Audits & reproducible builds

“Don’t trust — verify.” Because Aperture is open source, anyone can confirm that the app you download is built from the exact code you can read.

Reproducible builds

A reproducible build means the public source compiles to the very same binary that ships on the App Store. Anyone can rebuild Aperture in a clean environment and confirm, byte-for-byte, that nothing was added between the code and the app you install.

  • Deterministic output. Same source plus the same pinned toolchain produces an identical binary.
  • No hidden additions. Rules out backdoors slipped in at build time.
  • Independently checkable. You don’t need our permission or our word — only the public source.

How to reproduce the build

  • Clone the repository from GitHub at the released tag.
  • Build with the pinned toolchain described in project.yml and the repo’s build docs.
  • Compare the resulting binary against the App Store release.
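The comparison step above, as an added example that is not part of the Aperture project or its build docs: a small POSIX shell helper that hashes a locally rebuilt executable and a reference copy, declares a match only when the SHA-256 digests agree, and otherwise reports the first differing byte offset so you can see where the two builds diverge. It assumes `sha256sum` (or `shasum`) and `cmp` are installed, and that both inputs are the bare executables with code signatures stripped, since a signature embeds signer-specific data that will never reproduce. The demo input files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not Aperture's own tooling): byte-for-byte comparison of a
# local rebuild against a reference binary, as used to verify a reproducible
# build. Assumes sha256sum or shasum, plus cmp, are on PATH.

# file_sha256 FILE -> prints the hex SHA-256 digest of FILE
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_build LOCAL REFERENCE
# Exit status: 0 = identical, 1 = differ (first differing offset is printed),
#              2 = an input file is missing.
verify_build() {
  local_bin="$1"
  ref_bin="$2"
  if [ ! -f "$local_bin" ] || [ ! -f "$ref_bin" ]; then
    echo "verify_build: missing input file" >&2
    return 2
  fi

  local_sum=$(file_sha256 "$local_bin")
  ref_sum=$(file_sha256 "$ref_bin")
  echo "local:     $local_sum"
  echo "reference: $ref_sum"

  if [ "$local_sum" = "$ref_sum" ]; then
    echo "MATCH: rebuild is byte-for-byte identical to the reference"
    return 0
  fi

  # cmp reports the first differing byte (1-based offset) on stdout
  cmp "$local_bin" "$ref_bin" 2>/dev/null | head -n 1
  echo "MISMATCH: rebuild differs from reference"
  return 1
}

# demo: constructed sample files standing in for a real rebuild and reference
demo() {
  d=$(mktemp -d)
  printf 'constructed-binary-v1' > "$d/rebuilt"
  printf 'constructed-binary-v1' > "$d/reference"
  printf 'constructed-binary-v2' > "$d/tampered"
  verify_build "$d/rebuilt" "$d/reference" || true
  verify_build "$d/rebuilt" "$d/tampered" || true
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it as `sh verify_build.sh --demo` to see one matching and one mismatching comparison; in practice, call `verify_build` with your freshly built executable and the reference copy, and treat any non-zero exit as a build that could not be reproduced.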

View source on GitHub →

Security reviews

Aperture’s security comes from open review: the full source is public, the key-handling code is small and auditable, and the bug bounty rewards anyone who finds a real issue. As formal third-party audit reports are completed, they’ll be published here with their scope, date, and findings.

Threat model

  • Server compromise. There are no servers holding keys, so there’s nothing to steal.
  • Malicious updates. Reproducible builds plus open source make any tampering visible.
  • Phishing & drainers. No in-app browser or swap to abuse; approvals are revocable.
  • Device theft. Secrets are encrypted and gated behind Face ID or your passcode.

Responsible disclosure

Report vulnerabilities to care@aperturex.io. Rewards apply under the bug bounty; please allow time to fix before public disclosure.