The FastMask team takes security seriously. We appreciate your efforts to responsibly disclose your findings.
If you discover a security vulnerability, please report it by:
- Opening a private security advisory on GitHub:
  - Go to the Security tab
  - Click "New draft security advisory"
  - Provide details about the vulnerability
- Or emailing the maintainer directly (if an email address is listed in the repository owner's profile)

Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
What to expect after reporting:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Resolution timeline: depends on severity, typically 30-90 days
- API tokens are stored using Android's EncryptedSharedPreferences (androidx.security.crypto)
- Preference values are encrypted with AES-256-GCM and preference keys with AES-256-SIV
- No sensitive data is stored in plain text
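The following is an added example of the storage scheme described above, written for this page; it is not FastMask's own code. It uses the public androidx.security.crypto API (MasterKey and EncryptedSharedPreferences). The class name, preferences file name and preference key are assumptions for illustration.

```kotlin
// Added example, not the app's own code: a token store built on
// EncryptedSharedPreferences with the key/value schemes named above.
// TokenStore, "fastmask_secure_prefs" and "api_token" are assumed names.
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

class TokenStore(context: Context) {

    // The master key is generated inside the Android Keystore and never
    // leaves it; AES256_GCM is the key scheme the library provides for it.
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    private val prefs = EncryptedSharedPreferences.create(
        context,
        "fastmask_secure_prefs",  // assumed file name
        masterKey,
        // Preference *keys* use deterministic AES-256-SIV so a key name can
        // still be looked up; *values* use AES-256-GCM with a fresh IV each
        // write, so two identical tokens never produce identical ciphertext.
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun saveToken(token: String) {
        // commit() rather than apply(): fail loudly if the write does not land,
        // instead of silently continuing with an unsaved credential.
        check(prefs.edit().putString(KEY_API_TOKEN, token).commit()) {
            "failed to persist API token"
        }
    }

    fun loadToken(): String? = prefs.getString(KEY_API_TOKEN, null)

    fun clearToken() {
        prefs.edit().remove(KEY_API_TOKEN).apply()
    }

    private companion object {
        const val KEY_API_TOKEN = "api_token"  // assumed preference key
    }
}
```

Two points a reviewer would check against this pattern: the encrypted XML file still lives in the app's private storage, so it should be excluded from cloud backups (backup rules or `android:allowBackup="false"`) or the ciphertext plus the Keystore-bound key leaves the device on a different footing than the user expects; and because key names are encrypted deterministically, an attacker who can read the file learns which preferences exist, just not their values, so nothing secret should be encoded in a preference name.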
- All communication with Fastmail uses HTTPS/TLS
- The app ships a Network Security Config that restricts trust for api.fastmail.com to the system CA store (user-installed CAs are not honored)
- Certificate pinning (SPKI hash pinning) is planned but not yet enabled; see app/src/main/res/xml/network_security_config.xml
- HTTP request/response logging is disabled in release builds (debug builds log only headers, with Authorization redacted)
- No data is sent to third-party servers
- No analytics or tracking
- No data collection
- Direct communication with Fastmail API only
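As an added example (not FastMask's own code), here is how the logging policy above maps onto an OkHttp client: no wire logging at all in release builds, headers only in debug builds, and the Authorization header redacted before it reaches logcat. It deliberately installs no custom TrustManager or HostnameVerifier, so trust decisions stay with the platform and the Network Security Config. The object name and the timeouts are assumptions; the caller is expected to pass Gradle's generated `BuildConfig.DEBUG` as the `debug` flag.

```kotlin
// Added example, not the app's own code: an OkHttp client whose logging
// matches the policy above. FastmailHttp and the timeouts are assumed;
// call client(BuildConfig.DEBUG) from app code.
import okhttp3.OkHttpClient
import okhttp3.logging.HttpLoggingInterceptor
import java.util.concurrent.TimeUnit

object FastmailHttp {

    fun client(debug: Boolean): OkHttpClient {
        // No sslSocketFactory / hostnameVerifier overrides: TLS trust is decided
        // by the system CA store as scoped by network_security_config.xml.
        val builder = OkHttpClient.Builder()
            .connectTimeout(15, TimeUnit.SECONDS)
            .readTimeout(30, TimeUnit.SECONDS)

        if (debug) {
            val logging = HttpLoggingInterceptor().apply {
                // HEADERS logs request/response lines and headers but never
                // bodies, so request and response payloads stay out of logcat.
                level = HttpLoggingInterceptor.Level.HEADERS
                // The interceptor replaces this header's value with a
                // placeholder in its output, so the bearer token is never logged.
                redactHeader("Authorization")
            }
            builder.addInterceptor(logging)
        }
        // In release builds (debug == false) no logging interceptor is
        // installed at all, so there is nothing to redact.
        return builder.build()
    }
}
```

Redaction is by exact header name, so if a second credential-bearing header is ever added it needs its own `redactHeader` call; a build-time check that the release client has no `HttpLoggingInterceptor` in `client(false).interceptors` is a cheap regression test for the "disabled in release" claim.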
| Version | Supported |
|---|---|
| 1.x | ✅ |
- Protect your API token: Treat it like a password
- Use device security: Enable screen lock on your device
- Keep the app updated: Install updates for security fixes
- Review permissions: The app only requests necessary permissions
The following are in scope for security reports:
- Authentication and authorization issues
- Data leakage or exposure
- Cryptographic weaknesses
- API security issues
The following are out of scope:
- Social engineering attacks
- Physical attacks on user devices
- Denial of service attacks
- Issues in third-party dependencies (report to upstream)