Security: humanjesse/SwipeLabel

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version Supported
1.8.x
< 1.8

Reporting a Vulnerability

We take the security of SwipeLabel seriously. If you believe you have found a security vulnerability, please report it to us responsibly.

Please Do NOT:

  • Open a public GitHub issue for security vulnerabilities
  • Disclose the vulnerability publicly before it has been addressed

Please DO:

  1. Email us directly at the contact information in the GitHub repository profile
  2. Provide details including:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if you have one)
  3. Allow time for a fix - We aim to respond within 48 hours and patch critical issues within 7 days

What to Expect:

  • Acknowledgment within 48 hours of your report
  • Regular updates on our progress addressing the issue
  • Credit in release notes (if desired) once the vulnerability is patched
  • Coordinated disclosure - We'll work with you on timing of public disclosure

Security Best Practices for Users

Data Privacy

  • SwipeLabel stores all data locally on your device
  • No data is uploaded to external servers except:
    • Optional crash reports (Firebase Crashlytics - can be disabled in Settings)
    • Images loaded from URLs you provide (standard HTTP requests)

Firebase Configuration

  • Never commit your google-services.json file to public repositories
  • Use Firebase security rules to restrict access to your project
  • Rotate Firebase credentials if accidentally exposed

APK Signing

  • Official releases are signed with our release key
  • Verify APK signatures before installing from third-party sources
  • SHA-1 fingerprint available in release notes
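
Added example, not part of the SwipeLabel project: a POSIX shell check that runs apksigner (from the Android SDK build-tools, assumed to be on PATH) and compares the signer certificate's SHA-1 digest with the fingerprint published in the release notes. The EXPECTED_SHA1 value and the sample apksigner output below are constructed placeholders, not SwipeLabel's real release key.

```shell
#!/bin/sh
# Added example (not SwipeLabel project code). Verifies an APK's signature
# with apksigner (Android SDK build-tools, assumed on PATH) and checks that
# the signer certificate's SHA-1 digest equals the fingerprint from the
# release notes. EXPECTED_SHA1 is a constructed placeholder.

EXPECTED_SHA1="01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"

# Normalise a fingerprint for comparison: drop colons/spaces and lower-case,
# so keytool-style "AB:CD:.." and apksigner-style "abcd.." compare equal.
norm_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
}

# Read `apksigner verify --verbose --print-certs` output from stdin.
# Returns 0 only if the APK verified AND the first signer's SHA-1 matches.
check_apksigner_output() {
  expected=$(norm_fp "$1")
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^Verifies$' || return 1
  actual=$(printf '%s\n' "$out" \
    | sed -n 's/^Signer #1 certificate SHA-1 digest: *//p' | head -n 1)
  [ -n "$actual" ] || return 1
  [ "$(norm_fp "$actual")" = "$expected" ]
}

# Real use: verify_apk path/to/app.apk  (exit 0 = signature valid and trusted).
verify_apk() {
  out=$(apksigner verify --verbose --print-certs "$1" 2>&1) || return 1
  printf '%s\n' "$out" | check_apksigner_output "$EXPECTED_SHA1"
}

# Constructed sample of apksigner output so the check can be exercised offline.
SAMPLE_OK='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Example Release, O=Example
Signer #1 certificate SHA-256 digest: (placeholder)
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: (placeholder)'

if [ $# -eq 1 ]; then
  verify_apk "$1" && echo "signer matches release fingerprint" \
    || { echo "APK did not verify or signer differs from release key" >&2; exit 1; }
fi
```

A mismatch on the fingerprint alone (with "Verifies" still printed) means a validly signed APK from a different key, which is exactly the repackaged-build case the check is meant to catch.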

Known Security Considerations

Local Data Storage

  • Data is stored unencrypted in app-private storage (/data/data/com.textarttools.swipelabel/)
  • Device encryption (enabled by default on Android 10+) provides at-rest protection
  • Uninstalling the app permanently deletes all local data

Network Requests

  • Image loading uses HTTPS when possible (depends on URLs in your JSON data)
  • No authentication tokens or credentials are transmitted
  • Network activity limited to image loading and optional crash reporting

Permissions

  • INTERNET - Required for loading images from URLs and Firebase Crashlytics
  • READ_EXTERNAL_STORAGE - Required to select JSON files (Android 12 and below)
  • WRITE_EXTERNAL_STORAGE - Required to export CSV files (Android 9 and below)

Third-Party Dependencies

We use the following security-sensitive libraries:

  • Firebase Crashlytics - Crash reporting (user-controllable, GDPR-compliant)
  • OkHttp/Coil - Image loading with standard TLS/HTTPS support
  • Room Database - Local SQLite storage (no network access)

All dependencies are regularly updated to patch known vulnerabilities.

Vulnerability Disclosure Timeline

Once a security vulnerability is reported:

  1. Day 0: Acknowledgment sent to reporter
  2. Day 1-3: Vulnerability assessed and fix developed
  3. Day 4-7: Fix tested and released
  4. Day 7+: Public disclosure coordinated with reporter

Critical vulnerabilities may be fast-tracked with emergency releases.

Security Audit

Last security review: October 2025 (v1.8.2)

  • PII removed from crash logs
  • Firebase Analytics removed (eliminated AD_ID permission)
  • Privacy controls verified (GDPR-compliant opt-out)

Questions?

For security concerns, contact the maintainers through the GitHub repository.

For general privacy questions, see PRIVACY_POLICY.md.