Security-First Development
TAK Can is designed for sensitive operations — military exercises, search and rescue, law enforcement, and disaster response. Security is not an afterthought; it is a core design principle applied at every layer of the application.
Code Review Process
TAK Can undergoes regular internal code reviews covering:
- Thread safety — all concurrent access patterns audited for race conditions and deadlocks
- Cryptographic implementation — TLS configuration, AES-GCM mesh encryption, keychain usage
- Data protection — encryption at rest, credential storage, log file security
- Input validation — XML parsing, API response handling, CoT message integrity
- Access control — mesh bridge security, team filtering, onboarding enforcement
- Memory safety — Core Data threading, background task lifecycle, resource cleanup
Latest Review Summary
| Item | Details |
|---|---|
| Date | April 2026 |
| Scope | 17 source files — communications, data layer, UI, services, Watch app |
| Findings | 22 findings identified (5 critical, 4 high, 5 medium, 8 security) |
| Resolved | 19 findings fixed, 3 deferred (low risk) |
| False positives | 4 initial findings corrected after verification |
Security Measures in Place
| Layer | Protection |
|---|---|
| Server connections | TLS 1.2+ with mutual certificate authentication |
| MultipeerConnectivity mesh | DTLS encryption (Apple framework) |
| BLE mesh | AES-256-GCM with pre-shared key |
| Data at rest | Core Data + log files encrypted via iOS file protection |
| Credentials | iOS Keychain with ThisDeviceOnly — no iCloud sync |
| Mesh bridge | Only server-authenticated peers forwarded |
| BLE advertising | Generic device name — callsign not exposed |
Vulnerability Disclosure
If you discover a security vulnerability in TAK Can, please report it responsibly:
- Use the Support page contact form with "Security" in the subject
- Do not disclose the vulnerability publicly until a fix is available
- We aim to acknowledge reports within 48 hours and release fixes within 7 days for critical issues
Detailed Review Available
The full code review report — including specific findings, proposed fixes, and verification results — is available upon request for authorized parties (government agencies, military organizations, and enterprise customers evaluating TAK Can for deployment).
To request the report, use the Support page contact form with your organization details.
Continuous Improvement
Security is an ongoing process. Each release includes:
- Automated build verification via GitHub Actions
- Dependency vulnerability scanning (Dependabot)
- Manual code review for security-sensitive changes
- TestFlight beta testing before App Store release