
Cybersecurity Local File and Permission Review

Status: Active working review Owner: BionicLoop engineering Last updated: 2026-04-06 12:37 EDT

1. Purpose

Review the current BionicLoop app-local file handling and permission surface relevant to the software handoff cybersecurity package.

This note is focused on what the shipped app currently exposes through local storage, export behavior, Info.plist permissions, and entitlements configuration.

2. Current App-Local Storage and Export Findings

2.1 Step telemetry CSV export

  • LoopTelemetryStore.swift exports step telemetry into the app Documents directory:
    • directory: FileManager.default.urls(for: .documentDirectory, in: .userDomainMask).first
    • file name: BionicLoop_StepTelemetry.csv
  • Export is performed asynchronously on a utility queue.
  • The CSV is written as plain UTF-8 using csv.write(to: exportURL, atomically: true, encoding: .utf8).
  • No explicit iOS file-protection attribute is applied in code during export, so the file receives only the container default (NSFileProtectionCompleteUntilFirstUserAuthentication for an app with no data-protection entitlement).

Interpretation:

  • The development-only export path is real and currently writes cleartext CSV into the app Documents directory.
  • This is acceptable only if it remains a controlled development/investigational path and is not treated as a production-grade protected record store.
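For comparison with the export described above, the following is an added example written for this review, not code from LoopTelemetryStore.swift. It keeps the atomic write but targets Application Support instead of Documents (so UIFileSharingEnabled and open-in-place do not expose it), requests NSFileProtectionComplete in the same write call, excludes the file from backups, and reads the protection attribute back instead of trusting the write options. The directory name TelemetryExports, the function names and the error type are assumptions for the example; the file-protection attributes are iOS-only, so this compiles for an iOS target rather than on macOS.

```swift
import Foundation

// Added example for this review, not project code. Assumed names: exportDirectory,
// exportStepTelemetry, TelemetryExportError, and the "TelemetryExports" folder.
enum TelemetryExportError: Error {
    case protectionNotApplied(path: String, observed: String?)
}

/// Directory for investigational exports. Application Support is inside the sandbox but is
/// not surfaced by Finder/iTunes file sharing or the Files app, unlike Documents.
func exportDirectory() throws -> URL {
    let base = try FileManager.default.url(for: .applicationSupportDirectory,
                                           in: .userDomainMask,
                                           appropriateFor: nil,
                                           create: true)
    let dir = base.appendingPathComponent("TelemetryExports", isDirectory: true)
    try FileManager.default.createDirectory(at: dir, withIntermediateDirectories: true)
    return dir
}

/// Writes `csv` atomically with NSFileProtectionComplete, excludes it from backups, and
/// verifies the protection class on disk. Returns the URL that was written.
@discardableResult
func exportStepTelemetry(csv: String,
                         fileName: String = "BionicLoop_StepTelemetry.csv") throws -> URL {
    let url = try exportDirectory().appendingPathComponent(fileName)

    // Data.write(to:options:) accepts the atomic flag and a protection class together;
    // String.write(to:atomically:encoding:) has no way to request a protection class.
    try Data(csv.utf8).write(to: url, options: [.atomic, .completeFileProtection])

    // Investigational exports should not ride along in iCloud/Finder backups.
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    var mutableURL = url
    try mutableURL.setResourceValues(values)

    // Read the attribute back: this is the evidence a TV-SEC-001 check can record.
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    let observed = attrs[.protectionKey] as? String
    guard observed == FileProtectionType.complete.rawValue else {
        throw TelemetryExportError.protectionNotApplied(path: url.path, observed: observed)
    }
    return url
}
```

Two caveats follow from the review's own findings. NSFileProtectionComplete makes the file unreadable and unwritable while the device is locked, so an export kicked off on the utility queue while the app is doing bluetooth-central background work on a locked device will throw; if that path is ever reachable, .completeFileProtectionUnlessOpen is the next-strongest class that still lets an already-open handle finish. Moving the file out of Documents removes the file-sharing exposure but also removes the easy retrieval path for developers; the Xcode Devices window can still download the whole app container, which is the gated path a development-only export should rely on.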

2.2 Telemetry outbox persistence

Interpretation:

  • This is suitable as an app-level queueing implementation detail.
  • It should not be described as the long-term secure record store for sensitive telemetry.

2.3 Auth/session storage

  • AuthSessionNetworking.swift stores auth tokens and credentials in iOS Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly.

Interpretation:

  • Current auth/session storage uses a stronger platform-protected path than the CSV export and telemetry outbox.
  • Formal cloud/auth closure is still deferred from this software handoff package.
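The Keychain attribute reported above interacts with the bluetooth-central background mode in section 4, and that interaction is worth making concrete. The following is an added example for this review, not code from AuthSessionNetworking.swift: it stores and reads a session token under kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly and handles the one status that class produces on a freshly booted, never-unlocked device. The service string, account parameter and function names are assumptions for the example.

```swift
import Foundation
import Security

// Added example for this review, not project code. Assumed: the service name below and
// the function/error names.
enum KeychainError: Error {
    case notFound
    case notYetUnlockedSinceBoot   // errSecInteractionNotAllowed under AfterFirstUnlock
    case unexpectedStatus(OSStatus)
}

private let sessionService = "com.example.bionicloop.session"   // assumed identifier

/// Upserts `token` for `account`. AfterFirstUnlockThisDeviceOnly means: readable once the
/// user has unlocked the device at least once since boot, even while it is locked again
/// later (which background bluetooth-central work needs), and never restored onto another
/// device from a backup. The stricter WhenUnlockedThisDeviceOnly would break any token
/// refresh attempted during a locked-screen BLE session.
func storeSessionToken(_ token: Data, account: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: sessionService,
        kSecAttrAccount as String: account,
    ]
    // Delete-then-add so the stored item always carries this accessibility class, including
    // after an upgrade from a build that wrote the item with a different one.
    let deleteStatus = SecItemDelete(query as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        throw KeychainError.unexpectedStatus(deleteStatus)
    }
    let attributes: [String: Any] = [
        kSecValueData as String: token,
        kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
    ]
    let addStatus = SecItemAdd(query.merging(attributes) { $1 } as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw KeychainError.unexpectedStatus(addStatus) }
}

/// Reads the token back. Callers must distinguish "not yet unlocked since boot" from
/// "no session": the first is transient and should be retried, not treated as a logout.
func loadSessionToken(account: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: sessionService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        guard let data = item as? Data else { throw KeychainError.unexpectedStatus(status) }
        return data
    case errSecItemNotFound:
        throw KeychainError.notFound
    case errSecInteractionNotAllowed:
        throw KeychainError.notYetUnlockedSinceBoot
    default:
        throw KeychainError.unexpectedStatus(status)
    }
}
```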

3. Current File-Access Surface

Info.plist currently enables:

  • UIFileSharingEnabled = true
  • LSSupportsOpeningDocumentsInPlace = true

Interpretation:

  • With UIFileSharingEnabled, everything in the app Documents directory is visible to, and copyable by, any paired computer over Finder/iTunes file sharing; with LSSupportsOpeningDocumentsInPlace also set, Documents is browsable in the Files app and its contents can be handed to other apps in place. That is a materially larger local access surface than a sandbox-opaque app.
  • Because the step telemetry CSV is written into Documents, these two settings, not the app sandbox, define the on-device telemetry exposure boundary.

4. Current Permission and Background Surface

Info.plist currently includes:

  • NSBluetoothAlwaysUsageDescription
  • NSBluetoothPeripheralUsageDescription
  • UIBackgroundModes = ["bluetooth-central"]

The checked-in BionicLoop app project does not currently define CODE_SIGN_ENTITLEMENTS for the BionicLoop target in project.pbxproj.

Interpretation:

  • The app currently uses a relatively small declared permission surface centered on Bluetooth device communication.
  • No separate BionicLoop app entitlements file is currently configured in the checked-in project.
  • The only entitlements file in the repository, LoopKitExample.entitlements, belongs to a LoopKit example target, not to the BionicLoop app target.
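The Info.plist findings in sections 3 and 4 are currently hand-copied. The following is an added evidence-capture script written for this review, not part of the BionicLoop project: it reads an Info.plist (checked-in XML or the binary plist from a built .app) and reports the file-access keys, background modes and usage-description keys this review tracks, flagging anything outside the reviewed scope so a later build cannot silently widen it. The script name and the output format are assumptions for the example.

```swift
import Foundation

// Added evidence-capture script for this review, not project code.
// Run: swift InfoPlistAudit.swift path/to/Info.plist
struct PlistFinding {
    let key: String
    let value: String
    let note: String
}

/// Reads the plist and returns one finding per tracked key. Keys outside the reviewed
/// permission surface are reported with an explicit "not in reviewed scope" note.
func auditInfoPlist(at path: String) throws -> [PlistFinding] {
    let data = try Data(contentsOf: URL(fileURLWithPath: path))
    guard let plist = try PropertyListSerialization.propertyList(from: data, format: nil)
            as? [String: Any] else {
        throw NSError(domain: "InfoPlistAudit", code: 1,
                      userInfo: [NSLocalizedDescriptionKey: "top-level object is not a dictionary"])
    }
    var findings: [PlistFinding] = []

    // Section 3: keys that widen the Documents exposure surface.
    let fileSharing = plist["UIFileSharingEnabled"] as? Bool ?? false
    let openInPlace = plist["LSSupportsOpeningDocumentsInPlace"] as? Bool ?? false
    findings.append(PlistFinding(
        key: "UIFileSharingEnabled", value: "\(fileSharing)",
        note: fileSharing ? "Documents exposed over Finder/iTunes file sharing"
                          : "Documents not exposed by file sharing"))
    findings.append(PlistFinding(
        key: "LSSupportsOpeningDocumentsInPlace", value: "\(openInPlace)",
        note: (fileSharing && openInPlace) ? "Documents also browsable in the Files app"
                                           : "no Files app exposure from this key alone"))

    // Section 4: any background mode beyond bluetooth-central is a scope change.
    let modes = plist["UIBackgroundModes"] as? [String] ?? []
    let unreviewedModes = modes.filter { $0 != "bluetooth-central" }
    findings.append(PlistFinding(
        key: "UIBackgroundModes", value: modes.joined(separator: ","),
        note: unreviewedModes.isEmpty ? "within reviewed scope"
                                      : "not in reviewed scope: \(unreviewedModes.joined(separator: ","))"))

    // Section 4: every NS*UsageDescription key is a declared permission prompt.
    let reviewedUsageKeys: Set<String> = ["NSBluetoothAlwaysUsageDescription",
                                          "NSBluetoothPeripheralUsageDescription"]
    let usageKeys = plist.keys.filter { $0.hasPrefix("NS") && $0.hasSuffix("UsageDescription") }
    for key in usageKeys.sorted() {
        findings.append(PlistFinding(
            key: key, value: plist[key] as? String ?? "",
            note: reviewedUsageKeys.contains(key) ? "within reviewed scope"
                                                  : "not in reviewed scope"))
    }
    // Reviewed keys that have disappeared are also worth seeing, since a missing
    // usage description means the OS will refuse the corresponding Bluetooth access.
    for key in reviewedUsageKeys.subtracting(usageKeys).sorted() {
        findings.append(PlistFinding(key: key, value: "<absent>", note: "expected key missing"))
    }
    return findings
}

let arguments = CommandLine.arguments
guard arguments.count == 2 else {
    FileHandle.standardError.write("usage: swift InfoPlistAudit.swift <Info.plist>\n".data(using: .utf8)!)
    exit(2)
}
do {
    for finding in try auditInfoPlist(at: arguments[1]) {
        print("\(finding.key) = \(finding.value) :: \(finding.note)")
    }
} catch {
    FileHandle.standardError.write("audit failed: \(error)\n".data(using: .utf8)!)
    exit(1)
}
```

Running it against the checked-in Info.plist gives the section 3 and 4 values as observed output; running it against the Info.plist inside the frozen .app bundle confirms the build did not rewrite them. The missing CODE_SIGN_ENTITLEMENTS finding is a project.pbxproj check, not a plist one, and stays a manual inspection item.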

5. Current Security Position for Software Handoff

What can be claimed now:

  • The app’s local permission surface is currently limited to Bluetooth usage descriptions and Bluetooth-central background mode.
  • The app does not currently show evidence of additional BionicLoop-specific entitlements in the checked-in project.
  • The local CSV export path and file-sharing exposure are explicitly recognized and documented in the cybersecurity package.

What should not be claimed yet:

  • That the current file-sharing / Documents-export posture is production-ready
  • That local exported telemetry receives explicit iOS file-protection hardening in the current implementation

For the current software-only handoff package:

  • keep TV-SEC-001 in scope
  • treat the current CSV export path as development-only / investigational support behavior
  • explicitly state that file-sharing and open-in-place expand the exposure surface for any Documents content
  • require a downstream decision before production release on whether to:
    • keep file-sharing enabled
    • move export behind tighter operator/developer gating
    • add explicit file protection to exported files

Current engineering recommendation:

  • acceptable with explicit conditions for the current investigational software handoff baseline
  • not acceptable as-is for production/commercial release

The formal recommendation and its conditions are recorded in Cybersecurity_Baseline_Acceptability_Recommendation.md.

Open actions:

  1. Produce formal TV-SEC-001 evidence for export/file-handling behavior using Cybersecurity_TV_SEC_001_Freeze_Execution_Checklist.md.
  2. Decide whether UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace remain acceptable for the frozen investigational baseline.
  3. If the export path remains, decide whether explicit file-protection attributes must be added.
  4. Keep this note linked from the cybersecurity handoff register and RA-009 supporting narrative.