Security

How Fynna keeps your financial data safe

Fynna is built with a security-first architecture. Your financial data is among the most sensitive information you have, and we designed every layer of the app to ensure it stays protected and under your control at all times.

Core principle: We cannot see your data. We do not want to see your data. The app is architectured so that accessing your financial information is technically impossible for us.

1. Local-First Architecture

All your financial data is stored exclusively on your device using Apple's SwiftData framework. There is no central database, no cloud storage by default, and no server that holds your records.

  • Data resides in your device's local storage, protected by iOS sandboxing
  • Each app on iOS runs in its own sandbox, meaning no other app can access Fynna's data
  • Your device's built-in encryption (Data Protection) encrypts the database at rest when your device is locked
  • No internet connection is required for core functionality
  • Deleting the app permanently removes all local data

2. End-to-End Encryption (iCloud Sync)

When Pro users enable iCloud sync, all data is encrypted on-device before being transmitted. The encryption process works as follows:

Encryption Details

Algorithm

AES-256-GCM

Key Size

256-bit symmetric key

Library

Apple CryptoKit

Key Storage

iOS Keychain (hardware-backed)

Key Sync

iCloud Keychain (device-to-device)

Data Format

Encrypted binary blobs

How It Works

  1. 1A 256-bit symmetric encryption key is generated on your device when you first enable sync
  2. 2The key is stored in the iOS Keychain with hardware-backed protection (Secure Enclave)
  3. 3The key is shared between your devices via iCloud Keychain, which is itself end-to-end encrypted by Apple
  4. 4When syncing, each data record is serialized and then encrypted using AES-256-GCM on your device
  5. 5Only the encrypted binary blob is uploaded to your private iCloud container (CloudKit)
  6. 6On your other devices, the encrypted blob is downloaded and decrypted locally using the same key
  7. 7At no point does unencrypted data leave your device

3. Key Management

The encryption key is the only piece that can decrypt your data. It is managed with the following security measures:

  • Generated using cryptographically secure random number generation via Apple CryptoKit
  • Stored in the iOS Keychain, which leverages the device's Secure Enclave for hardware-level protection
  • Marked as synchronizable via iCloud Keychain so it is available on your other Apple devices signed in with the same Apple ID
  • iCloud Keychain itself uses end-to-end encryption, meaning Apple cannot access your keychain data
  • The key never exists in plaintext outside of device memory during encryption/decryption operations
  • If iCloud Keychain is disabled, sync will still function but decryption on other devices will fail until keychain sync is enabled

4. Zero-Knowledge Architecture

Fynna operates on a zero-knowledge model. This means:

  • We have no ability to view, access, or decrypt your financial data
  • Our servers never receive your financial records, account balances, transaction details, or any personal information
  • CloudKit stores only encrypted blobs in your private iCloud container, which only your devices can decrypt
  • Even if our infrastructure were compromised, attackers would obtain nothing of value because we hold nothing
  • We do not have a database of users, accounts, or financial records
  • We cannot respond to data requests from third parties because we have no data to provide

5. Network Security

The only network requests Fynna makes are for fetching market data (exchange rates, stock prices, cryptocurrency prices) from our servers. These requests are secured as follows:

  • All network communication uses HTTPS/TLS encryption in transit
  • App Transport Security (ATS) is enforced, preventing any non-HTTPS connections
  • Market data requests contain only public identifiers (currency codes, stock symbols) and no user data
  • Our servers act as a stateless proxy, they do not log, store, or correlate requests with any user identity
  • No cookies, session tokens, or authentication headers are sent with market data requests
  • CloudKit sync traffic is handled entirely by Apple's infrastructure with their own TLS implementation

6. Device-Level Security

Fynna benefits from multiple layers of iOS security:

  • iOS App Sandbox prevents other apps from accessing Fynna's data
  • Data Protection encrypts app data at rest using your device passcode
  • Face ID and Touch ID protect device access
  • Secure Enclave provides hardware-backed key storage for the encryption key
  • iOS Keychain uses its own encryption layer independent of the app
  • Code signing ensures only verified versions of Fynna can run on your device

7. Sync Conflict Resolution

When syncing across multiple devices, conflicts are handled securely:

  • Last-writer-wins strategy based on timestamps ensures deterministic conflict resolution
  • Delta sync using CloudKit change tokens ensures only modified records are transferred
  • Soft delete pattern (marking records as deleted rather than removing them) prevents data loss during sync
  • All 12 data models are synced with the same encryption standard
  • Sync is debounced (60 seconds) to prevent excessive network traffic
  • Immediate sync is triggered when the app moves to background to ensure data freshness

8. What We Do Not Do

To be completely transparent about our security posture:

  • We do not collect, store, or process any personal or financial data on our servers
  • We do not use analytics SDKs, crash reporting tools, or any form of telemetry
  • We do not integrate advertising networks or tracking frameworks
  • We do not fingerprint devices or track user behavior
  • We do not share, sell, or trade any data with third parties
  • We do not require or store email addresses, phone numbers, or any account credentials
  • We do not have the technical ability to recover your data if you lose your device and your iCloud backup

9. Recommendations for Users

While Fynna is designed to be secure by default, you can further protect your data by following these recommendations:

  • Keep your iPhone updated to the latest iOS version for the newest security patches
  • Use a strong device passcode (6-digit or alphanumeric)
  • Enable Face ID or Touch ID for convenient but secure device access
  • Enable iCloud Keychain if you plan to use multi-device sync, to ensure your encryption key is available on all devices
  • Regularly back up your device via iCloud or local Mac backups
  • Be cautious about using Fynna on jailbroken devices, as jailbreaking removes important iOS security protections

Report a Security Issue

If you discover a security vulnerability or have concerns about the security of Fynna, please contact us immediately at [email protected]. We take all security reports seriously and will respond as quickly as possible.