| Version | Supported |
|---|---|
| 1.0.x | Yes |
Thump takes health data security seriously:
- On-device only: Health data never leaves the user's device
- Encrypted at rest: All health snapshots are encrypted with AES-256-GCM before storage
- Keychain-protected keys: Encryption keys are stored in the iOS/watchOS Keychain with `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`, so they are readable only after the device has been unlocked once since boot and are never migrated to another device or included in iCloud Keychain
- No server-side storage: No backend servers store or process user health data
- Anonymous analytics: Usage analytics contain no personally identifiable information or health data
- Scoped HealthKit access: Read-only access to specific metrics; no write access requested
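The "encrypted at rest" and "Keychain-protected keys" points above, as an added Swift example. This is not Thump's own code; the Keychain service/account strings, the snapshot payload and the output path are assumptions made for the example. It generates a 256-bit key on first use and stores it with `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`, seals each snapshot with AES-256-GCM under a fresh random nonce, verifies the tag on read, and writes the sealed blob with Data Protection on top of the app-level encryption.

```swift
import Foundation
import CryptoKit
import Security

// Hypothetical Keychain item identifiers (assumption, not Thump's real values).
private let keychainService = "app.thump.example.snapshot-key"
private let keychainAccount = "snapshot-aes256-key"

enum SnapshotVaultError: Error {
    case keychain(OSStatus)
    case unsupportedNonce
}

/// Returns the app's 256-bit AES key, creating and storing it on first use.
/// AfterFirstUnlockThisDeviceOnly: readable once the device has been unlocked
/// since boot (so background processing still works), never migrated to
/// another device and excluded from iCloud Keychain.
func loadOrCreateSnapshotKey() throws -> SymmetricKey {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecSuccess, let keyData = item as? Data {
        return SymmetricKey(data: keyData)
    }
    guard status == errSecItemNotFound else { throw SnapshotVaultError.keychain(status) }

    // First run: generate the key and persist it with the restrictive accessibility class.
    let key = SymmetricKey(size: .bits256)
    let keyData = key.withUnsafeBytes { Data($0) }
    query.removeValue(forKey: kSecReturnData as String)
    query.removeValue(forKey: kSecMatchLimit as String)
    query[kSecValueData as String] = keyData
    query[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    let addStatus = SecItemAdd(query as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw SnapshotVaultError.keychain(addStatus) }
    return key
}

/// Seals a serialized snapshot. Output layout is nonce || ciphertext || tag
/// (CryptoKit's `combined` form). A random 12-byte nonce is drawn per call;
/// reusing a nonce under the same key would break GCM's guarantees.
func sealSnapshot(_ plaintext: Data, key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.seal(plaintext, using: key)
    guard let combined = box.combined else { throw SnapshotVaultError.unsupportedNonce }
    return combined
}

/// Opens a sealed snapshot. AES.GCM.open checks the tag before returning any
/// plaintext: a single modified byte in `stored` throws
/// CryptoKitError.authenticationFailure instead of yielding garbage.
func openSnapshot(_ stored: Data, key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.SealedBox(combined: stored)
    return try AES.GCM.open(box, using: key)
}

/// Writes the sealed blob with file-level Data Protection (class Complete),
/// so the file itself is also unreadable while the device is locked.
func persistSnapshot(_ sealed: Data, to url: URL) throws {
    try sealed.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Round trip on a constructed snapshot, including a tamper check.
func roundTripDemo() throws {
    let key = try loadOrCreateSnapshotKey()
    // Constructed sample payload, not real user data.
    let snapshot = Data(#"{"heartRate":72,"timestamp":"2024-01-01T00:00:00Z"}"#.utf8)
    let sealed = try sealSnapshot(snapshot, key: key)
    let url = FileManager.default.temporaryDirectory.appendingPathComponent("snapshot.bin")
    try persistSnapshot(sealed, to: url)

    let restored = try openSnapshot(try Data(contentsOf: url), key: key)
    precondition(restored == snapshot)

    var tampered = sealed
    tampered[tampered.count - 1] ^= 0x01      // flip one bit of the GCM tag
    do {
        _ = try openSnapshot(tampered, key: key)
        preconditionFailure("tampered ciphertext must not decrypt")
    } catch {
        // Expected: authentication failure, no plaintext released.
    }
}
```

Two design points worth noting. The accessibility class is a trade-off: `WhenUnlockedThisDeviceOnly` is stricter but makes the key unavailable to background work (for example HealthKit background delivery) once the device relocks, which is why `AfterFirstUnlock` is the usual choice for data an app must process while the screen is off. And because GCM authenticates the ciphertext, the read path should treat any decryption error as tampering or corruption and refuse to use the data, not fall back to a partial parse.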
If you discover a security vulnerability, please report it responsibly:
- Do not open a public issue
- Email: security@thump.app
- Include steps to reproduce and potential impact
- We will acknowledge receipt within 48 hours
- We will provide a fix timeline within 7 days
The following areas of the app are in scope for reports:
- Local data encryption and key management
- HealthKit permission handling
- WatchConnectivity message integrity
- StoreKit transaction validation
- UserDefaults data protection
The following are out of scope:
- Physical device access (the device passcode is the first line of defense)
- Jailbroken devices
- Apple framework vulnerabilities (report these to Apple)