Security: PixelSphereApp/Enjoy-Movie

Security Policy

Security

The security of Enjoy Movie is important to us. This document outlines security procedures and policies.

Reporting a Vulnerability

If you discover a security vulnerability, please do NOT open a public issue. Instead:

  1. Email: Send details to hello@enjoymovie.pro
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

We will respond within 48 hours and work with you to understand and resolve the issue.

Security Best Practices

For Users

  1. API Keys: Never share your API keys publicly
  2. Firebase Config: Keep your Firebase configuration files private
  3. Credentials: Use strong passwords for third-party service accounts
  4. Updates: Keep the app updated to the latest version
  5. Permissions: Review app permissions before granting access

For Developers

  1. Never Commit Secrets:

    • Don't commit API keys, tokens, or credentials
    • Use .gitignore to exclude sensitive files
    • Review changes before committing
  2. Configuration Files:

    • Always use .example files for templates
    • Keep actual config files local only
    • Verify .gitignore includes all sensitive files
  3. Dependencies:

    • Regularly update dependencies
    • Review security advisories
    • Use flutter pub outdated to check for updates
  4. Code Review:

    • Review all code changes for security issues
    • Look for hardcoded credentials
    • Check for injection vulnerabilities
  5. API Security:

    • Always use HTTPS
    • Validate all user inputs
    • Implement proper error handling
    • Don't expose sensitive data in error messages

Sensitive Files

The following files should NEVER be committed to version control:

android/app/google-services.json
ios/Runner/GoogleService-Info.plist
android/signing.properties
*.jks
*.keystore
lib/config/api_keys.dart

These are already in .gitignore, but always double-check before committing.

Security Checklist

Before deploying or sharing your fork:

  • All API keys are stored in api_keys.dart (not in git)
  • Firebase config files are excluded from git
  • Signing keys are not committed
  • No hardcoded credentials in source code
  • Dependencies are up to date
  • .gitignore is properly configured
  • Test credentials are removed

Secure Development Workflow

  1. Clone the repository
  2. Create local config files (from .example files)
  3. Add your API keys locally
  4. Develop features
  5. Before committing:
    • Run git status to check staged files
    • Verify no sensitive files are included
    • Review the diff for any secrets
  6. Commit and push only non-sensitive files
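The "before committing" checks above can be automated. The following is an added example, not part of the project's repository: a Git pre-commit hook in POSIX shell that rejects a commit when a staged path matches the Sensitive Files list. The function names and the install location (.git/hooks/pre-commit) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Enjoy Movie repository.
# Assumption: installed as .git/hooks/pre-commit and marked executable.

# Returns 0 when the path matches the policy's "Sensitive Files" list.
# In a case pattern "*" also matches "/", so *.jks applies at any depth,
# the same way the .gitignore entry does.
is_sensitive() {
    case "$1" in
        android/app/google-services.json) return 0 ;;
        ios/Runner/GoogleService-Info.plist) return 0 ;;
        android/signing.properties) return 0 ;;
        lib/config/api_keys.dart) return 0 ;;
        *.jks | *.keystore) return 0 ;;
    esac
    return 1
}

# Reads one path per line on stdin, prints every sensitive one,
# and returns 1 if at least one was found.
find_sensitive() {
    found=0
    while IFS= read -r path; do
        if is_sensitive "$path"; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    return "$found"
}

# Checks the index (what "git commit" would record). Deleted paths are
# filtered out so that removing a leaked file from the repo is still allowed.
check_staged() {
    if hits=$(git -c core.quotePath=false diff --cached --name-only \
                  --diff-filter=ACMR | find_sensitive); then
        return 0
    fi
    echo "Commit blocked, sensitive files are staged:" >&2
    printf '%s\n' "$hits" | sed 's/^/  /' >&2
    echo "Unstage with: git restore --staged <file>" >&2
    return 1
}

# Run the check only when this file is executing as the pre-commit hook.
case "$0" in
    *pre-commit) check_staged || exit 1 ;;
esac
```

A .gitignore entry does not stop a file that was force-added or was already tracked, which is the case this hook catches.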

App Permissions

The app requests the following permissions:

  • Internet - For API calls and streaming
  • Storage - For caching images and data
  • Notifications - For movie release alerts
  • Camera (optional) - For QR code scanning
  • Photos (optional) - For saving images

Users should review and grant only necessary permissions.

Third-Party Services

This app integrates with:

  • Firebase (Analytics, Crashlytics)
  • Google Sign-In (Authentication)
  • Trakt.tv (Movie tracking)
  • SIMKL (Social tracking)
  • Rotten Tomatoes (Reviews)

Each service has its own privacy policy and terms of service. Users are responsible for reviewing and accepting these terms.

Data Collection

The app may collect:

  • Anonymous analytics (via Firebase Analytics)
  • Crash reports (via Firebase Crashlytics)
  • User preferences (stored locally)
  • Viewing history (if connected to Trakt/SIMKL)

No personal data is collected without user consent.

Network Security

  • All network requests use HTTPS
  • Certificate pinning (recommended for production)
  • No data transmitted in plain text
  • API tokens stored securely using platform keychain

Regular Security Updates

We regularly:

  • Update dependencies
  • Review security advisories
  • Patch known vulnerabilities
  • Monitor for security issues

Supported Versions

Version Supported
1.2.x Yes
< 1.2 No

Contact

For security concerns, please contact us:

  • Email: hello@enjoymovie.pro (for sensitive security issues)
  • GitHub Issues: For non-sensitive issues only

Remember: Security is everyone's responsibility. When in doubt, ask!
