XPENC is a money app that reads bank SMS on-device. Security and privacy are the whole trust story, so reports are taken seriously.
Only the latest release receives security fixes.
Please do not open a public issue for security problems.
Use GitHub's private vulnerability reporting instead:
- Go to the repository's Security tab
- Click Report a vulnerability
- Describe the issue, steps to reproduce, and impact
You should receive a response within a few days. Once fixed, the report will be credited (unless you prefer otherwise) in the release notes.
- XPENC has no server — there is no backend, API, or cloud component to test.
- In scope: anything that leaks message/transaction/balance data off the device,
corrupts the ledger, bypasses the on-device-only guarantee, or abuses the
READ_SMSpermission beyond its documented use (inbox scan on app open). - The APKs published on GitHub Releases are the only official builds. Verify
downloads against
SHA256SUMS.txtattached to each release.