PinkRain is a privacy-first mental health and wellness tracking application built with security at its core. This document outlines our security policies, practices, and procedures for reporting security vulnerabilities.
Core Security Principle: All user data remains on-device and is never transmitted or collected by external services.
- Security Architecture
- Privacy-First Design
- Data Protection
- Supported Versions
- Reporting Security Vulnerabilities
- Security Best Practices
- Threat Model
- Security Features
- Third-Party Dependencies
- Security Testing
PinkRain implements a zero-trust, local-first architecture:
- No Data Collection: We never collect, store, or transmit user data
- Local Storage Only: All data is stored locally in an encrypted Hive database
- No Cloud Sync: Data never leaves the user's device
- No Analytics: No user behavior tracking or telemetry
- Open Source: Full transparency through open-source code
- Data Minimization: Only collect data necessary for app functionality
- Local Encryption: Sensitive data is encrypted at rest
- No Network Transmission: Personal data never leaves the device
- Secure Dependencies: Regular security audits of third-party packages
- Transparent Code: All security implementations are open source
- Encryption at Rest: Sensitive user data is encrypted using AES-256
- Secure Key Management: Encryption keys are generated and stored securely on-device
- Data Isolation: App data is sandboxed within the application container
- Secure Deletion: Proper data wiping when users delete information
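
The encryption-at-rest and key-management points above, sketched as an added example (not PinkRain's own code). It assumes the `flutter_secure_storage` and `hive_flutter` packages; the storage entry name and box name are hypothetical.

```dart
// Added example, not PinkRain's code. Assumes flutter_secure_storage
// (backed by Android Keystore / iOS Keychain) alongside Hive.
import 'dart:convert';

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:hive_flutter/hive_flutter.dart';

const _keyName = 'hive_box_key_v1'; // hypothetical secure-storage entry name
const _storage = FlutterSecureStorage();

/// Returns the 32-byte box key, creating it on first launch.
Future<List<int>> loadOrCreateBoxKey() async {
  final stored = await _storage.read(key: _keyName);
  if (stored != null) {
    final key = base64Url.decode(stored);
    if (key.length != 32) {
      // Refuse a truncated or altered key instead of silently replacing it:
      // a fresh key would make the existing box unreadable.
      throw StateError('Stored box key has unexpected length ${key.length}');
    }
    return key;
  }
  final key = Hive.generateSecureKey(); // 32 bytes from a secure RNG
  await _storage.write(key: _keyName, value: base64UrlEncode(key));
  return key;
}

/// Opens a box whose values are AES-256 encrypted on disk.
Future<Box<String>> openEncryptedBox(String name) async {
  final key = await loadOrCreateBoxKey();
  return Hive.openBox<String>(name, encryptionCipher: HiveAesCipher(key));
}

Future<void> main() async {
  await Hive.initFlutter();
  final moods = await openEncryptedBox('mood_entries'); // hypothetical box name
  // Hive encrypts values only; entry keys and the box name stay in plaintext,
  // so nothing sensitive belongs in the key.
  await moods.put('entry-1', 'calm'); // constructed sample entry
  // Deletion: remove the box file, then the key that could decrypt any copy.
  await moods.deleteFromDisk();
  await _storage.delete(key: _keyName);
}
```
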
Data Type | Storage Method | Encryption | Transmission |
---|---|---|---|
Mood Entries | Local Hive DB | Encrypted | Never transmitted |
Medication Data | Local Hive DB | Encrypted | Never transmitted |
Audio Preferences | Local Storage | Encrypted | Never transmitted |
User Settings | Local Storage | Encrypted | Never transmitted |
ML Model Data | Local Assets | Encrypted | Never transmitted |
- User Control: Users can delete their data at any time
- No Backup: We don't create external backups of user data
- App Uninstall: All data is removed when the app is uninstalled
- Data Export: Users can export their data in encrypted formats
We actively maintain and provide security updates for the following versions:
Version | Supported | Security Updates |
---|---|---|
2.1.x | Yes | Until 2025-12-31 |
2.0.x | Yes | Until 2025-06-30 |
1.x.x | No | End of Life |
- Security Updates: Released within 48 hours for critical vulnerabilities
- Regular Updates: Monthly security reviews and updates
- End-of-Life: 12-month support window for major versions
We encourage responsible disclosure of security vulnerabilities. Please follow these guidelines:
Email: [email protected] (preferred)
Subject: [SECURITY] PinkRain App Vulnerability Report
Please provide the following information:
- Vulnerability Description: Clear description of the security issue
- Steps to Reproduce: Detailed steps to reproduce the vulnerability
- Impact Assessment: Potential impact and affected users
- Proof of Concept: Code, screenshots, or logs (if applicable)
- Suggested Fix: Recommendations for addressing the issue (optional)
- Contact Information: How we can reach you for follow-up
- Initial Response: Within 24 hours of receiving the report
- Vulnerability Assessment: Within 72 hours
- Fix Development: 1-7 days (depending on severity)
- Release: Within 48 hours for critical issues
- Public Disclosure: 30 days after fix is released (coordinated disclosure)
Severity | Response Time | Definition |
---|---|---|
Critical | 24 hours | Remote code execution, data breach |
High | 48 hours | Privilege escalation, data exposure |
Medium | 1 week | Information disclosure, DoS |
Low | 2 weeks | Minor security improvements |
We believe in recognizing security researchers who help make PinkRain more secure:
- Hall of Fame: Recognition in our security acknowledgments
- Credit: Public credit in release notes (with permission)
- Communication: Direct communication channel with development team
- Keep Updated: Always use the latest version of PinkRain
- Device Security: Use device lock screens and biometric authentication
- App Permissions: Review and understand requested permissions
- Regular Backups: Export your data regularly for personal backups
- Suspicious Activity: Report any unusual app behavior
- Secure Coding: Follow OWASP Mobile Security guidelines
- Input Validation: Validate all user inputs and data
- Dependency Updates: Keep all dependencies up to date
- Security Testing: Run security tests before releases
- Code Review: All security-related code must be peer-reviewed
- Data Interception: Network-based attacks on user data
- Local Data Access: Unauthorized access to on-device data
- Malicious Dependencies: Compromised third-party packages
- Code Injection: Attempts to inject malicious code
- Privacy Violations: Unauthorized data collection or tracking
Attack Vector | Mitigation | Risk Level |
---|---|---|
Network Interception | No sensitive data transmission | Low |
Device Compromise | Local encryption, secure key storage | |
Malicious Dependencies | Regular audits, pinned versions | |
Social Engineering | User education, clear permissions | |
Physical Device Access | Device-level security, app sandboxing | High |
- Device-level security: Operating system vulnerabilities
- Physical device theft: Device encryption and lock screens
- Social engineering: User education and awareness
- Network infrastructure: ISP or network provider security
- Local Encryption: AES-256 encryption for sensitive data
- Secure Storage: Platform-specific secure storage APIs
- No Analytics: Zero telemetry or user tracking
- Minimal Permissions: Only essential permissions requested
- Sandboxed Execution: App runs in isolated environment
- Offline Operation: Full functionality without internet connection
- No User Accounts: No registration or login required
- No Cloud Services: All processing happens on-device
- Transparent Code: Open source for full transparency
- User Control: Complete control over personal data
When experimental AI features are enabled:
- Local ML: TensorFlow Lite models run entirely on-device
- No Cloud AI: No data sent to external AI services
- Secure Models: ML models are cryptographically signed
- Feature Isolation: Experimental features are sandboxed
We regularly audit our dependencies for security vulnerabilities:
- Automated Scanning: Daily dependency vulnerability scans
- Manual Review: Quarterly manual security reviews
- Version Pinning: Specific dependency versions to prevent supply chain attacks
- Minimal Dependencies: Only essential packages are included
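
One way to enforce the version-pinning point in CI, as an added example (not PinkRain's own tooling). It assumes `package:yaml` is available as a dev dependency; the function name is hypothetical.

```dart
// Added example, not PinkRain's tooling. Assumes package:yaml is available.
import 'dart:io';

import 'package:yaml/yaml.dart';

// An exact version such as 2.2.3 or 1.0.0-beta.1, with no ^, >=, < or "any".
final _exact = RegExp(r'^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$');

/// Returns one finding per dependency that is not pinned to a single version.
List<String> findUnpinned(String pubspecSource) {
  final doc = loadYaml(pubspecSource) as YamlMap;
  final findings = <String>[];
  for (final section in ['dependencies', 'dev_dependencies']) {
    final deps = doc[section];
    if (deps is! YamlMap) continue;
    for (final entry in deps.entries) {
      final name = entry.key;
      var constraint = entry.value;
      if (constraint is YamlMap) {
        if (constraint.containsKey('sdk')) continue; // flutter: {sdk: flutter}
        if (constraint.containsKey('git') || constraint.containsKey('path')) {
          findings.add('$section/$name: git or path source, review manually');
          continue;
        }
        constraint = constraint['version']; // hosted dependency, long form
      }
      // An empty value means "any version" to pub.
      if (constraint == null || !_exact.hasMatch('$constraint'.trim())) {
        findings.add('$section/$name: "${constraint ?? 'any'}" is not exact');
      }
    }
  }
  return findings;
}

void main(List<String> args) {
  final path = args.isEmpty ? 'pubspec.yaml' : args.first;
  final findings = findUnpinned(File(path).readAsStringSync());
  for (final finding in findings) {
    stderr.writeln(finding);
  }
  // pubspec.yaml covers direct dependencies only; transitive versions are
  // fixed by a committed pubspec.lock, which this check does not inspect.
  exit(findings.isEmpty ? 0 : 1);
}
```
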
Package | Purpose | Security Level | Last Audit |
---|---|---|---|
flutter | UI Framework | High | 2024-08-30 |
hive | Local Database | High | 2024-08-30 |
riverpod | State Management | High | 2024-08-30 |
tflite_flutter | ML Inference | High | 2024-08-30 |
just_audio | Audio Playback | High | 2024-08-30 |
- Vulnerability Monitoring: Automated alerts for security issues
- Update Strategy: Prompt updates for security patches
- Minimal Surface: Remove unused dependencies
- Source Verification: Verify package authenticity and integrity
- Static Analysis: Automated code security scanning
- Dependency Scanning: Regular vulnerability assessments
- Penetration Testing: Periodic security assessments
- Code Review: Security-focused peer reviews
- Data Encryption: Verify all sensitive data is encrypted
- Network Isolation: Ensure no unauthorized network requests
- Permission Validation: Verify minimal permission usage
- Input Validation: Test all user input handling
- Error Handling: Verify secure error handling
```bash
# Security testing commands
flutter analyze --fatal-infos
dart pub deps --json | dart pub global run pana
flutter test test/security/
```
As a mental health app, PinkRain handles highly sensitive personal information:
- HIPAA Awareness: While not HIPAA-covered, we follow similar privacy principles
- Mental Health Privacy: Extra protection for sensitive mental health data
- No Medical Claims: App disclaimers prevent medical liability
- Research Context: Data used only for personal tracking and research
- App Sandboxing: Android app sandbox provides isolation
- Keystore Integration: Android Keystore for secure key management
- Permission Model: Android 6+ runtime permission model
- App Signing: APK signing with strong cryptographic keys
- App Sandbox: iOS app sandbox provides process isolation
- Keychain Integration: iOS Keychain for secure credential storage
- App Transport Security: HTTPS enforcement for network requests
- Code Signing: Strong code signing requirements
- Browser Security: Relies on browser security model
- Local Storage: Encrypted local storage where supported
- HTTPS Only: All web requests over HTTPS
- CSP Headers: Content Security Policy headers
- Detection: Automated monitoring and user reports
- Assessment: Rapid evaluation of impact and scope
- Containment: Immediate steps to prevent further impact
- Investigation: Thorough analysis of the incident
- Remediation: Fix development and deployment
- Communication: Transparent user communication
- Post-Incident: Lessons learned and process improvements
- Security Team: [email protected]
- General Support: [email protected]
- OWASP Mobile Security
- Flutter Security Guidelines
- Dart Security Best Practices
- Android Security Best Practices
- iOS Security Guidelines
- Email: [email protected]
- PGP Key: Available upon request
- Response Time: 24 hours for security issues
- Email: [email protected]
- GitHub Issues: For non-security related issues
- GitHub Discussions: Community support and questions
This security policy is reviewed and updated regularly:
- Last Updated: August 30, 2024
- Version: 1.0
- Next Review: November 30, 2024
- 2024-08-30: Initial security policy creation
- 2024-08-30: Added threat model and security architecture
- 2024-08-30: Defined vulnerability disclosure process
We thank the security research community for helping make PinkRain more secure:
- Security researchers who report vulnerabilities responsibly
- The Flutter and Dart security teams for framework security
- The open-source security community for tools and guidance
This security policy is part of PinkRain's commitment to user privacy and security. By using PinkRain, you acknowledge that:
- Security is a shared responsibility between users and developers
- No system is 100% secure, but we strive for best practices
- Users should follow basic security hygiene on their devices
- This policy may be updated to reflect new security measures
"Your mental health matters. Your privacy and security matter more."
Made with ❤️ for privacy-first mental health technology