
Our security baseline, in public.

Mar 07, 2026

Most security docs are written for auditors. This one isn't. It's for the person about to install Nimbus8 and wondering what, exactly, the app is allowed to do on their phone.

The boundaries Apple gives you, and we use

iOS puts every app in a sandbox. Inside the sandbox: the app's own files, Keychain items it created, and whatever the system explicitly hands it (a photo the user picks, a file they drop). Outside the sandbox: everything else — other apps' data, the user's contacts, location, microphone, camera, the whole filesystem. You can't reach outside without asking, and the ask is audited and user-visible.

Nimbus8 lives inside its sandbox and stays there. We never ask for any permission we don't strictly need to make a feature work.

The entitlements we request (and why)

  • Network client access — required at all because the network off-switch is an in-app toggle, not an iOS permission: the entitlement has to be present even while networking is switched off. When the toggle is off, the client is unused.
  • Background processing — for Ashe's scheduled hands. Limited to the BGTaskScheduler windows iOS hands us; we do not abuse audio or VoIP exemptions.
  • Camera / Photo Library — only when you use Stratus or attach an image in Gale. Both are standard iOS permission prompts.
  • Microphone — only when you invoke Overture or use dictation. Standard prompt.

The entitlements we deliberately don't ask for

  • No contacts access. We don't need it.
  • No location. We never ask where you are.
  • No always-on motion/fitness. We don't build a profile.
  • No CarPlay / Handoff / SiriKit. Those are future work, and we'll ask specifically when we get there.
  • No push notifications by default. Ashe uses local notifications only. The only thing that ever notifies you is a hand that ran on your device.

Keychain is the trust anchor

Any secret the app holds — a GitHub token for Cirrus, an optional API key you've provided — lives in Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly. Translated: the secret is unreadable when the phone is locked, never syncs to iCloud, and is destroyed if the app is uninstalled. We don't store secrets in UserDefaults, in a plist, or in any file the OS would back up.
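What that protection class looks like in practice, as an added example rather than Nimbus8's own code: a minimal generic-password store that writes with kSecAttrAccessibleWhenUnlockedThisDeviceOnly and surfaces the locked-device error on read. The service name and error type are assumptions.

```swift
import Foundation
import Security

// Added example, not Nimbus8's code. Stores a secret so it is readable only
// while this device is unlocked and is never included in iCloud Keychain sync
// or restored onto another device.
enum KeychainStore {
    static let service = "com.example.keychain-demo"   // constructed placeholder

    /// Save (or replace) the secret for `account` under the unlocked-only,
    /// this-device-only protection class described in the post.
    static func save(_ secret: Data, account: String) throws {
        let query: [String: Any] = [
            kSecClass as String:       kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Delete any existing item first so SecItemAdd cannot fail with errSecDuplicateItem.
        _ = SecItemDelete(query as CFDictionary)

        var attrs = query
        attrs[kSecValueData as String] = secret
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
    }

    /// Read the secret back. Returns nil when no item exists. When the device
    /// is locked, the Keychain refuses with errSecInteractionNotAllowed, which
    /// is surfaced here as a thrown error rather than swallowed.
    static func load(account: String) throws -> Data? {
        let query: [String: Any] = [
            kSecClass as String:       kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String:  true,
            kSecMatchLimit as String:  kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:      return result as? Data
        case errSecItemNotFound: return nil
        default: throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
    }
}
```

Because the item is tagged ThisDeviceOnly it is omitted from encrypted backups and iCloud Keychain, so a restore onto a new phone yields errSecItemNotFound and the user re-enters the token.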

The network off-switch is the default

Nimbus8 ships with the network toggle off. Everything you can do with the included local models works with the toggle off. The toggle has to be explicitly flipped to enable: Hugging Face browsing, Cirrus pushing PRs, Mist's optional web search, and favicon fetching for URLs the app renders. We never re-enable it silently.

When the toggle is on, we still scope egress: per-feature allowlists mean that toggling on "Cirrus PR flow" does not permit the app to talk to any other host. Each feature's networking is its own pinhole.

What leaves the device

When the network toggle is on, and when you've invoked a feature that needs it, the following can go out:

  • A search query to your configured search provider (Mist).
  • A model identifier and version request to Hugging Face when you browse.
  • A PR body, patch, and base ref to api.github.com when you tap Open PR in Cirrus.
  • A URL when you tap a link in a rendered message and elect to fetch its favicon.

Nothing else. Not your prompts, not your chat history, not the model output, not "anonymous telemetry," not crash reports. There is no analytics SDK. There is no server-side logging. There is no opt-out, because there's nothing to opt out of.

What we haven't figured out yet

A third-party security audit is planned for later in the year, against a frozen v1 build. We'll publish the full report. If you're a security researcher interested in coordinated disclosure, the address in the footer works — we respond within 48 hours to anything marked as a security report.


Tagged Security · Published Mar 07, 2026