iris_android is a privacy-first, on-device AI assistant. Security and privacy are fundamental to our mission. This document outlines our security practices, how to report vulnerabilities, and what users can expect from us.

1. On-Device Processing Only: All AI inference happens locally. No data is transmitted to external servers.
2. No Telemetry: We do not collect usage data, analytics, or telemetry.
3. Minimal Permissions: We request only the permissions necessary for core functionality.
4. Encrypted Storage: Sensitive data is stored using Android's encrypted preferences.
5. Open Source: All code is public and auditable.

• No Network Calls: AI models run entirely offline
• User Consent: Explicit consent required for accessing sensitive data
• Data Minimization: We collect and store only what's necessary
• Local Storage: All data remains on the device
• Secure Deletion: Proper data deletion when requested

We provide security updates for the following versions:

Please DO NOT create public GitHub issues for security vulnerabilities.

Instead, use GitHub's Security Advisory feature:

1. Navigate to the Security tab
2. Click "Advisories" → "New draft security advisory"
3. Provide detailed information about the vulnerability

Your security report should include:

1. Description: Clear description of the vulnerability
2. Impact: What could an attacker achieve?
3. Affected Components: Which parts of the app are affected?
4. Steps to Reproduce: Detailed steps to reproduce the issue
5. Proof of Concept: Code or screenshots demonstrating the vulnerability
6. Suggested Fix: If you have ideas for fixing it
7. Environment: App version, Android version, device model

• Initial Response: Within 48 hours
• Severity Assessment: Within 1 week
• Fix Development: Varies by severity (see below)
• Public Disclosure: After fix is released and users have time to update

• Input Validation: All user inputs properly validated and sanitized
• SQL Injection: No raw SQL queries, use parameterized queries
• Path Traversal: File paths properly validated
• Intent Security: Intent filters properly configured
• WebView Security: JavaScript disabled unless necessary
• Cryptography: Use Android Keystore for sensitive operations
• Permissions: Request minimum necessary permissions
• Data Storage: Use EncryptedSharedPreferences for sensitive data
• Network Security: Verify no unauthorized network calls
• Dependencies: Check for known vulnerabilities

// ✅ Good
fun processUserInput(input: String): Result {
    require(input.isNotBlank()) { "Input cannot be blank" }
    require(input.length <= MAX_LENGTH) { "Input too long" }
    return sanitizeAndProcess(input)
}

// ❌ Bad
fun processUserInput(input: String) = process(input)

// ✅ Good - Use EncryptedSharedPreferences
val sharedPreferences = EncryptedSharedPreferences.create(
    context,
    "secure_prefs",
    masterKey,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)

// ❌ Bad - Plain SharedPreferences for sensitive data
val sharedPreferences = context.getSharedPreferences("prefs", Context.MODE_PRIVATE)

// ✅ Good - Parameterized query
@Query("SELECT * FROM messages WHERE id = :messageId")
fun getMessageById(messageId: Long): Message?

// ❌ Bad - String concatenation
val query = "SELECT * FROM messages WHERE id = $messageId" // SQL injection risk

Before adding dependencies:

# Check for known vulnerabilities
./gradlew dependencyCheckAnalyze

# Update dependencies regularly
./gradlew dependencyUpdates

Run security-focused static analysis:

# Detekt with security rules
./gradlew detekt

# Android Lint
./gradlew lint

1. ProGuard/R8: Code obfuscation enabled in release builds
2. Certificate Pinning: N/A (no network calls)
3. Root Detection: Implemented for sensitive operations
4. Debugger Detection: Checks for debugging in release builds
5. Tamper Detection: Signature verification
6. Secure Random: Using SecureRandom for cryptographic operations
7. Memory Clearing: Sensitive data cleared after use

All permissions are:

• Requested at runtime
• Require explicit user consent
• Can be revoked at any time
• Not required for core functionality

• Weekly: Dependency vulnerability scans
• Monthly: Security-focused code reviews
• Quarterly: Penetration testing
• Annually: Third-party security audit (planned)

# Run all security checks
./gradlew clean assembleRelease lint detekt test

# Check dependencies
./gradlew dependencyCheckAnalyze

# Verify ProGuard rules
./gradlew assembleRelease
apktool d app/build/outputs/apk/release/app-release.apk

1. Local Attack Vector: If device is compromised, app data may be accessible
2. Side-Channel Attacks: Potential timing attacks on AI inference
3. Physical Access: Device with screen unlocked can access app data
4. Rooted Devices: Limited protection on rooted devices

• Encourage device encryption
• Implement app-level screen lock
• Clear sensitive data from memory
• Use Android Keystore for cryptographic keys
• Detect and warn on rooted devices

• Android Security Best Practices
• Device Encryption Guide
• App Permissions Guide

• OWASP Mobile Security
• Android Security Checklist
• Secure Coding Guidelines

We follow responsible disclosure practices:

1. Private Reporting: Vulnerabilities reported privately
2. Fix Development: Security team develops and tests fix
3. User Notification: Users notified of security updates
4. Public Disclosure: After fix is released and users have updated
5. Credit: Reporter credited (if desired) in security advisory

• Critical: 7 days after fix release
• High: 14 days after fix release
• Medium: 30 days after fix release
• Low: 60 days after fix release

We recognize security researchers who help improve iris_android:

• To be added as vulnerabilities are responsibly disclosed

For security-related questions or concerns:

• Security Advisories: GitHub Security Tab
• General Security Questions: Create a discussion in the Security category
• Non-Security Bugs: Use standard issue templates

This security policy is licensed under CC BY 4.0.

Last Updated: November 2025
Version: 1.0

This policy may be updated as the project evolves. Check back regularly for updates.