
Security: coderguy787/FreeTime


SECURITY.md

Security Architecture

FreeTime uses a defense-in-depth model. This document describes the design principles at a high level.

End-to-End Media Encryption

Sender                         Server                         Receiver
   │                              │                              │
   ├─ Generate per-file key       │                              │
   ├─ Encrypt media locally       │                              │
   ├─ Send encrypted_file + ─────►│── Blind storage ────────────►│
   │  encrypted_key               │                              │
   │                              ├─ Store (no plaintext)        │
   │                              ├─ Forward to recipient        │

  • Per-file random encryption keys (AES-256-GCM)
  • Server never has access to plaintext media
  • Unique IV per encryption operation
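The flow in the diagram, written out as an added Go example using only the standard library (this is illustration code, not the FreeTime app or server code). It assumes `recipientKey` is a 32-byte key the sender already shares with the recipient and wraps the per-file key with it; the page does not say how `encrypted_key` is actually produced, so that wrapping step is an assumption. What it shows: a fresh per-file key and a fresh nonce for every operation, a stored blob that contains no plaintext and no usable key, and GCM authentication rejecting any modification of the stored blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SealedMedia is the blob the sender uploads; the server stores and forwards it unchanged.
type SealedMedia struct {
	Nonce      []byte // unique IV for this media encryption (12 bytes)
	Ciphertext []byte // AES-256-GCM output: ciphertext followed by the 16-byte tag
	KeyNonce   []byte // unique IV used when wrapping the per-file key
	WrappedKey []byte // per-file key, encrypted so only the recipient can unwrap it
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce. A GCM nonce must
// never repeat under the same key, so one is drawn for every operation.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts and checks the GCM tag; any modification of ct makes it fail.
func open(key, nonce, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// SenderEncrypt runs entirely on the sender's device: draw a random 256-bit
// per-file key, encrypt the media with it, then wrap that key for the recipient.
// recipientKey is an assumed 32-byte key shared with the recipient out of band.
func SenderEncrypt(media, recipientKey []byte) (*SealedMedia, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(fileKey, media)
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := seal(recipientKey, fileKey)
	if err != nil {
		return nil, err
	}
	return &SealedMedia{Nonce: nonce, Ciphertext: ct, KeyNonce: keyNonce, WrappedKey: wrapped}, nil
}

// BlindStore models the server side: blobs by id, no key material anywhere.
type BlindStore map[string]*SealedMedia

// ReceiverDecrypt unwraps the per-file key with the recipient's key, then
// decrypts the media; a wrong key or a tampered blob fails authentication.
func ReceiverDecrypt(m *SealedMedia, recipientKey []byte) ([]byte, error) {
	fileKey, err := open(recipientKey, m.KeyNonce, m.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	return open(fileKey, m.Nonce, m.Ciphertext)
}

func main() {
	recipientKey := make([]byte, 32) // constructed stand-in for a key shared with the recipient
	if _, err := rand.Read(recipientKey); err != nil {
		panic(err)
	}
	media := []byte("constructed sample media: image bytes would go here")
	sealed, err := SenderEncrypt(media, recipientKey)
	if err != nil {
		panic(err)
	}
	server := BlindStore{"file-1": sealed} // the server stores the blob and forwards it as-is
	fmt.Println("server can see plaintext:", bytes.Contains(server["file-1"].Ciphertext, media))
	plain, err := ReceiverDecrypt(server["file-1"], recipientKey)
	fmt.Println("recipient recovers media:", err == nil && bytes.Equal(plain, media))
	server["file-1"].Ciphertext[0] ^= 1 // any change to the stored blob breaks the GCM tag
	_, err = ReceiverDecrypt(server["file-1"], recipientKey)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design point worth noticing is that the server's only job is to hold bytes it cannot interpret: the per-file key never leaves the sender in unwrapped form, and because GCM is authenticated, the recipient will detect a blob that was altered in storage or in transit rather than silently decrypting garbage.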

Local Storage Security

  • Android Keystore (hardware-backed on supported devices)
  • AES-256-GCM via Google Tink for authenticated encryption
  • Session tokens and credentials encrypted at rest

Network Security

  • TLS 1.3 for all API and WebSocket communication
  • JWT-based auth tokens with auto-refresh
  • Device tracking to prevent concurrent session abuse
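The token and device rules of the last two bullets, as an added Go example that is not the project's server code. The page does not state the JWT algorithm, the claim names, or what "device tracking" enforces, so this assumes HS256 with a server-side secret, a `did` claim carrying the device id, and a rule that one device holds a user's session at a time (a later login displaces the earlier one). TLS is not modelled here. The example shows signature verification before any claim is trusted, rejection of an unexpected `alg`, expiry, auto-refresh inside a window before expiry, and rejection of a still-valid token from a displaced device.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the access-token payload; "did" (an assumed claim name) binds the token to a device.
type Claims struct {
	Sub      string `json:"sub"`
	DeviceID string `json:"did"`
	Exp      int64  `json:"exp"`
}

var ErrInvalid = errors.New("token signature or format invalid")
var ErrExpired = errors.New("token expired")
var ErrDevice = errors.New("session is held by another device")

// Auth issues and checks HS256 tokens and records which device holds each user's session.
type Auth struct {
	secret        []byte
	ttl           time.Duration
	refreshWindow time.Duration     // auto-refresh once less than this remains
	activeDevice  map[string]string // user -> device that most recently logged in
}

func NewAuth(secret []byte, ttl, refreshWindow time.Duration) *Auth {
	return &Auth{secret: secret, ttl: ttl, refreshWindow: refreshWindow, activeDevice: map[string]string{}}
}

func (a *Auth) sign(c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, a.secret)
	mac.Write([]byte(signing))
	return signing + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Login records dev as the user's active device and issues a token bound to it (assumed rule).
func (a *Auth) Login(user, dev string, now time.Time) string {
	a.activeDevice[user] = dev
	return a.sign(Claims{Sub: user, DeviceID: dev, Exp: now.Add(a.ttl).Unix()})
}

// Verify checks the signature before trusting any claim, then expiry, then the device binding.
func (a *Auth) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalid
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, ErrInvalid // only the algorithm we issue is accepted, so "alg":"none" is rejected
	}
	mac := hmac.New(sha256.New, a.secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, ErrInvalid
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, ErrInvalid
	}
	if now.Unix() >= c.Exp {
		return nil, ErrExpired
	}
	if a.activeDevice[c.Sub] != c.DeviceID {
		return nil, ErrDevice
	}
	return &c, nil
}

// Refresh implements auto-refresh: a valid token inside the refresh window is swapped for a fresh one.
func (a *Auth) Refresh(token string, now time.Time) (next string, renewed bool, err error) {
	c, err := a.Verify(token, now)
	if err != nil {
		return "", false, err
	}
	if time.Unix(c.Exp, 0).Sub(now) > a.refreshWindow {
		return token, false, nil // plenty of life left; keep using it
	}
	return a.sign(Claims{Sub: c.Sub, DeviceID: c.DeviceID, Exp: now.Add(a.ttl).Unix()}), true, nil
}

func main() {
	auth := NewAuth([]byte("constructed-demo-secret"), 15*time.Minute, 5*time.Minute)
	now := time.Now()
	next, renewed, _ := auth.Refresh(auth.Login("alice", "phone-A", now), now.Add(12*time.Minute))
	auth.Login("alice", "phone-B", now.Add(13*time.Minute)) // a second device takes over the session
	_, err := auth.Verify(next, now.Add(14*time.Minute))
	fmt.Println("renewed:", renewed, "displaced device rejected:", errors.Is(err, ErrDevice))
}
```

Two details matter for the "concurrent session abuse" bullet: the device check happens server-side against state the client cannot edit (the `activeDevice` map), not against anything inside the token, and a refreshed token inherits the device binding rather than clearing it, so refresh cannot be used to escape the check.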

Open Source Sanitization

Note: The server code included in this repository (master-server/ and peer/) has been sanitized for public release. All production domain names, IP addresses, and credentials have been replaced with CHANGE_ME placeholders or generic values (YOUR_DOMAIN.com, YOUR_SERVER_IP). The peer-to-master authentication domain and API keys are intentionally censored — configure your own in config/.env when self-hosting.

What Was Omitted

  • Production server domain names and IP addresses
  • Real JWT secrets, API keys, and passwords
  • Peer-to-master authentication challenge-response details
  • SSL/TLS private keys and certificate paths tied to production infrastructure
  • Firebase service account credentials

All omitted values are replaced with clearly marked placeholders in configuration files.
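A self-hosted deployment should refuse to start while any of those placeholders is still in place. The following is an added Go example, not part of this repository, of a startup guard that scans `config/.env` text for the sentinel values named above. The `.env` key names in the sample are constructed for the example; the page does not list the real ones.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Sentinel values the sanitized configs ship with, as named in SECURITY.md.
var placeholders = []string{"CHANGE_ME", "YOUR_DOMAIN.com", "YOUR_SERVER_IP"}

// FindPlaceholders scans .env text (KEY=VALUE lines, '#' comments, optional
// quotes around values) and returns the keys whose values still contain a
// sentinel, including values where it is embedded in a URL.
func FindPlaceholders(env string) []string {
	var unset []string
	sc := bufio.NewScanner(strings.NewReader(env))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		val = strings.Trim(strings.TrimSpace(val), `"'`)
		for _, p := range placeholders {
			if strings.Contains(val, p) {
				unset = append(unset, strings.TrimSpace(key))
				break
			}
		}
	}
	return unset
}

// sampleEnv is a constructed example; these key names are not the project's own.
const sampleEnv = `# constructed sample config/.env
MASTER_DOMAIN=YOUR_DOMAIN.com
PEER_IP="YOUR_SERVER_IP"
JWT_SECRET=CHANGE_ME
LISTEN_PORT=8443
`

func main() {
	if missing := FindPlaceholders(sampleEnv); len(missing) > 0 {
		fmt.Println("refusing to start; placeholders still set for:", strings.Join(missing, ", "))
		return
	}
	fmt.Println("config ok")
}
```

Run this before the server binds its listener so that a copy of the sanitized repository cannot come up with a known JWT secret or point at the placeholder domain.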

There aren't any published security advisories