The following versions of Rika Firenet Unofficial are currently supported with security updates:

⚠️ IMPORTANT SECURITY NOTICE: Version 1.4.0 introduces critical security features that protect against MITM attacks, credential theft, and API abuse. We strongly recommend upgrading to 1.4.x immediately. Previous versions lack essential security protections and should not be used.

• Credentials: Email and password are encrypted using FlutterSecureStorage (Android Keystore/iOS Keychain)
• Session cookies: Stored locally via PersistCookieJar for persistent authentication
• App settings: Stored in SharedPreferences (non-sensitive data only)
• Secure deletion: Multi-layer cryptographic erasure of credentials on logout
• No cloud storage: All data remains on your device

• Biometric authentication: Optional fingerprint/Face ID app lock for quick access (Android & iOS)
• Password fallback: Always available if biometric authentication fails
• Session management: Automatic re-authentication when sessions expire

• HTTPS enforced: All communications with Rika Firenet API use HTTPS
• Certificate pinning: SSL certificate validation to prevent man-in-the-middle attacks
• Rate limiting: Client-side request throttling with exponential backoff to prevent abuse
• No third-party servers: The app communicates only with official Rika Firenet API
• No analytics or tracking: No data is transmitted to third parties or developers

• ProGuard/R8 enabled: Release builds use code shrinking and obfuscation
• Open source: Source code is publicly available for security audits

⚠️ This app is UNOFFICIAL and NOT affiliated with RIKA. It uses the Rika Firenet web interface in an undocumented manner. While we implement security best practices, users should:

• Never share their Rika Firenet credentials with anyone
• Use strong, unique passwords
• Regularly review their stove's activity
• Not rely solely on this app for critical safety functions

If you discover a security vulnerability in Rika Firenet Unofficial, please help us protect our users by reporting it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues via one of the following methods:

1. GitHub Security Advisories (recommended):

   • Go to Security Advisories
   • Click "Report a vulnerability"
   • Fill in the details

2. Private email to the maintainer:

   • Contact via GitHub profile: @R-Gld
   • Include [SECURITY] in the subject line

Please provide the following information:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact (what could an attacker do?)
• Affected versions (if known)
• Suggested fix (if you have one)
• Your contact information for follow-up questions

• Acknowledgment: Within 48 hours of your report
• Initial assessment: Within 7 days we'll confirm if the issue is a valid security vulnerability
• Updates: You'll receive progress updates at least every 14 days
• Resolution timeline:
  • Critical vulnerabilities: Patch within 7 days
  • High severity: Patch within 30 days
  • Medium/Low severity: Patch in next scheduled release

1. We'll work on a fix and prepare a security patch
2. You'll be credited in the security advisory (unless you prefer to remain anonymous)
3. We'll coordinate disclosure timing with you
4. A security advisory will be published with the patch release
5. Users will be notified via release notes

If we determine the reported issue is not a security vulnerability, we'll explain why and may suggest:

• Opening a regular GitHub issue if it's a bug
• Submitting a feature request if it's an enhancement
• Clarifying if additional information changes the assessment

To maximize your security when using Rika Firenet Unofficial:

• Use a strong password for your Rika Firenet account (12+ characters, mixed case, numbers, symbols)
• Don't share credentials with anyone
• Change your password regularly (every 3-6 months)
• Enable two-factor authentication on your Rika Firenet account (if available)

• Lock your device with a PIN, password, or biometric authentication
• Enable biometric lock: Use the app's biometric authentication feature for quick and secure access
• Keep your OS updated to receive security patches
• Only install from official stores (Google Play Store, App Store)
• Review app permissions regularly

• Update regularly: Install updates promptly to receive security fixes
• Log out when selling/discarding device: Remove credentials before transferring ownership
• Review notification settings: Ensure sensitive information isn't displayed on lock screen

• Use secure Wi-Fi: Avoid using the app on public/untrusted Wi-Fi networks
• Consider a VPN: For additional privacy when accessing your stove remotely

This app uses the Rika Firenet web interface API, which is:

• Undocumented: Not officially supported by RIKA
• Subject to change: RIKA may modify the API without notice, potentially breaking functionality
• No official support: RIKA is not responsible for issues caused by this app

• WorkManager limitations: Android may restrict background tasks based on battery optimization settings
• Notification delays: Background sync interval may not be perfectly precise due to OS restrictions

The app uses SSL certificate pinning to prevent man-in-the-middle attacks. When RIKA renews their SSL certificate, the app requires an update:

Certificate Rotation Strategy:

1. ~30 days before expiry: Add new certificate hash to the pinned list (keep old hash)
2. Release update: Publish new app version with both hashes
3. Wait for adoption: Monitor update rate (~90-95% of active users)
4. Remove old hash: After sufficient adoption, remove the expired hash in next release

Current Certificate:

• Hash: mAXiOaBzLsq4NP7qbVl62bHRXvzdVhKPxfHXAYMWAY4=
• Valid as of: 2025-12-31
• Next review: Check certificate expiry periodically

To regenerate hash:

echo | openssl s_client -connect www.rika-firenet.com:443 -servername www.rika-firenet.com 2>/dev/null | \
openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | \
openssl dgst -sha256 -binary | openssl enc -base64

Impact if not updated:

• App will reject SSL connections to Rika Firenet
• Users will see "Certificate pinning validation failed" errors
• Authentication will fail until app is updated

Note: No formal third-party security audits have been performed. Contributions from security researchers are welcome.

For non-security-related issues, please use:

• Bug reports: GitHub Issues
• Feature requests: GitHub Issues
• General questions: GitHub Discussions or Issues

Thank you for helping keep Rika Firenet Unofficial secure! 🔒