When a CloudSync is performed, all objects on the Android device are first encrypted with AES-256 using the passphrase that you set up when you first ran JuiceSSH. They are then exported from the internal SQLite database into a JSON document that looks roughly like this (although with more than just two connections):

{
	"connections": [
		{
			"_id" : "a62a7b21-6yae-47ab-9331-67e93a6bac77",
			"data" : "+l1R+8D+R3I=\n#fD4/tiFpIFaJlfcyEM77Vw==\n#mGfOdOTShcYwSgQ3IahJJiURoO3nQzOpf2mjB35S8Q3ZG75FeNkffbTwWt558hpq0jUr+gKOlaWU\nDvFFRx3sWnHIUz1bhrmDCmtiCr6+Hf0BAZ5z8GHzKnfHxcUhhpbGS\nlDgeJKcPo70F9iRFLlpKS9u76H1TVMc5d0uVecTZI+PzSgbaQnJFroghdTBOAdJQosqOQDvUk14w\noaNjMmR7o+j0pvv4\n",
			"modified" : 1354732051842
		},
		{
			"_id" : "d916i4ee-e3fb-42ea-a87d-c88db16ebfa7",
			"data" : "/cViJe7Z/uI=\n#0zvHakBY8vqsrK50Y1CvDw==\n#5T/LqvPW/NgBqdrtawfKovryZOQ32xzn7oElFAlF+fjCbbC1B6v/igtMSES+1lN6CqI7JfV9fybA\nKDasCTt/8n0GIHL4g7KdGlTQH69nOjwLI7VMqaDDuLLQY2KVDupBM\naiSL378/3ghy9U3J+Tx22utHzpzCRO3JJUomuPIqSJXj5o48UFYueu0q/JVRbfMJGq+P33BIh+x9\nfZIN96Xl3HnFN+Pa\n",
			"modified" : 1354732052975
		}
	]
}

As you can see, the only information backed up for each object that's not encrypted is a unique UUID identifier and a modification date (used to compare which version is newer in a sync operation). This is then sent to our API via an HTTPS connection.
We then use Google tokens to authenticate your device with our API, as it's more secure than any authentication method we could write.
When our API receives your CloudSync, it associates all of the objects with your Google account and stores them in our MongoDB database (still encrypted).

We follow all security best practices (firewalling, intrusion detection, regular auditing etc.) on our servers. However, as SSH sessions require the utmost level of security, we have designed the whole system on the basis that even if an attacker were to penetrate our multiple levels of security, at most all they'd get is a bunch of AES-256 encrypted objects, completely useless without the decryption passphrase/key, which never leaves your mobile device.

According to Wikipedia, even if you had 50 of the most powerful supercomputers in the world today, it would take you 3×10^51 years to crack an AES-256 encryption key. If someone tried to brute force your passphrase, the encryption type we use (AES/CBC/PKCS5Padding/PBKDF2WithHmacSHA1) has also been specifically implemented to be slow (800ms - 1000ms per decryption attempt on modern hardware) so that brute force attacks are beyond the scope of reason.
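
An added example (not JuiceSSH code): a Python check that a sync document like the one above exposes only `_id` and `modified` in cleartext and that each `data` value has a shape consistent with AES/CBC. The `salt#iv#ciphertext` layout is an assumption inferred from the sample, whose first two base64 fields decode to 8 and 16 bytes; the function names and sample records are constructed for illustration.

```python
import base64
import json

CLEARTEXT_OK = {"_id", "modified", "data"}  # per the page, only _id and modified are unencrypted
AES_BLOCK = 16

def parse_blob(data):
    """Split 'salt#iv#ciphertext' (assumed layout) into raw bytes and sanity-check it."""
    parts = data.split("#")
    if len(parts) != 3:
        raise ValueError("expected 3 '#'-separated base64 fields, got %d" % len(parts))
    salt, iv, ct = (base64.b64decode(p) for p in parts)  # newlines are ignored
    if not salt:
        raise ValueError("empty salt")
    if len(iv) != AES_BLOCK:
        raise ValueError("IV is %d bytes, CBC needs %d" % (len(iv), AES_BLOCK))
    if not ct or len(ct) % AES_BLOCK:
        raise ValueError("ciphertext length %d is not a positive multiple of %d"
                         % (len(ct), AES_BLOCK))
    return salt, iv, ct

def audit(document):
    """Return a list of findings; an empty list means the document matches the description."""
    findings, seen = [], set()
    for kind, objects in json.loads(document).items():
        for obj in objects:
            oid = obj.get("_id", "<no _id>")
            extra = sorted(set(obj) - CLEARTEXT_OK)
            if extra:
                findings.append("%s/%s: unexpected cleartext fields %s" % (kind, oid, extra))
            try:
                salt, iv, _ = parse_blob(obj.get("data", ""))
            except ValueError as err:  # also covers malformed base64
                findings.append("%s/%s: %s" % (kind, oid, err))
                continue
            if (salt, iv) in seen:
                findings.append("%s/%s: salt and IV reused from another object" % (kind, oid))
            seen.add((salt, iv))
    return findings

def _blob(salt, iv, ct):  # builds constructed test data, not real JuiceSSH output
    return "#".join(base64.encodebytes(x).decode() for x in (salt, iv, ct))

GOOD = json.dumps({"connections": [
    {"_id": "id-1", "data": _blob(b"\x01" * 8, b"\x02" * 16, b"\x03" * 48), "modified": 1},
    {"_id": "id-2", "data": _blob(b"\x04" * 8, b"\x05" * 16, b"\x06" * 32), "modified": 2}]})
BAD = json.dumps({"connections": [
    {"_id": "id-3", "data": _blob(b"\x01" * 8, b"\x02" * 16, b"\x03" * 20),
     "modified": 3, "hostname": "example.invalid"}]})
```

`audit(GOOD)` returns no findings, while `audit(BAD)` flags both the extra cleartext `hostname` field and the ciphertext that is not a whole number of AES blocks.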

I hope this helps show that we take your security seriously and that we've done everything in our power to stop hackers (and us) from being able to access your personal data.