| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of ZakApp and our users' data very seriously. If you discover a security vulnerability, please report it to us immediately.
DO NOT create a public GitHub issue for security vulnerabilities.
Please email us at security@zakapp.org or reach out to the maintainers directly.
Client-Side (Zero-Knowledge):
- ✅ Payment recipient names (e.g., "Masjid Al-Noor")
- ✅ Payment notes (sensitive details)
- ✅ Receipt references
Server-Side (For Functionality):
- ⚠️ Payment amounts (needed for calculations, encrypted at rest)
- ⚠️ Payment dates (needed for filtering)
- ⚠️ User profile metadata
| Threat | Protection Level | Details |
|---|---|---|
| Database breach | ✅ PROTECTED | Encrypted blobs are useless without user password |
| Malicious server admin | ✅ PROTECTED | Cannot decrypt payment recipients/notes |
| Government data request | ✅ PROTECTED | Server cannot provide plaintext of sensitive fields |
| Network eavesdropping | ✅ PROTECTED | HTTPS (TLS 1.3) + client-side encryption |
| Lost password | ❌ NOT PROTECTED | Data is unrecoverable by design |
| Client-side malware | ❌ NOT PROTECTED | If the device is compromised, encryption won't help |
Encryption:
- Algorithm: AES-256-GCM
- Key derivation: PBKDF2 (SHA-256, 600,000 iterations)
- IV: 96-bit random (crypto.getRandomValues)
- Format: `ZK1:<iv_base64>:<ciphertext_base64>`
Key Management:
- User password → PBKDF2 → Encryption key
- Key stored in memory only (never localStorage)
- Key cleared on logout
- Server never sees password or derived key
Existing users have data encrypted with server-side keys. ZakApp provides an optional migration wizard to upgrade historical data to zero-knowledge format.
Migration Process:
- Server decrypts legacy data ONE LAST TIME
- Client re-encrypts with user's password (ZK1 format)
- Server stores new encrypted blobs
- Server forgets ability to decrypt
Important: Migration is one-way. After upgrading, a lost password means the data is lost.
See Migration Guide for details.
As outlined in our Constitution, we adhere to a Privacy & Security First principle:
- Zero-Trust Model: We assume no network is safe.
- Encryption: All sensitive financial data is encrypted client-side using AES-GCM (256-bit) before synchronization.
- Zero-Knowledge: Encryption keys are derived from your password and never leave your device.
- No Third-Party Sharing: User data is never transmitted to third parties except for the optional self-hosted sync relay.
- Self-Hostable: Users have full control over their infrastructure and can run without any cloud dependency.
Response Process:
- Triage: We will acknowledge your report within 48 hours.
- Investigation: We will investigate the issue and determine its impact.
- Fix: We will develop a patch and verify it.
- Disclosure: Once the patch is released, we will disclose the vulnerability and credit the reporter (if desired).