Who and what do you trust if you use this app? First of all, you trust me and my professionalism. You trust that the app has been designed to work properly and that all its sub-components are also designed by professional and well-meaning people.
You trust that AES is a reliable cryptographic method and that there exists no practical way to break it. You trust that the estimates of quantum computing resilience in this table hold for AES, PBKDF2, and the SHA-256 hash function that PBKDF2 uses as its pseudo-random function. Note that this app uses even longer passwords and more iterations of PBKDF2 than the estimates in the table assume.
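The paragraph above names the construction the app relies on: PBKDF2 with HMAC-SHA-256 as its pseudo-random function, with the work factor set by the iteration count. The following is an added example (not code from the app or its author) showing that construction with Python's standard library: it derives a 256-bit key, verifies a password in constant time, measures how the cost grows with iterations, and checks the library against the published PBKDF2-HMAC-SHA-256 test vector. The key length, salt length and iteration counts are constructed for illustration; the page does not state the app's actual parameters.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for this example. The page says the app uses longer
# passwords and more iterations than the resilience table assumes, but it does
# not state the actual numbers, so these values are illustrative only.
KEY_LEN = 32        # 256-bit key, the size an AES-256 key needs
SALT_LEN = 16       # 128-bit random salt, generated per password


def derive_key(password: str, salt: bytes, iterations: int, key_len: int = KEY_LEN) -> bytes:
    """PBKDF2 with HMAC-SHA-256 as the pseudo-random function (the PRF the page names)."""
    if iterations < 1:
        raise ValueError("PBKDF2 needs at least one iteration")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=key_len)


def new_salt() -> bytes:
    """A fresh random salt, so two users with the same password never share a key."""
    return os.urandom(SALT_LEN)


def verify_password(password: str, salt: bytes, iterations: int, expected_key: bytes) -> bool:
    """Re-derive and compare in constant time, so timing does not leak how many bytes matched."""
    candidate = derive_key(password, salt, iterations, len(expected_key))
    return hmac.compare_digest(candidate, expected_key)


def seconds_per_derivation(password: str, salt: bytes, iterations: int) -> float:
    """Wall-clock cost of one derivation; it grows roughly linearly with the iteration count,
    which is what makes offline guessing of a stolen key expensive."""
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start


def matches_known_vector() -> bool:
    """Sanity check against the published PBKDF2-HMAC-SHA-256 test vector:
    password 'password', salt 'salt', 1 iteration, 32-byte output."""
    expected = bytes.fromhex("120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b")
    return derive_key("password", b"salt", 1) == expected


if __name__ == "__main__":
    passphrase = "correct horse battery staple"   # constructed sample input
    salt = new_salt()
    for iters in (1_000, 10_000, 100_000):
        print(f"{iters:>7} iterations: {seconds_per_derivation(passphrase, salt, iters):.4f} s")
    key = derive_key(passphrase, salt, 100_000)
    print("verify ok:", verify_password(passphrase, salt, 100_000, key))
    print("known vector ok:", matches_known_vector())
```

Running the script prints the derivation time at each iteration count; the point to take away is that the defender chooses the iteration count high enough that one derivation is still cheap for a legitimate user but a large number of guesses is not, and that a longer passphrase multiplies the guess space independently of the iteration count.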
You trust the Domain Name System (DNS), the DNSSEC signatures that authenticate the name crypt-app.net (provided your resolving name server validates DNS signatures), and the Certificate Transparency ecosystem. You trust the hosting provider, the protection of its servers, and that the app's code is sent from the website to your device unchanged. You trust that the network connection is authenticated and encrypted to the best available standards. You trust that your web browser works correctly, does not contain malicious code, and that the cryptographic primitives in the browser are implemented correctly. You trust that your system is not infected with any malicious software that could interfere with the app's operation at the browser or operating-system level, and that no side-channel attack is in progress.
Automated means can check some of the above to a certain extent. An easy way to check the technical integrity of any website (whether the domain name is signed, whether the site uses modern security settings, etc.) is to use the tool provided by the Dutch Internet Standards Platform at internet.nl. Another tool is the free ImmuniWeb SSL/TLS Security Test, which checks whether a service meets the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements, the U.S. Health Insurance Portability and Accountability Act (HIPAA) requirements, and the U.S. National Institute of Standards and Technology (NIST) guidelines. urlscan.io is a free service that reveals what really happens when you open a link: it browses the website like a regular user and records all page navigation activity.
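The DNSSEC caveat two paragraphs up ("provided your resolving name server validates DNS signatures") is one of the items an automated check can cover, without any third-party service: a validating resolver sets the AD (authenticated data) bit in its response, so a client can send a query and inspect that flag. The following is an added example, not code from the app or any of the tools named above, that builds a minimal DNS query with Python's standard library, sends it to a resolver of your choice, and reports whether the answer came back with AD set. The resolver address and the sample responses are constructed for the example.

```python
import os
import socket
import struct

# Header flag bits from RFC 1035 and RFC 4035.
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: the resolver validated the DNSSEC chain
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = TYPE_A) -> bytes:
    """Standard query with RD and AD set. Setting AD in the query tells the
    resolver we understand the AD bit (RFC 6840, section 5.7)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(response: bytes) -> dict:
    """Decode the 12-byte header; the flags are all we need for this check."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "answers": an,
    }


def validated(response: bytes, expected_txid: int) -> bool:
    """True only for a matching, successful response that carries the AD bit."""
    h = parse_header(response)
    if h["txid"] != expected_txid or not h["is_response"]:
        raise ValueError("response does not match our query")
    return h["rcode"] == 0 and h["ad"]


def resolver_validates(name: str, resolver: str, port: int = 53, timeout: float = 3.0) -> bool:
    """Live check: query the given resolver over UDP and report whether AD was set."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, port))
        response, _ = sock.recvfrom(4096)
    return validated(response, txid)


# Constructed header-only responses standing in for what a resolver would return:
# one from a validating resolver (AD set) and one from a non-validating resolver.
SAMPLE_AD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
SAMPLE_NO_AD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed local resolver
    print("offline sample, validating resolver:", validated(SAMPLE_AD, 0x1234))
    print("offline sample, non-validating resolver:", validated(SAMPLE_NO_AD, 0x1234))
    print(f"crypt-app.net via {resolver}: AD set ->", resolver_validates("crypt-app.net", resolver))
```

Two caveats on reading the result. AD absent for a name the page says is signed means your resolver is not validating (or something on the path stripped it), and you should fix the resolver rather than trust the answer. AD present is only as trustworthy as the path between you and the resolver, because the bit is plain text that anyone on that path could set; it is meaningful from a validating resolver on your own host or over an authenticated transport such as DNS over TLS, not from an arbitrary resolver reached over the open network.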
The trustworthy operation of your own device is essential: use an up-to-date version of your browser, use only trusted plug-ins or extensions, install all security updates to your operating system, and keep your anti-malware software updated.