Security & Privacy Practices
UmmatOne is designed with a privacy-first philosophy. The application is intentionally built to minimize data collection, reduce attack surface, and protect sensitive personal information related to religious practice.
Below is a summary of the security practices followed in the design and development of UmmatOne.
1. Privacy-First Architecture
UmmatOne operates primarily as a local-first application.
Your personal data – including prayer history, Quran recitation sessions, dhikr counts, fasting logs, and personal goals – is stored locally on your device.
The application does not include advertising SDKs, analytics trackers, or third-party telemetry frameworks that collect behavioral data.
This means your religious practice data is not monitored, tracked, or shared with advertisers.
2. Minimal Data Collection
UmmatOne collects only the information required for the application to function.
Examples include:
• prayer tracking history
• dhikr counters
• fasting records
• optional location for prayer time calculation
• optional Google account selection for backups
No passwords, financial credentials, or identity documents are collected.
3. Secure Local Storage
Sensitive application settings and identifiers are protected using Android Keystore-backed encryption.
Where appropriate, UmmatOne uses EncryptedSharedPreferences, which encrypts data at rest using keys stored securely within the Android device's hardware security module.
This protects data against unauthorized access on compromised or rooted devices.
4. Encrypted Backups
If the optional Google Drive backup feature is used:
• backup data is encrypted before leaving your device
• encryption uses AES-256-GCM with device-bound keys stored in Android Keystore
• backups include cryptographic integrity verification to prevent tampering
This ensures that even if cloud storage is compromised, backup data cannot be read or modified without the device encryption keys.
5. Integrity Protection
Backup files include cryptographic integrity verification mechanisms to detect tampering.
During restore operations, UmmatOne validates:
• backup format version
• data integrity signature
• numeric bounds and schema compatibility
This prevents corrupted or malicious data from being restored.
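The restore checks listed above, in the order a restore routine would apply them, as an added example that is not UmmatOne's own code. The blob layout, the single dhikr counter payload, the MAX_DHIKR bound and the function names are assumptions made for illustration; the AES-GCM authentication tag stands in for the integrity signature, and a JVM-generated key stands in for an Android Keystore key so the sketch runs off-device.

```kotlin
import java.nio.ByteBuffer
import java.security.SecureRandom
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Assumed layout (hypothetical): [1-byte version][12-byte IV][ciphertext + 16-byte GCM tag]
const val FORMAT_VERSION: Byte = 1
const val IV_LEN = 12
const val TAG_BITS = 128
const val MAX_DHIKR = 1_000_000 // assumed upper bound for a counter value

fun seal(key: SecretKey, dhikrCount: Int): ByteArray {
    val iv = ByteArray(IV_LEN).also { SecureRandom().nextBytes(it) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(TAG_BITS, iv))
    cipher.updateAAD(byteArrayOf(FORMAT_VERSION)) // bind the version byte to the tag
    val ct = cipher.doFinal(ByteBuffer.allocate(4).putInt(dhikrCount).array())
    return byteArrayOf(FORMAT_VERSION) + iv + ct
}

// Returns the restored counter, or null if any validation step fails.
fun restore(key: SecretKey, blob: ByteArray): Int? {
    if (blob.size < 1 + IV_LEN + TAG_BITS / 8) return null // truncated file
    if (blob[0] != FORMAT_VERSION) return null             // 1. format version
    val iv = blob.copyOfRange(1, 1 + IV_LEN)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(TAG_BITS, iv))
    cipher.updateAAD(byteArrayOf(blob[0]))
    val plain = try {
        cipher.doFinal(blob, 1 + IV_LEN, blob.size - 1 - IV_LEN) // 2. integrity (GCM tag)
    } catch (e: AEADBadTagException) { return null }
    if (plain.size != 4) return null                       // 3. schema: exactly one Int
    val count = ByteBuffer.wrap(plain).int
    return count.takeIf { it in 0..MAX_DHIKR }             // 3. numeric bounds
}

fun main() {
    // Constructed test key; on a device the key would be held in the Android Keystore.
    val key = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
    val good = seal(key, 33)
    println("valid backup      -> ${restore(key, good)}")
    val tampered = good.copyOf().also { it[it.size - 1] = (it[it.size - 1].toInt() xor 1).toByte() }
    println("tampered tag      -> ${restore(key, tampered)}")
    println("out-of-range data -> ${restore(key, seal(key, -5))}")
    println("unknown version   -> ${restore(key, good.copyOf().also { it[0] = 2 })}")
}
```

The bounds check runs even after the tag verifies, because a correctly authenticated backup can still carry values the current version of the app should not accept.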
6. Secure Communication
All network communication performed by UmmatOne uses HTTPS encryption.
Android’s network security configuration is used to enforce secure connections and prevent accidental use of insecure HTTP endpoints.
7. Limited Application Attack Surface
The application intentionally avoids components commonly associated with security vulnerabilities:
• no embedded web browsers (WebView)
• no externally exposed content providers
• minimal background services
• restricted inter-app communication
Reducing the attack surface lowers the risk of exploitation.
8. Secure Coding Practices
UmmatOne is developed using modern Android security practices including:
• strict input validation
• encrypted data storage where appropriate
• release build hardening and code obfuscation
• dependency monitoring for known vulnerabilities
• removal of debug logging from release builds
These practices help protect the application from common mobile security threats.
9. Independent Security Review
The codebase has undergone independent static security analysis and threat modelling aligned with:
• OWASP Mobile Top 10
• Android Security Best Practices
• Mobile Application Security Verification Standard (MASVS)
The security design focuses particularly on protecting user privacy and preventing data exposure.
10. Responsible Disclosure
If you believe you have discovered a security issue in UmmatOne, please report it responsibly.
We welcome security research that helps improve the safety and privacy of the application for the wider community.
Contact: Email will be shared soon.
UmmatOne is developed as a community-focused project with the goal of making Islamic habit building accessible while respecting the privacy and dignity of its users.