Wealth Manager is designed with security and privacy as core principles. This document outlines our security practices, vulnerability reporting process, and security features.
- Local-Only Storage: All financial data is stored locally on the device
- Encrypted Database: Room database with Android Keystore encryption
- No Cloud Sync: Complete privacy with no data transmission to external servers
- Secure Deletion: Complete data removal when uninstalling
- Biometric Authentication: Hardware-backed fingerprint/face recognition
- Session Management: 24-hour automatic session timeout
- Secure Storage: API keys encrypted using Android Keystore
- No Password Storage: No passwords stored locally or remotely
- HTTPS Only: All API communications use TLS 1.3
- Certificate Pinning: Validates API server certificates
- Request Encryption: Sensitive data encrypted in transit
- API Key Rotation: Support for key rotation and management
- Static Analysis: Detekt and ktlint for code quality
- Dependency Scanning: Regular security updates for dependencies
- ProGuard/R8: Code obfuscation in release builds
- Secure Coding: Following Android security best practices
We provide security updates for the following versions:
| Version | Supported | Security Updates |
|---|---|---|
| 1.4.x | β Yes | β Yes |
| 1.3.x | β No | β No |
| 1.2.x | β No | β No |
| 1.1.x | β No | β No |
| 1.0.x | β No | β No |
| < 1.0 | β No | β No |
We take security vulnerabilities seriously. If you discover a security vulnerability, please report it responsibly.
- DO NOT create a public GitHub issue
- DO NOT discuss the vulnerability publicly
- DO report privately using one of these methods:
- Go to the Security tab in our repository
- Click "Report a vulnerability"
- Fill out the security advisory form
Create a GitHub issue with the "security" label
Please include the following information:
- Description: Clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: Potential impact of the vulnerability
- Environment: OS version, app version, device model
- Proof of Concept: If applicable, include a minimal reproduction case
- Suggested Fix: If you have ideas for fixing the issue
- Initial Response: When available
- Status Update: As time permits
- Resolution: When possible
- Acknowledgment: We'll acknowledge receipt when possible
- Investigation: We'll investigate the vulnerability
- Status Updates: Regular updates on progress
- Fix Development: We'll develop and test a fix
- Release: We'll release a security update
- Disclosure: Coordinated disclosure after fix is available
- Keep App Updated: Always use the latest version
- Secure Device: Use device lock screen and biometric authentication
- API Keys: Keep your API keys secure and don't share them
- Regular Backups: Backup your data regularly (though it's stored locally)
- Device Security: Keep your device OS updated
- Secure Coding: Follow Android security guidelines
- Dependency Updates: Keep dependencies updated
- Code Review: Thorough security review of all changes
- Testing: Security testing for all features
- Documentation: Document security considerations
User Input β Validation β Encryption β Local Storage
β
API Request β TLS 1.3 β Certificate Validation β API Server
β
Response β Decryption β Validation β UI Display
App Launch β Biometric Check β Session Creation β App Access
β
Session Timeout β Re-authentication Required
API Key β Android Keystore β Encrypted Storage
β
Request β TLS 1.3 β Certificate Pinning β API Server
- Static Analysis: Detekt and ktlint
- Dependency Scanning: Automated vulnerability scanning
- Code Quality: Automated code quality checks
- Build Security: Secure build process
- Penetration Testing: Regular security assessments
- Code Review: Security-focused code reviews
- Threat Modeling: Regular threat model updates
- Security Audits: Third-party security audits
- No hardcoded secrets or API keys
- Input validation for all user inputs
- Secure error handling (no sensitive data in logs)
- Proper authentication checks
- Secure data storage practices
- HTTPS for all network requests
- No sensitive data in URLs or logs
- Security review completed
- Vulnerability scan passed
- Dependencies updated
- Code obfuscation enabled
- Security testing completed
- Security documentation updated
- No Data Collection: We don't collect any personal data
- No Analytics: No tracking or analytics collection
- No Third-Party Sharing: No data sharing with third parties
- No Cloud Storage: No data stored in the cloud
- No Remote Logging: No remote logging of sensitive data
- Local Storage Only: All data stored locally
- Encrypted Storage: All data encrypted at rest
- Secure Communication: All API communication encrypted
- Privacy First: Privacy by design principles
- Transparent Security: Open about security practices
- Stop Using the App: Immediately stop using the app
- Report the Issue: Follow the vulnerability reporting process
- Secure Your Device: Ensure your device is secure
- Change API Keys: If applicable, rotate your API keys
- Monitor for Updates: Watch for security updates
- Immediate Assessment: Assess the severity and impact
- User Notification: Notify affected users if necessary
- Fix Development: Develop and test a fix
- Security Update: Release a security update
- Post-Incident Review: Learn from the incident
- GitHub Security: Security Advisories
- GitHub Issues: Security Issues
- Response Time: When available
- GitHub Issues: Issues
- Documentation: Security Docs
- Coordinated Disclosure: We follow coordinated disclosure practices
- Responsible Disclosure: We appreciate responsible disclosure
- No Legal Action: We won't take legal action against security researchers
- Recognition: We recognize security researchers who help improve security
- Data Collection: We don't collect personal data
- Data Storage: All data stored locally on your device
- Data Sharing: No data sharing with third parties
- Data Deletion: Complete data deletion when uninstalling
Last Updated: October 2025
Next Review: March 2025
Questions? Create a GitHub issue or discussion