Cybersecurity Baseline Acceptability Recommendation

Status: Active working recommendation
Owner: BionicLoop engineering
Last updated: 2026-04-06 12:37 EDT

1. Purpose

Provide an engineering recommendation on whether the current software-only investigational baseline is acceptable from a cybersecurity handoff perspective, given the already-documented local export, file-sharing, permission, logging, and inherited-control posture.

This note is not a final quality approval. It is the engineering recommendation that the receiving quality/submission team can accept, reject, or condition during freeze and IDE package assembly.

2. Recommendation Summary

Engineering recommendation:

  • Acceptable with explicit conditions for the current software-only investigational handoff baseline
  • Not acceptable as a production/commercial baseline without hardening

Reason for the conditional investigational recommendation:

  • the largest local-surface concern is real but bounded: LoopTelemetryStore.swift automatically exports cleartext step telemetry CSV into the app Documents directory on initialization and on each persisted step-record update
  • Info.plist currently enables both UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace
  • the current app-local permission surface is otherwise relatively narrow and Bluetooth-focused
  • reviewed auth/network/telemetry logging does not directly emit bearer tokens, passwords, or telemetry payloads in the reviewed code paths
  • the current package already documents the inherited-control boundary rather than over-claiming DASH/G7/Dexcom-app cybersecurity ownership

Reason this is not acceptable as a production/commercial baseline:

  • the step CSV export is automatic rather than operator-triggered
  • the CSV is written as plain UTF-8 into Documents without explicit iOS file-protection attributes
  • file-sharing/open-in-place expands the local exposure surface for that data
  • the current package intentionally does not claim production-grade cloud/auth/security closure

3. Basis for the Recommendation

3.1 Findings that support conditional investigational acceptability

  • The app does not currently show evidence of broad additional entitlements beyond Bluetooth/background communication in the checked-in project and Info.plist.
  • Auth/session credentials are stored using Keychain accessibility kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly in AuthSessionNetworking.swift.
  • Reviewed API/telemetry debug logging avoids direct emission of bearer tokens and redacts URL query strings in AuthenticatedAPIClient.swift, with the residual logging risk limited primarily to debug-only response snippets.
  • The software handoff package clearly separates BionicLoop-owned local controls from supplier/device-owned inherited controls in CybersecurityPlan.md.

3.2 Findings that require explicit conditions

  • StepCSVExporter writes BionicLoop_StepTelemetry.csv to the Documents directory automatically on store initialization and every persistStepRecords() call in LoopTelemetryStore.swift.
  • That export currently uses plain UTF-8 with no explicit iOS file-protection attribute in LoopTelemetryStore.swift.
  • UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace are enabled in Info.plist, so the Documents-based CSV path is part of a broader local access surface.
  • TV-SEC-001 is still the in-scope security verification row for this package and has not yet been promoted into formal freeze-time evidence.
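The following is an added example, not code from the BionicLoop project, showing how the two local-surface findings above can be checked at runtime on the device: it reads the UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace flags from Info.plist and reads the file-protection class on the exported CSV in Documents. The type names, the report shape, and the "hardened posture" rule are assumptions for illustration; the CSV file name and plist keys are the ones cited in this note. It is iOS-only, since file-protection attributes are not exposed on macOS.

```swift
import Foundation

// Added example, not BionicLoop project code. Names below are assumptions.
struct LocalExposureReport {
    let fileSharingEnabled: Bool
    let openInPlaceEnabled: Bool
    let csvExists: Bool
    let csvProtection: FileProtectionType?

    /// Human-readable findings suitable for attaching to a verification row.
    /// Empty means no local-surface finding was observed.
    var findings: [String] {
        var out: [String] = []
        if fileSharingEnabled { out.append("UIFileSharingEnabled is true") }
        if openInPlaceEnabled { out.append("LSSupportsOpeningDocumentsInPlace is true") }
        if csvExists {
            switch csvProtection {
            case .complete?, .completeUnlessOpen?:
                break // an explicit "complete" class on the export is acceptable
            case let other:
                out.append("CSV present with protection class \(other?.rawValue ?? "unreadable")")
            }
        }
        return out
    }

    var meetsHardenedPosture: Bool { findings.isEmpty }
}

enum LocalExposureCheck {
    // File name as cited in this note.
    static let csvName = "BionicLoop_StepTelemetry.csv"

    struct NoDocumentsDirectory: Error {}

    /// Reads a boolean Info.plist key; a missing key counts as false.
    static func plistFlag(_ key: String, in bundle: Bundle) -> Bool {
        (bundle.object(forInfoDictionaryKey: key) as? Bool) ?? false
    }

    /// Reads the protection class stored under FileAttributeKey.protectionKey.
    /// Without an explicit attribute, iOS gives Documents files the
    /// completeUntilFirstUserAuthentication class, which is weaker than "complete".
    static func protectionClass(at url: URL, fileManager: FileManager) throws -> FileProtectionType? {
        let attrs = try fileManager.attributesOfItem(atPath: url.path)
        return (attrs[.protectionKey] as? String).map { FileProtectionType(rawValue: $0) }
    }

    /// Builds the report for the running app bundle and its Documents directory.
    static func run(bundle: Bundle = .main,
                    fileManager: FileManager = .default) throws -> LocalExposureReport {
        guard let documents = fileManager.urls(for: .documentDirectory, in: .userDomainMask).first else {
            throw NoDocumentsDirectory()
        }
        let csvURL = documents.appendingPathComponent(csvName)
        let exists = fileManager.fileExists(atPath: csvURL.path)
        var protection: FileProtectionType? = nil
        if exists {
            protection = try protectionClass(at: csvURL, fileManager: fileManager)
        }
        return LocalExposureReport(
            fileSharingEnabled: plistFlag("UIFileSharingEnabled", in: bundle),
            openInPlaceEnabled: plistFlag("LSSupportsOpeningDocumentsInPlace", in: bundle),
            csvExists: exists,
            csvProtection: protection)
    }
}
```

Against the baseline described above, `LocalExposureCheck.run()` would return both plist findings and a CSV finding, because an export written without an explicit attribute carries the iOS default class rather than "complete"; the `findings` list is the kind of observation that can be recorded as evidence when the security verification row is rerun at freeze.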

4. Conditions Required for the Investigational Recommendation

Engineering recommends the current baseline be considered acceptable for the software-only investigational handoff package only if all of the following are carried forward explicitly:

  1. The current CSV export path is described as an investigational/development support behavior, not as a protected long-term record store.
  2. The receiving quality/submission team records an explicit acceptance that Documents/file-sharing exposure is part of the frozen investigational baseline.
  3. TV-SEC-001 is rerun/promoted into formal evidence at freeze for the actual frozen SHA using Cybersecurity_TV_SEC_001_Freeze_Execution_Checklist.md.
  4. Site/operator controls, managed-device expectations, or equivalent procedural controls are used to bound who can access app Documents content during the investigation.
  5. The package continues to avoid claiming production-grade closure for deferred cloud/auth/security rows.

5. Explicit Non-Recommendation for Production / Commercial Use

Engineering does not recommend the current baseline as acceptable for production/commercial release.

Before such a release posture, at least one of the following hardening changes should occur:

  1. remove automatic CSV export from ordinary runtime behavior
  2. disable file sharing / open-in-place for participant-facing builds
  3. gate export behind a tighter developer/operator-only control path
  4. apply explicit file-protection attributes to any retained local export files
  5. complete broader auth/cloud/security closure and formal evidence promotion beyond the current investigational handoff scope
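The following added example (not BionicLoop project code) illustrates items 1, 3 and 4 of the hardening list in one exporter: the CSV is never written from store initialization or a persist path, the export can only be triggered through an operator-only control path, and the file is written with an explicit iOS file-protection class. The type names, the `ExportAuthority` control and the record shape are assumptions; the CSV file name is the one this note cites. iOS-only, as the protection option is not available on macOS.

```swift
import Foundation

// Added example, not BionicLoop project code. Names below are assumptions.
struct StepRecord {
    let timestamp: Date
    let steps: Int
}

enum ExportError: Error {
    case notAuthorized
    case noDocumentsDirectory
}

/// Who is requesting the export. Participant-facing builds never hold an
/// operator session, so the export path is unreachable for them.
enum ExportAuthority {
    case participant
    case operatorSession
}

struct ProtectedStepCSVExporter {
    // File name as cited in this note.
    static let csvName = "BionicLoop_StepTelemetry.csv"
    let fileManager: FileManager

    init(fileManager: FileManager = .default) {
        self.fileManager = fileManager
    }

    /// Renders records as CSV text. Plain text is fine here because the
    /// protection class is applied when the bytes are written to disk.
    func render(_ records: [StepRecord]) -> String {
        let formatter = ISO8601DateFormatter()
        var lines = ["timestamp,steps"]
        for record in records {
            lines.append("\(formatter.string(from: record.timestamp)),\(record.steps)")
        }
        return lines.joined(separator: "\n") + "\n"
    }

    /// Operator-triggered export only. This is deliberately not called from
    /// store init or from any per-record persist path (hardening items 1 and 3).
    @discardableResult
    func export(_ records: [StepRecord], by authority: ExportAuthority) throws -> URL {
        guard authority == .operatorSession else { throw ExportError.notAuthorized }
        guard let documents = fileManager.urls(for: .documentDirectory, in: .userDomainMask).first else {
            throw ExportError.noDocumentsDirectory
        }
        let url = documents.appendingPathComponent(Self.csvName)
        let data = Data(render(records).utf8)
        // .completeFileProtection maps to NSFileProtectionComplete: the file's
        // contents are encrypted under a class key that is only available while
        // the device is unlocked (hardening item 4). .atomic avoids leaving a
        // partially written file behind if the write is interrupted.
        try data.write(to: url, options: [.atomic, .completeFileProtection])
        return url
    }
}
```

A participant-facing call such as `try exporter.export(records, by: .participant)` throws `ExportError.notAuthorized` before any bytes reach Documents, while an operator session produces a file whose protection class can be read back under `FileAttributeKey.protectionKey` and recorded as freeze-time evidence. Disabling file sharing and open-in-place (item 2) is an Info.plist change rather than code and is not shown here.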

For the current software-only IDE handoff package, engineering recommends the receiving team record:

  • Acceptable with conditions for investigational baseline

with the conditions pulled from Section 4 above.

7. Relationship to Other Cybersecurity Notes

This recommendation is based on: