hacked

Hacked? - have i been pwned? Android App

View the Project on GitHub doerfli/hacked

Privacy Policy

This page described how the Hacked? - have i been pwned? App handles privacy and what happens to the data you enter in the app.

General

The Hacked? - have i been pwned? app uses the service Have i been pwned as it sole data source. Have i been pwned publishes its own privacy policy at https://haveibeenpwned.com/Privacy

All data transmitted over the internet is sent over HTTPS connections.

When you save an email address in the app

Any email address entered in the app is stored within a local database on the device. The Android Sandbox makes sure that only the app can access this database. The list is not sent anywhere, except when searching for breached accounts.

When you search for a breached account

When you search for an email address in the app, it sends the address to the API of Have I Been Pwned via the hibp-proxy. The hibp-proxy is required to supplement the request with the access key required for accessing the Have i been pwned API. The hibp-proxy does not explicitly store the email address in any persistent data storage, it only forwards the request to the Have I Been Pwned API service and returns the response, which does not contain the email address anymore. The response is returned to the device through Firebase Cloud Messaging, a messaging solution provided by Google.

When you check your password

The pwned password function checks a user-provided password against a list of known breached passwords. The plain text password is not sent to any service what so ever. Instead, it is hashed on the device and only the first 5 characters of the hash are sent to the Have I Been Pwned API. This process is called k-Anonymity and more details are provided in this article. The request is sent directly to the Have I Been Pwned API and not through the hibp-proxy.

Logging

The app stores limited technical logs through the Android Log service. These logs are stored within the Android device and never sent to an external system.

If the app crashes, a crash report is sent to Crashlytics for analysis.

The app uses Firebase analytics to track some key events (like account added, password checked, breach acknowledged, …). In all cases no content data is sent to the analytics host, only the indication that the event happened is transmitted. This data is used to analyze how the app is being used.

The hibp-proxy stores only the bare minimum logs keep the service operational and combat malicious activity. This includes transient web server logs. These logs may include data entered by the user and in some cases, the user’s IP address.

Hosting

The app itself requires no hosting. The hibp-proxy service is hosted in Heroku’s Europe data center.

Source code

The source code for Hacked? - have i been pwned and the hibp-proxy can be found on their respective Github pages.