Security & Trust

Built to protect your data, not just host a website.

AppTesters is designed so that a server-side issue on apptesters.org does not expose your payment details or Cloud data. This page explains how our architecture works and how we handle security incidents.

  • Website & data hosted separately
  • No card data on AppTesters servers
  • Transparent security advisories

High-level architecture

1. You & your devices
Client

Browser, Akentis app, queues & orders view

2. apptesters.org (server)
Server

UI, API endpoints, non-sensitive logic

3. Cloud (Google Cloud)
Data

Accounts, orders, queue data, device IDs

4. Stripe / PayPal / others
Payments

Card details & payment processing

TL;DR: Even if the website host is compromised, your core data and card details stay protected inside Cloud and payment providers.

Where your data actually lives

Different types of data live in different places. This separation is intentional and reduces the impact of any single issue.

Web App Server

Presentation layer

Hosts apptesters.org and some API services. We do not store your passwords, card numbers, or Cloud data directly on this machine.

Cloud (Google Cloud)

Primary data store

Stores account data, orders, queue information, and device IDs. Protected by Google Cloud security, IAM and security rules.

Payments (Stripe, PayPal, etc.)

Sensitive payment data

Card details never touch AppTesters servers. Payment providers handle and store card information in their own PCI-DSS compliant systems.

Apple-related data

Apple ecosystem

We never store your Apple ID or password. We don't need them. We use your Apple device UDID for processing and deliveries.

How we protect AppTesters

Security is not a single feature – it is an ongoing set of practices across infrastructure, code, and operations.

These are some of the day-to-day practices we follow to keep the platform and your data safe.

Isolated architecture

The public website, Cloud data, and payment providers run on separate infrastructure, reducing the blast radius of any single issue.

TLS everywhere

All traffic to apptesters.org is served over HTTPS, with modern TLS configuration and HSTS enabled at the edge.

Hardened access

Administrative access uses SSH keys and restricted accounts. We regularly review access and rotate keys when needed.

Dependency patching

We follow upstream advisories for React, Next.js and other dependencies, and patch critical issues as quickly as possible.

Monitoring & logging

We monitor server resource usage, error rates, and suspicious patterns so we can react quickly if something looks wrong.

Backups & recovery

Key data is backed up from Cloud to secure storage so we can recover in the event of an outage or disaster.

Security advisories & incidents

When something important happens, we document it publicly so you can see what was affected and how we responded.

Report a security issue

If you believe you’ve found a vulnerability or security issue affecting AppTesters, we’d like to hear from you. We appreciate responsible disclosure.

How to contact us

  • Email: [email protected]
  • Include a clear description and steps to reproduce the issue.
  • Mask or redact any sensitive personal data in screenshots where possible.

We aim to acknowledge valid security reports within 72 hours and keep you updated as we investigate and fix the issue.

Responsible disclosure (quick guidelines)

  • ✅ Use test data whenever possible.
  • ✅ Give us reasonable time to investigate and fix before going public.
  • ❌ Do not attempt to access other users’ accounts or data.
  • ❌ Do not perform denial-of-service attacks or spam the platform.

What this means for you

In plain language:

  • Your card details and payment information are handled by Stripe, PayPal, and other providers – not stored on our servers.
  • Your account data, queue status, and device IDs live in Cloud (Google Cloud), behind its own security model.
  • If a major vulnerability affects us (like React2Shell), we patch quickly and publish a clear advisory so you can see what happened.

We built AppTesters to be transparent, not mysterious. When something important happens, you’ll see it documented here – with real details, not vague PR.

Common questions

Was my data exposed in the Dec 2025 React2Shell incident?

No. The issue affected the web server (presentation layer). Your account data, queue status, and device IDs remain stored in Cloud (Google Cloud), and payment details are handled by payment providers such as Stripe and PayPal.

Do you store card numbers on AppTesters servers?

No. All card and payment details are processed and stored by Stripe, PayPal, and other payment providers. AppTesters never sees your full card number.

What happens if there’s another major vulnerability?

We patch quickly, investigate impact, and publish a public advisory under our Security Advisories section so you can see exactly what happened and what we did.

How can I report a security issue?

You can email us with details of the potential issue. We appreciate responsible disclosure and will work with you to verify and fix the problem.