Trust model

Security

How Shippie isolates apps, verifies packages, and handles vulnerability reports.

Updated June 11, 2026

Security model

Shippie treats each app as untrusted until the platform can verify how it should run. The Apps shell uses iframe boundaries, package receipts, app metadata, and explicit bridge APIs so apps ask for capabilities instead of reaching across the shell.

What we check

The platform scans deploys and generated packages for device support, external domains, local-data signals, security posture, and Apps compatibility. Runtime proof badges are earned only after Shippie observes a capability working on real devices.

  • Package hashes and package metadata help users identify the version they opened.
  • External domains and declared permissions are surfaced on app detail pages where available.
  • Private-space invites and app grants are scoped rather than global account permissions.

Responsible disclosure

Please report suspected vulnerabilities to hello@shippie.app. Include affected URLs, reproduction steps, expected impact, and whether you accessed any data that was not yours.

Do not run destructive tests, exfiltrate user data, interrupt service, or publicly disclose an issue before we have had a reasonable chance to investigate and fix it.

Ship security model

Sealed shipped items are end-to-end in the sense that the content is encrypted in the browser with AES-256-GCM and Shippie cannot read the ciphertext — the key lives only in the URL fragment and is never sent to the server. The ciphertext is bound to a client sealId via AES-GCM additional authenticated data, so it cannot be transplanted under another seal. Decrypted content renders in a sandbox="allow-scripts" iframe with connect-src none, so it cannot phone home. The caveat is that the key is in the link: anyone with the link can read the item, so a sealed link should be treated like a password.

Shareable shipped items are public pages Shippie can read by design. They are served from an isolated per-item origin with a hardened CSP (connect-src self, form-action none, a sandbox directive, report-uri) and scanned on upload for secrets and phishing — a risk signal, not a guarantee.

  • Abuse handling: user reporting via /api/drops/[id]/report, an admin kill switch that suspends an item to a 451 on the next request, and automatic expiry.
  • Takedown and abuse contact: hello@shippie.app.

Current launch posture

Shippie is a web app platform. Browser isolation, Cloudflare Workers, package metadata, local storage boundaries, and user-visible capability surfaces are the core protections. Native app-store review is not part of the launch model.

No platform can guarantee absolute security. Shippie reduces default cloud exposure, makes data movement visible, and treats vulnerability reports as launch-critical.