I published Tarn's threat model. Here's why you should read it.

Most apps don't publish threat models. They publish privacy policies — documents written by lawyers, for lawyers, that describe what a company is allowed to do with your data. A privacy policy tells you what happens to your data after you've already handed it over. It is a contract, not a defense.

A threat model is different. A threat model says: here are the people who might try to access your data, here is what they're capable of, and here is specifically how the system stops them. It also says — and this is the part most companies skip — here is what it cannot protect against.

Tarn's threat model is published on GitHub. I want to walk through why I wrote it, what it covers, and why I think every health app should have one.

Four tiers of adversary

I organized the threat model around four adversary profiles, from least to most capable:

Tier 1: Casual access. Someone picks up your unlocked phone. A roommate, a coworker, a friend. They're not looking for anything specific — they're scrolling, and they happen to see a period tracker. Tarn's defenses: PIN lock, disguised app icon, no branding on the lock screen, screenshot prevention, immediate lock on app background. The app doesn't advertise what it is.

Tier 2: Informed access. Someone who knows your phone passcode and is looking for something. An abusive partner. A controlling parent. A suspicious spouse. They can get past the phone lock screen. They can browse your apps. Tarn's defenses: app-level PIN separate from the phone passcode, duress PIN that shows an empty app, self-destruct after configurable failed attempts.

Tier 3: Technical adversary. Forensic tools like Cellebrite or GrayKey that can extract data from a device. Law enforcement with a warrant. Tarn's defenses: SQLCipher encryption on the database, Argon2id key derivation that makes brute force computationally expensive, no cloud backup to subpoena, random-byte overwrite on self-destruct.

Tier 4: State-level adversary. Nation-state capabilities. Full device compromise. Custom malware. Tarn's honest answer: it cannot fully protect against this tier. If your device is compromised at the OS level, all bets are off. I document this explicitly because pretending otherwise would be irresponsible.
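To make the Tier 2 and Tier 3 mechanisms above concrete, here is an added example: it is my illustration, not Tarn's code, and does not reproduce its real implementation. It shows a PIN gate with a memory-hard KDF, a duress PIN that yields an empty app, a configurable failed-attempt counter, and a random-byte overwrite on self-destruct. Assumptions: the page names Argon2id, but the Python standard library has no Argon2, so `hashlib.scrypt` (also memory-hard) stands in; the verifier label, the PINs 4821 and 0000, the lockout threshold and the file layout are constructed for illustration; and the SQLCipher database is represented by an opaque file of random bytes rather than real ciphertext.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The page names Argon2id; the standard library has no Argon2, so scrypt (also
# memory-hard) stands in. 128 * r * N = 16 MiB of RAM per guess at these parameters.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def derive_key(pin: str, salt: bytes) -> bytes:
    """Memory-hard KDF: every offline guess pays the full memory and CPU cost."""
    return hashlib.scrypt(pin.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def verifier_for(key: bytes) -> bytes:
    """Tag stored beside the salt so the right key is recognizable without storing it."""
    return hmac.new(key, b"example-pin-verifier", hashlib.sha256).digest()  # constructed label


@dataclass
class UnlockResult:
    mode: str             # "real", "duress", "wrong" or "destroyed"
    key: Optional[bytes]  # database key, present only in "real" mode


class Vault:
    """PIN gate in front of an encrypted store; the store itself is an opaque file here."""

    def __init__(self, path: str, real_pin: str, duress_pin: str, max_failures: int = 10):
        if real_pin == duress_pin:
            raise ValueError("duress PIN must differ from the real PIN")
        self.path = path
        self.salt = secrets.token_bytes(16)
        self.real_verifier = verifier_for(derive_key(real_pin, self.salt))
        self.duress_verifier = verifier_for(derive_key(duress_pin, self.salt))
        self.max_failures = max_failures
        self.failures = 0
        self.destroyed = False
        with open(path, "wb") as f:  # constructed stand-in for the SQLCipher database file
            f.write(secrets.token_bytes(4096))

    def unlock(self, pin: str) -> UnlockResult:
        if self.destroyed:
            return UnlockResult("destroyed", None)
        key = derive_key(pin, self.salt)
        tag = verifier_for(key)
        if hmac.compare_digest(tag, self.real_verifier):
            self.failures = 0
            return UnlockResult("real", key)
        if hmac.compare_digest(tag, self.duress_verifier):
            # Duress: present an empty app. The counter resets so a coerced
            # unlock looks exactly like a normal one.
            self.failures = 0
            return UnlockResult("duress", None)
        self.failures += 1
        if self.failures >= self.max_failures:
            self.self_destruct()
            return UnlockResult("destroyed", None)
        return UnlockResult("wrong", None)

    def self_destruct(self) -> None:
        """Overwrite the store with random bytes, sync, unlink, and forget the key material."""
        size = os.path.getsize(self.path)
        with open(self.path, "r+b") as f:
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())
        os.remove(self.path)
        self.salt = self.real_verifier = self.duress_verifier = b""
        self.destroyed = True

    @staticmethod
    def view(result: UnlockResult, entries: List[str]) -> List[str]:
        """What the UI shows: the real entries only after a real unlock, nothing otherwise."""
        return list(entries) if result.mode == "real" else []


def make_temp_vault(max_failures: int = 3) -> Tuple[Vault, str]:
    """Vault in a fresh temp dir with constructed PINs 4821 (real) and 0000 (duress)."""
    path = os.path.join(tempfile.mkdtemp(), "vault.db")
    return Vault(path, "4821", "0000", max_failures), path


def demo_sequence() -> Tuple[List[str], bool]:
    """Real unlock, duress unlock, three bad guesses, one more real attempt."""
    vault, path = make_temp_vault(max_failures=3)
    modes = [vault.unlock(p).mode for p in ("4821", "0000", "1111", "2222", "3333", "4821")]
    return modes, os.path.exists(path)


if __name__ == "__main__":
    print(demo_sequence())
```

Two caveats the code makes visible. The failed-attempt counter only governs guesses made through the app; an adversary working from an extracted image (Tier 3) never touches it, so against that tier only the KDF cost and the length of the PIN stand between the image and the key. And on flash storage the overwrite is best effort, since wear levelling can leave stale copies of the old blocks behind; it is the encryption that makes any surviving remnant useless, which is why the two defenses belong together.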

What Tarn cannot protect against

This section matters more than the rest of the document combined.

Tarn cannot protect against device-level compromise — if someone installs spyware on your phone, they can see everything you see. Tarn cannot protect against someone watching you use the app over your shoulder. Tarn cannot protect against legal compulsion to provide your PIN, which varies by jurisdiction and is an evolving area of law. Tarn cannot protect against a sophisticated adversary with physical access to your device and unlimited time.

I include these limitations because security tools that overstate their protection are more dangerous than no security tools at all. If you believe an app makes you safe and it doesn't, you take risks you wouldn't otherwise take. I'd rather you understand exactly where the walls are.

Why this matters for health apps

Health data is different from most personal data. It's intimate. It's persistent. And in the current legal landscape, it can be used against you in ways that didn't exist five years ago.

Most period trackers treat security as a feature — a lock screen, maybe a PIN. They don't think about it as a system. They don't ask: what happens if someone clones the device? What happens if someone compels the user to unlock? What happens if the database is extracted and attacked offline?

These aren't theoretical questions. They're the questions that forensic extraction tools answer. They're the questions that defense attorneys in reproductive health cases have to grapple with.

I think every app that handles sensitive health data should publish a threat model. Not a privacy policy. A threat model. Tell your users who you're protecting them from, how, and where the protection ends. Let them evaluate your claims. Let security researchers poke holes. Fix what breaks.

If your security only works when nobody's looking at it, it's not security. It's hope.

Read it yourself

The full threat model is at THREAT-MODEL.md. It covers adversary profiles, attack surfaces, defenses by layer, the cryptographic design, the self-destruct mechanism, duress mode, forensic resistance analysis, metadata leakage, known limitations, and design trade-offs.

If you find something I missed, report it. I'd rather fix it than not know about it.