Why and How We Created Inbox Security Scan

At Dashlane, we’re constantly monitoring engagement in our apps hoping to find areas where we can improve the users’ experience and add instant value to their lives.

Our desktop app already had a really satisfying way for people to get started with Dashlane: In one click, our web extension pulls all accounts and passwords saved in your browser into the desktop app so you can update your passwords and increase your account security right away. Instant value.

But we never had a comparable experience for mobile. Until recently.

The problem: How do we create an instant value experience in our mobile app?

We knew we had to create an experience that could mimic this instant value for our mobile-first customers—a way to speed up the process of getting existing accounts into Dashlane. That’s not to say our customers don’t love the mobile apps, but we could feel more confident about sending someone to download Dashlane from the App Store or Google Play if their onboarding was significantly faster.

The solution: Inbox Security Scan for iOS and Android

Every time you create an account online, what’s the first thing that happens? That’s right, you get an email in your inbox thanking you for creating an account.

Your inbox is filled with account creation emails and online orders. All of those emails create a pretty clear picture of your digital footprint over time.

If we could build a tool that was able to analyze this data securely and automatically, we would be able to create instant value by filling your Dashlane with all of the existing accounts found in your inbox.

So, we went to work and created Inbox Security Scan.

With this tool, we’re able to scan your emails in one click—with your permission, of course—to detect the emails linked to account creations, password resets, and purchases.

How does it work?

Using the search filters available to us via Gmail’s API and the Microsoft Graph API, we gather a list of potential emails based on a set of keywords and phrases, and then download their contents to the mobile device to analyze them. Using the same language-processing tool that allows the Dashlane web extension to autofill forms online—our semantic engine—we run a security analysis scan that can extract data such as the date when the account was created, the account login, and the website where the account was created.

With these results, we draw up a history of your online activity and categorize your accounts, highlighting the ones which are the most critical to your digital identity.

Inbox Security Scan categories

We also check the account creation dates and cross-reference them with our internal database of data breaches to identify any accounts that may be at risk.
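The flow described above, as an added example (not Dashlane's code; their semantic engine is not shown on this page): a keyword pre-filter for the mail API, on-device extraction of site, login and date, and a cross-reference against breach dates. The keyword phrases, the sender-domain heuristic, the breach table, the sample messages and all function names are assumptions.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed keyword phrases; the page does not list the real ones.
KEYWORDS = {"creation": ["welcome to", "confirm your account"],
            "reset": ["reset your password"],
            "purchase": ["order confirmation"]}
# Constructed breach table (site -> breach date); not real data.
BREACHES = {"shop.example": date(2019, 5, 1)}
# Constructed sample messages standing in for downloaded mail.
SAMPLE = [
    "From: Shop <noreply@mail.shop.example>\nTo: alice@example.com\n"
    "Subject: Welcome to Shop\nDate: Mon, 05 Mar 2018 10:00:00 +0000\n\nThanks!",
    "From: Forum <accounts@forum.example>\nTo: alice@example.com\n"
    "Subject: Reset your password\nDate: Tue, 02 Jun 2020 09:30:00 +0000\n\nLink.",
    "From: Bob <bob@example.org>\nTo: alice@example.com\n"
    "Subject: Lunch?\nDate: Wed, 03 Jun 2020 12:00:00 +0000\n\nNoon?",
]

def gmail_query():
    """Pre-filter string for the `q` parameter of Gmail's messages.list call."""
    phrases = [f'"{p}"' for group in KEYWORDS.values() for p in group]
    return "subject:(" + " OR ".join(phrases) + ")"

def analyze(raw):
    """On-device step: classify one message and extract the account facts."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").lower()
    kind = next((k for k, group in KEYWORDS.items()
                 if any(p in subject for p in group)), None)
    if kind is None:
        return None  # the server-side filter is coarse, so re-check locally
    site = parseaddr(msg["From"] or "")[1].rsplit("@", 1)[-1].lower()
    site = re.sub(r"^(mail|email|news|noreply|accounts)\.", "", site)
    when = parsedate_to_datetime(msg["Date"]).date()
    breach = BREACHES.get(site)
    return {"site": site, "login": parseaddr(msg["To"] or "")[1].lower(),
            "date": when, "kind": kind,
            "at_risk": breach is not None and when <= breach}

def scan(raw_messages):
    """Keep only extracted fields, earliest sighting per account, at-risk first."""
    accounts = {}
    for raw in raw_messages:
        found = analyze(raw)
        if found is None:
            continue
        key = (found["site"], found["login"])
        if key not in accounts or found["date"] < accounts[key]["date"]:
            accounts[key] = found
    return sorted(accounts.values(), key=lambda a: (not a["at_risk"], a["site"]))
```

Only the extracted fields leave `analyze`; the raw message text is dropped as soon as each message has been processed.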

Dashlane's Inbox Security Scan security analysis

We then allow you to save these accounts inside Dashlane so you can get started on updating passwords and increasing your account security.

Dashlane's Inbox Security Scan

Once in Dashlane, these accounts are treated like all your other accounts saved in Dashlane. That means if you store an account, and that service later gets breached, you will be notified via a security alert to change your password. This is one of the many ways that Dashlane works to eliminate compromised passwords and secure your digital identity.

Wait, you’re looking through my emails? How is this secure?

Under Dashlane’s strict security principles, we had to find a way to run the scan securely and with respect for your privacy. By using the OAuth2 protocol to access Gmail (or Outlook, which is available only to Android users), we never ask you for your password directly. We never store any of your emails either.

OAuth2 diagram from Wikipedia

All the processing happens locally on your mobile device, and the emails are never stored or sent to any server. The email data doesn’t even outlive the scan process unless you choose to import the accounts into the Dashlane vault. Client-side processing allows us to fully respect the zero-knowledge Dashlane vision.

Have we succeeded?

Based on early customer feedback and results, Inbox Security Scan has been a big step in the right direction with regard to providing instant value for customers and helping them get a good chunk of their accounts into Dashlane right away.

Despite its limitations—like the fact that accounts imported through Inbox Security Scan don’t include the passwords for those accounts—customers have been delighted to find all of their long-lost accounts, many of which they were shocked even existed!

This post was co-written by Dashlane mobile app engineers Jason Akakpo and Martin Devillers.