Security
How we protect the apps, and how to report a vulnerability.
Technical measures
- APK signing: v1 + v2 + v3, RSA 4096-bit key, dedicated keystore stored outside the repo.
- Hardened release build: R8 + minification enabled, debuggable=false, allowBackup=false.
- Network Security Config: cleartext disabled, HTTPS required for all network communication.
- Pass Tech: PBKDF2-HMAC-SHA256 with 600,000 iterations (OWASP 2023), AES-256-CBC + HMAC-SHA256 (encrypt-then-MAC), hardware-backed biometrics via Android Keystore + BiometricPrompt CryptoObject, root/emulator detection (RASP), clipboard content marked sensitive.
- Verifiable updates: each release publishes the APK SHA-256 in the GitHub notes.
- No Files Tech server: there is no backend, so no server-side leak is possible.
Audits
All three apps have undergone a full mobile audit (Code Audit + OWASP MASVS + Pentest):
- Pass Tech — score ~99/100
- PDF Tech — score ~92/100
- Read Files Tech — score ~92/100
Report a vulnerability
If you discover a vulnerability, please do not disclose it publicly before we can fix it.
- Email: contact@files-tech.com — subject "Security"
- Or via the contact form selecting "Security vulnerability"
We commit to acknowledging receipt within 72 hours and to publishing a fix within a reasonable time. You will be credited in the release notes if you wish.
Verification hash
Before installing an APK, verify that its SHA-256 matches the one published on the download page or in the GitHub release notes:
sha256sum app-arm64-v8a-release.apk
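The command above only prints the digest and leaves the comparison to the eye. The following wrapper is an added example, not part of the Files Tech project: it compares the computed digest with the published one and fails on a mismatch. The function name verify_apk and its exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify an APK against a published SHA-256.
# verify_apk and its exit codes (0 match, 1 mismatch, 2 bad input) are
# assumptions of this example, not part of the project.
verify_apk() {
    apk=$1
    # Normalise the published value: strip whitespace, lower-case the hex.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # A SHA-256 digest is exactly 64 hex characters; refuse truncated or
    # mangled values rather than "matching" on a prefix.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash must be 64 hex characters" >&2; return 2; }
    [ -f "$apk" ] || { echo "not a regular file: $apk" >&2; return 2; }

    # Hash from stdin so an odd file name cannot alter sha256sum's output format.
    actual=$(sha256sum < "$apk" | cut -d' ' -f1)
    [ "${#actual}" -eq 64 ] || { echo "could not hash $apk" >&2; return 2; }

    if [ "$actual" = "$expected" ]; then
        echo "OK: $apk matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: do not install $apk" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Usage: sh verify_apk.sh app-arm64-v8a-release.apk <hash from the release notes>
if [ "$#" -eq 2 ]; then
    verify_apk "$1" "$2"
fi
```

Copy the expected hash from the download page or GitHub release notes over HTTPS, not from the same place the APK file itself was obtained if that source is a mirror.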