Back to home

Security Center

Last updated: June 6, 2026

This page describes StreetLoans security measures using verifiable language. It is not a substitute for an external audit of the APK, backend, TLS configuration, or infrastructure.

Summary: StreetLoans stores core operations locally, protects new backups with authenticated SLB2, uses HTTPS/TLS for backend communication, and provides a formal vulnerability reporting channel.

1. Local storage

Customers, loans, payments, partial payments, late fees, and receipt profiles are stored in the app's local database inside Android private app storage. Protection also depends on device lock, operating system updates, and user practices.

2. Encrypted backups and integrity

New backups use SLB2:{version}:{kdf}:{iterations}:{salt}:{iv}:{ciphertext}:{hmac}. The current implementation uses AES-256-CBC with separate encryption and HMAC-SHA256 keys. StreetLoans verifies the HMAC before decryption to reject tampered or corrupt files.

Older SLB1 backups remain readable for compatibility. Exported backups remain the user's responsibility and should be protected with a strong password and stored safely.

3. Features requiring internet

Core operations work offline. Verification, account recovery, license validation, support, crash reporting, and optional backup synchronization require internet.

4. Google Drive on Android

When available and enabled by the user, StreetLoans can synchronize encrypted backups with Google Drive. iOS may be evaluated in a future stage and is not documented as available at this stage.

5. Protection limits

No control removes all risk. Protection depends on the backup password, physical device security, updates, Android permissions, backend configuration, and operational controls.

6. Vulnerability reporting

Report vulnerabilities to security@streetloans.app. Include reproduction steps, impact, app version, device, non-sensitive screenshots, and any safe proof of concept.

  • Allowed: responsible reports, testing on your own accounts, and minimal evidence.
  • Not allowed: third-party data access, destructive exploitation, social engineering, spam, denial of service, or mass extraction.
  • Expected response: initial acknowledgement within 7 business days and status updates based on severity.