side (i.e. in-browser). Remember, as part of signing in to the app, the EDEK is transmitted from our servers and decrypted client-side so that the client can then use that DEK to decrypt your data.
If we instead redefine 'we' to be the backend servers, database, or even myself personally, then 'we' never have access to your keys nor data.
The fact is, there's nothing special about the password change process itself. It's essentially the same as the sign-up process. Nothing is especially exposed during the password change process that isn't exposed during the sign-up process (again, the DEK is present on the client-side the moment you sign up or sign in, although the KEK is slightly more ephemeral than that).
However, I do understand the implication you're making here, and here's the darker side of it: 'we' (uFincs) could change the client-facing portion of the app to steal your DEK (or your password, or even your data) and send it off elsewhere. This is... just true of any piece of software. It just so happens that, since web apps can be arbitrarily updated, it's a lot easier for us to act maliciously if we so chose (although, at least with web apps, inspecting network requests is quite easy).
So indeed, there is an element of trust here. You trust that I (or the entity known as 'uFincs') won't change the code in such a way that the security of the app is compromised. You also have to trust that we have such security measures in place that make it harder for some third-party malicious actor to forcefully change the operation of the app.
uFincs is not a trust-less system. Unfortunately, due to the nature of web apps (or even most apps for that matter), it simply cannot be. Anytime the code can be updated (and can't be audited), there is effectively zero security (for those who are particularly security-conscious). So if your (the general 'your') financial data is so sensitive that any chance of a leak would be utterly catastrophic, then don't even think of using uFincs.
But I like to think that putting these measures in place (particularly, using client-side encryption, not connecting to banks, not using any in-app analytics beyond our own, etc) is at least a step better — in terms of security and privacy — than what most other services do. And I like to think that, even if it's not perfect, it was still worth doing. Otherwise, I wouldn't have 'wasted' 2+ years of my life building uFincs :)
Thanks. I never would have thought “we encrypt” to mean “your browser encrypts”.
I think a few pictures showing how passwords and data flow between the user’s browser and the backend when you do various things would make your technical description easier to understand.
Lacking that, using phrases such as “our code, running in your browser” rather than that ambiguous “we”, would have made things clearer for me, too.
This looks like exactly something I've been after! I used to use an iOS app but really missed being able to access it on Windows... but the pricing just seems way too high. It's more expensive than a Photoshop sub...
As I replied down below (https://news.ycombinator.com/item?id=26972907), I don't have any concrete plans to open-source it at the moment. However, I know this is a pretty big sticking point for some people, so I have been working through some plans on how we could do it.
In particular (but again, no promises), I want to start by open-sourcing the custom Redux middleware that we use to handle data encryption. I feel like that's one of the most important parts to open-source (ya know, since it's the foundation of uFincs' security), but it's a matter of getting everything in order.
ufincs looks very cool! During my December holiday, I was thinking of making a web-based platform that had a more modern UI than GNUcash, and it looks like you built it already!
Just curious, what's your tech stack, how long have you been working on it, and how many users do you have?
That's exactly what uFincs is, a modern version of GnuCash! I had the exact same thoughts as you did :)
The simple tech stack breakdown is that the client-side is React + Redux + TypeScript + Sass. Of note, I use redux-saga, which has been an absolute boon for some of the more complex flows.
Design system is completely custom.
Backend API is Node + Feathers. Database is Postgres.
Marketing site is served separately from the app and is React + NextJS + Tailwind CSS.
I intend to write up a more complete breakdown of the tech stack sometime in the future.
In terms of how long it's taken to get this far, longer than I'd like to admit... there was a version '0.1' that was built as a capstone project over the course of 2019, then the redesigned version (uFincs as it exists now) that's been ongoing since the start of 2020.
And the user situation can look... misleading. I only 'officially' launched last week, so for the longest time the only user has been le-moi (and some friends that did testing), but I actually did just acquire my first paying customer yesterday!
It definitely isn't. At least, not yet. I've been thinking through different ways we could handle that aspect, but I don't have any concrete plans to open-source uFincs at the moment.
Assuming you had a perfect plug-in/extension system where I could write some JavaScript to create my own behaviors, that might do 80% of what people are looking for in the open source question.