-
-
Notifications
You must be signed in to change notification settings - Fork 1
Security
AstorisTheBrave edited this page Jul 4, 2026
·
1 revision
URSA connects only to servers you already control and stores as little as possible. Its full security posture is mapped to the OWASP Mobile Application Security Verification Standard (MASVS) in docs/security.mdx. This page is a short summary.
- Credentials at rest. After login only the session token is stored, encrypted with AES-256-GCM (Tink) under a master key held in the Android Keystore. Your password and TOTP are never written to disk.
- Transport. All traffic uses TLS by default (OkHttp for the live connection, Ktor for status pages).
-
Screen contents.
FLAG_SECUREis set app-wide, so monitor data and server URLs stay out of screenshots, screen recordings, and the recents preview. - Push surface. The push service is not exported, and push payloads are treated as untrusted input (parsed tolerantly, render-only).
- Privacy. No analytics, no telemetry, no third-party endpoints. URSA talks only to your server and your chosen push distributor.
- Self-signed certificates. Trusting one is opt-in per connection and clearly labelled. Only enable it for servers you control.
- Plain HTTP. Allowed so plain-HTTP self-hosted instances work. Prefer HTTPS.
These are documented, tracked items, not accidents. A remediation backlog (for example an optional biometric app lock and tightening cleartext to specific hosts) is maintained in the security document.
Please report privately, not in public issues. See the Security Policy.