Privacy & Security

Device Security

Your phone is the weakest link. Here is what to do about it.

Device Security

The apps protect your data in transit. They cannot protect your data from someone who has your unlocked phone. Your device is your responsibility.

This page is not optional reading. It is the foundation everything else rests on.

Lock your phone

Use a PIN. Not a pattern — patterns are visible from across a room. Not a fingerprint or face unlock as your only method — those can be compelled. A PIN you memorize that you have not shared with anyone.

Make the PIN at least 6 digits. 8 is better. Avoid birthdates and years.

Set your screen to lock after 30 seconds of inactivity. Go to Settings → Security → Screen Lock. Do it now if you have not.

Keep your phone updated

Go to Settings → System → Software Update. Install every update. Do not postpone security patches.

An outdated phone has known vulnerabilities. Known vulnerabilities have public exploit code. This is not hypothetical.

Be careful what else is on your phone

Every app you install is potential access to your data. Apps with contact list access, accessibility service access, or notification access can read and exfiltrate data from other apps.

If an app asks for permissions it does not need, deny them or remove the app. A flashlight app does not need access to your contacts.

Do not use public or shared Wi-Fi for sensitive operations

If you are sending invitations or syncing family data, do it on your own connection. Public Wi-Fi is observable by the network operator. The encryption in these apps protects the content, but the fact that you are connecting to a specific address can still be seen.

Mobile data is preferable to public Wi-Fi for sensitive operations.

What to do if your phone is lost or stolen

Tell your family immediately. Generate new invitations to any family cell you were part of. You cannot revoke the old invitations — they have already been claimed. But you can:

  1. Have a family member (the tree maintainer) remove your device's access from the cell.
  2. Reinstall the app on a new device and rejoin via fresh invitation.

The tree data on the lost phone is encrypted at rest if you have Android's full-disk or file-based encryption enabled. Check this in Settings → Security → Encryption. On modern Android phones, this is on by default.

A note on duress

If you are physically pressured to unlock your phone or show your family tree, your safety comes first. No app feature is worth your physical safety.

If this is a realistic concern for you — not hypothetical, but realistic — think about what is in your tree before you put it there. Information that exists cannot be hidden under pressure. Information that was never entered cannot be forced out.

This is not a failure of the app. It is the nature of physical security. The app protects against remote threats. Local, physical threats require local, physical responses.