We currently support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
We take the security of React Native Facial Recognition seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please send an email to security@example.com with the following information:
- Type of issue (e.g. insecure storage of face data, recognition or permission bypass, memory corruption in native code, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
After you report, you can expect the following:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours.
- Updates: We will send you regular updates about our progress every 7 days until the issue is resolved.
- Timeline: We aim to resolve critical vulnerabilities within 90 days of the initial report.
- Credit: If you would like, we will publicly acknowledge your responsible disclosure.
This application handles sensitive biometric data. We implement the following security measures:
- Local-Only: All face data is stored locally on the device using AsyncStorage. Note that AsyncStorage writes values unencrypted to the device filesystem, so its contents are readable by anyone with filesystem access to the device or to its backups
- No Cloud Transmission: Face embeddings never leave the device
- Mathematical Representation: We store mathematical embeddings, not face images. Embeddings are still biometric identifiers: they can be matched against a person, and partial reconstruction of facial features from an embedding is possible with access to the model, so they must be protected like any other biometric data
- Encryption: Because AsyncStorage does not encrypt at rest, stored embeddings should be encrypted before they are written, with the key held in the platform keystore (iOS Keychain / Android Keystore) rather than alongside the data
- On-Device Only: All AI processing happens locally using ONNX Runtime
- Memory Management: Tensors and temporary buffers (including camera frames) are cleaned up after inference so raw face data does not linger in memory
- No Network Requests: No external API calls for face recognition functionality
- Minimal Permissions: Only requests camera access, and only when needed
- User Consent: Clear permission descriptions and usage explanations
- Graceful Degradation: When camera permission is denied, recognition is disabled and the rest of the app keeps working rather than crashing
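The Encryption item above is the one measure a deployment still has to supply itself. The following is an added example, not code from this project: it seals an embedding with AES-256-GCM before it reaches the AsyncStorage-shaped store and binds the blob to the user it belongs to, so a copied or edited blob fails closed. Node's `crypto` module stands in for whichever crypto library the app bundles, `MemoryStore` is an in-memory stand-in for AsyncStorage so the sample runs offline, and `demoKey` stands in for a key that a real app would load from the Keychain/Keystore through something like a hypothetical `loadKeyFromSecureStore()`.

```typescript
// Added example (not project code): encrypt face embeddings before they reach
// AsyncStorage, which stores values in plaintext. AES-256-GCM via Node's "crypto"
// module stands in for the app's own crypto library; the key must come from the
// platform keystore (iOS Keychain / Android Keystore), never from AsyncStorage.
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

const IV_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag
const FORMAT = "face-embedding:v1"; // bound into the AAD so other formats fail closed

// Minimal shape of AsyncStorage that the helpers below depend on.
export interface KeyValueStore {
  getItem(key: string): Promise<string | null>;
  setItem(key: string, value: string): Promise<void>;
}

// In-memory stand-in for AsyncStorage so the example runs offline (constructed).
export class MemoryStore implements KeyValueStore {
  private map = new Map<string, string>();
  async getItem(key: string): Promise<string | null> { return this.map.get(key) ?? null; }
  async setItem(key: string, value: string): Promise<void> { this.map.set(key, value); }
  raw(key: string): string | undefined { return this.map.get(key); } // what would hit disk
}

// Serialise a Float32Array embedding and seal it as iv || tag || ciphertext (base64).
// userId is authenticated data, so a blob moved under another user's key will not open.
export function encryptEmbedding(key: Buffer, userId: string, embedding: Float32Array): string {
  if (key.length !== 32) throw new Error("AES-256-GCM needs a 32-byte key");
  const iv = randomBytes(IV_LEN); // fresh nonce per write; never reuse with the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(`${FORMAT}:${userId}`));
  const plain = Buffer.from(new Uint8Array(embedding.buffer, embedding.byteOffset, embedding.byteLength));
  const ct = Buffer.concat([cipher.update(plain), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Reverse of encryptEmbedding. Throws on any tampering, wrong key or wrong userId.
export function decryptEmbedding(key: Buffer, userId: string, blob: string): Float32Array {
  const buf = Buffer.from(blob, "base64");
  if (buf.length < IV_LEN + TAG_LEN) throw new Error("blob too short");
  const iv = buf.subarray(0, IV_LEN);
  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = buf.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(Buffer.from(`${FORMAT}:${userId}`));
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(ct), decipher.final()]); // final() throws on tag mismatch
  if (plain.length % 4 !== 0) throw new Error("corrupt embedding length");
  const out = new Float32Array(plain.length / 4);
  new Uint8Array(out.buffer).set(plain); // copy so alignment never depends on Buffer's pool offset
  return out;
}

// Persist/load through the AsyncStorage-shaped store; only ciphertext ever reaches it.
export async function saveEmbedding(store: KeyValueStore, key: Buffer, userId: string, emb: Float32Array): Promise<void> {
  await store.setItem(`face:${userId}`, encryptEmbedding(key, userId, emb));
}

export async function loadEmbedding(store: KeyValueStore, key: Buffer, userId: string): Promise<Float32Array | null> {
  const blob = await store.getItem(`face:${userId}`);
  return blob === null ? null : decryptEmbedding(key, userId, blob);
}

// Helper for the tamper check: flip one ciphertext byte in a stored blob.
export function corruptBlob(blob: string): string {
  const buf = Buffer.from(blob, "base64");
  buf[buf.length - 1] ^= 0x01;
  return buf.toString("base64");
}

// Demo key: in the app, load this from Keychain/Keystore (hypothetical loadKeyFromSecureStore()).
export const demoKey: Buffer = randomBytes(32);
// Constructed sample embedding (real models emit 128- or 512-dimensional vectors).
export const sampleEmbedding = Float32Array.from([0.12, -0.5, 0.33, 0.9, -0.01, 0.77, 0.25, -0.66]);
```

With AsyncStorage the calls are the same `await store.setItem(...)` / `await store.getItem(...)`; the only change is swapping `MemoryStore` for the real module. The user id in the AAD is what stops an attacker with filesystem access from copying one enrolled user's blob over another's.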
When using this application or contributing to it:
- Device Security: Use device lock screen protection (PIN, pattern, biometric)
- App Permissions: Review and understand app permissions before granting
- Regular Updates: Keep the app updated to receive security patches
- Physical Security: Protect your device from unauthorized physical access
- Code Review: All code changes should be reviewed for security implications
- Dependency Updates: Regularly update dependencies to patch security vulnerabilities
- Input Validation: Validate all user inputs and external data
- Error Handling: Avoid exposing sensitive information in error messages
- Secure Coding: Follow secure coding practices for React Native and TypeScript
Known limitations:
- Device Compromise: On a rooted or jailbroken device, or one an attacker can image, stored face data may be accessible
- Presentation Attacks: Face recognition can be bypassed with printed photos or replayed videos in some cases, since the current version has no liveness detection
- Model Attacks: Adversarial inputs crafted against the embedding model can cause false matches or false rejections
- Additional Authentication: Combine face recognition with a PIN/password for critical operations rather than relying on it alone
- Liveness Detection: Future versions may include anti-spoofing measures
- Regular Security Audits: Periodic security reviews and updates
Security updates will be released as patch versions and communicated through:
- GitHub Releases: All security updates will be documented in release notes
- Security Advisories: Critical vulnerabilities will have dedicated advisories
- Changelog: Security fixes will be clearly marked in CHANGELOG.md
This application is designed with privacy as a core principle:
- No Personal Data Collection: We, the maintainers, do not collect, receive, or transmit personal data; the only personal data the app handles is the face embeddings it stores on your own device
- Local Processing: All face recognition processing happens on your device
- No Analytics: No usage analytics or telemetry data is collected
- No Third-Party Services: No external services are used for core functionality
- Zero Data Sharing: No face data or personal information is shared with third parties
- Open Source: All code is open source and auditable
- Transparent Processing: All data processing logic is visible in the source code
For security-related questions or concerns, please contact:
- Security Email: security@example.com
- General Issues: GitHub Issues (for non-security bugs and questions only; never post vulnerability details there)
- Maintainer: @maateusx
Last Updated: July 30, 2024