Audits & reproducible builds
“Don’t trust — verify.” Because Aperture is open source, anyone can confirm that the app you download is built from the exact code you can read.
Reproducible builds
A reproducible build means the public source compiles to the very same binary that ships on the App Store. Anyone can rebuild Aperture in a clean environment and confirm, byte-for-byte, that nothing was added between the code and the app you install.
- Deterministic output. Same source plus the same pinned toolchain produces an identical binary.
- No hidden additions. Rules out backdoors slipped in at build time.
- Independently checkable. You don’t need our permission or our word — only the public source.
How to reproduce the build
- Clone the repository from GitHub at the released tag.
- Build with the pinned toolchain described in project.yml and the repo’s build docs.
- Compare the resulting binary against the App Store release.
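A verification script for the comparison step above, added here as an example and not Aperture’s own tooling: it takes the rebuilt binary and the shipped one as bytes (obtaining the shipped artifact in comparable form is left to the repo’s build docs), optionally the published SHA-256 of the shipped file, and reports not only pass or fail but where the bytes diverge, since a failed reproduction almost always traces back to one non-deterministic input that then has to be located. The sample artifacts are constructed.

```python
import hashlib
from typing import List, Optional, Tuple

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact, the form release checksums are usually published in."""
    return hashlib.sha256(data).hexdigest()

def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where two artifacts diverge; a length
    mismatch becomes one trailing range, merged with any difference open at the end."""
    ranges, start = [], None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if len(a) != len(b):
        ranges.append((n if start is None else start, max(len(a), len(b))))
    elif start is not None:
        ranges.append((start, n))
    return ranges

def compare_builds(rebuilt: bytes, reference: bytes,
                   published_sha256: Optional[str] = None) -> dict:
    """Check a locally rebuilt artifact against the shipped one. The report gives the
    byte-for-byte verdict, whether the shipped file matches the published checksum
    (so you know you compared the right file), and where the bytes diverge, which is
    what you need to trace a non-deterministic input (timestamp, path, UUID)."""
    ref_digest = sha256_hex(reference)
    return {
        "match": rebuilt == reference,
        "rebuilt_sha256": sha256_hex(rebuilt),
        "reference_sha256": ref_digest,
        "reference_matches_published": (
            None if published_sha256 is None else published_sha256.lower() == ref_digest),
        "differing_ranges": differing_ranges(rebuilt, reference),
    }

if __name__ == "__main__":
    # Constructed sample artifacts (not real Aperture binaries): same code, different build timestamp.
    reference = b"APERTURE\x00code-segment\x00built=2024-01-01T00:00:00Z\x00"
    rebuilt = b"APERTURE\x00code-segment\x00built=2024-01-02T12:34:56Z\x00"
    report = compare_builds(rebuilt, reference, sha256_hex(reference))
    print("byte-for-byte match:", report["match"])
    for lo, hi in report["differing_ranges"]:
        print(f"  [{lo}:{hi}) rebuilt={rebuilt[lo:hi]!r} shipped={reference[lo:hi]!r}")
```

For a real run, read both files in binary mode and pass the checksum from the release notes; a clean reproduction is an empty list of differing ranges and a matching published checksum.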
Security reviews
Aperture’s security comes from open review: the full source is public, the key-handling code is small and auditable, and the bug bounty rewards anyone who finds a real issue. As formal third-party audit reports are completed, they’ll be published here with their scope, date, and findings.
Threat model
- Server compromise. There are no servers holding keys, so there’s nothing to steal.
- Malicious updates. Reproducible builds plus open source make any tampering visible.
- Phishing & drainers. No in-app browser or swap to abuse; approvals are revocable.
- Device theft. Secrets are encrypted and gated behind Face ID or your passcode.
Responsible disclosure
Report vulnerabilities to care@aperturex.io. Rewards apply under the bug bounty; please allow time to fix before public disclosure.