
How does the Security Dashboard process your application data and protect your privacy?

Written by Support Bubble
Updated this week

We take privacy very seriously and follow practices to ensure the security of user data. All user data is encrypted in transit and at rest, and all user interactions with the system are protected by authentication protocols. Additionally, the Security Dashboard maintains rigorous internal policies and procedures to ensure that user data remains private and secure.

To do so, we:

  • Mainly use and collect publicly accessible data to perform security tests. This is done by fetching the public JSON application file of your app, which only contains information on its structure.

  • Never access, fetch or copy any data from your app's database. You can also remove the Security Dashboard's access to the database.

  • Require all app owners to verify their ownership, making it impossible to use the Security Dashboard for identifying vulnerabilities on other apps.

  • Avoid using customer data for security tests whenever possible. In most cases, we only use the JSON application file to review items. For example, when reviewing whether a database field is sensitive, we first assess it based on its field name and context.

  • Never store customer data on our server; it is deleted immediately upon check.

How does the Security Dashboard work?

Scraping public data

Our main method for analyzing your application is scraping the public App JSON Object on all your pages. This is basically how the tool works:

  1. First API call to get all the pages of your application

  2. Fetch the JSON Object of each page

  3. Analyze the public content of each page

  4. Analyze the public global properties of your app

This allows for extraction of all the front-end data (that is public and viewable by everyone) as a JSON object that we pass to our algorithm. Once your data is inside our back end, we will analyze it and look for security vulnerabilities on every single page of your app.
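The structure-only review described above (judging a field by its name and context, without reading any database records) can be sketched as follows. This is an added example, not the Security Dashboard's own code; the JSON layout, its key names (`types`, `fields`, `public_read`, `pages`, `references`) and the keyword list are constructed assumptions.

```python
import json
import re

# Constructed sample of a structure-only app description (no records).
# The layout and key names are hypothetical, not the real App JSON format.
SAMPLE_APP_JSON = json.loads("""
{
  "types": {
    "user":    {"fields": {"email": "text", "password_reset_token": "text",
                           "display_name": "text"}, "public_read": true},
    "invoice": {"fields": {"iban": "text", "amount": "number"}, "public_read": false},
    "post":    {"fields": {"title": "text", "body": "text", "author_ssn": "text"},
                "public_read": true}
  },
  "pages": {
    "index":   {"references": ["post.title", "post.body"]},
    "profile": {"references": ["user.display_name", "user.email"]}
  }
}
""")

# Assumed keyword heuristic: match whole underscore-delimited words only,
# so "email" matches but "emailed" does not.
SENSITIVE = re.compile(
    r"(?:^|_)(password|token|secret|ssn|iban|email|phone|api_key|dob)(?:_|$)", re.I)
ORDER = {"high": 0, "medium": 1, "low": 2}

def review_fields(app):
    """Flag sensitive-looking field names and rank them by exposure context."""
    # Map "type.field" -> pages whose public content references it.
    referenced = {}
    for page, spec in app.get("pages", {}).items():
        for ref in spec.get("references", []):
            referenced.setdefault(ref, []).append(page)
    findings = []
    for tname, tspec in app.get("types", {}).items():
        public = bool(tspec.get("public_read"))
        for fname in tspec.get("fields", {}):
            match = SENSITIVE.search(fname)
            if not match:
                continue
            key = f"{tname}.{fname}"
            pages = sorted(referenced.get(key, []))
            # Context: publicly readable and shown on a page is worst;
            # publicly readable is next; private types are informational.
            severity = "high" if public and pages else "medium" if public else "low"
            findings.append({"field": key, "keyword": match.group(1).lower(),
                             "severity": severity, "pages": pages})
    return sorted(findings, key=lambda f: (ORDER[f["severity"]], f["field"]))
```

Only field names and structural flags are inspected, so the review produces findings without any stored values being read.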

