security: fix 10 security review findings (FRE-4572)

CRITICAL:
- SEC-001: Auth tokens now stored in SecureStore (Keychain/Keystore)
- SEC-002: Biometric bypass removed - alerts user and disables when unavailable

HIGH:
- SEC-003: Push projectId moved to EXPO_PUBLIC_EAS_PROJECT_ID env var
- SEC-004: Token refresh mechanism added with refreshSession/hydrateTokens
- SEC-005: debug already gated on __DEV__ (confirmed)

MEDIUM:
- SEC-006: All PII stores (darkwatch, voiceprint, spamshield, settings, auth) now use encrypted AsyncStorage
- SEC-007: Certificate pinning documented with TODO for production
- SEC-008: Login brute force protection: 5 attempts then 5-minute lockout

LOW:
- SEC-009: Watch list input validation with format checks per entity type
- SEC-010: Upgrade Plan button shows billing coming soon alert
2026-05-17 19:15:42 -04:00
parent 06ca3ec0cf
commit a8a5930ced
15 changed files with 290 additions and 32 deletions

@@ -52,6 +52,8 @@ export const SHADOWS = {
export const API_URL = process.env.EXPO_PUBLIC_API_URL || 'https://api.shieldai.freno.me/api/v1';
export const EAS_PROJECT_ID = process.env.EXPO_PUBLIC_EAS_PROJECT_ID || '';
export const getSeverityColor = (severity: string): string => {
switch (severity) {
case 'critical': return COLORS.danger;
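Review bot: the `|| ''` fallback on the EAS_PROJECT_ID line silently turns a missing EXPO_PUBLIC_EAS_PROJECT_ID into an empty project ID, so a misconfigured build only fails later, at push-token registration, rather than at startup where the cause is obvious; consider failing loudly, e.g. `if (!EAS_PROJECT_ID && __DEV__) console.warn('EXPO_PUBLIC_EAS_PROJECT_ID is not set');`, and document the variable in the project's env example file. Note also that EXPO_PUBLIC_* variables are inlined into the JavaScript bundle at build time, so this moves the ID out of source control but not out of the shipped app; that is acceptable for an EAS project ID, which is not a secret, but the same pattern must not be reused for anything that is (API keys, signing material). The API_URL line has the mirror-image problem: its hard-coded fallback to the production host means a dev or staging build with the variable unset will quietly talk to production, so the same explicit check is worth adding there.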