Security Score

Mac + iPhone

A single number that tells you how well your device is configured for security. Not a guess — a weighted assessment of real system settings.

On macOS, HomeFront checks: Is the firewall enabled? Is FileVault (full-disk encryption) turned on? Is System Integrity Protection active? Is Gatekeeper enforcing app signatures? Is automatic updating enabled? Is the screen lock configured with a reasonable timeout?

On iOS, it checks: Is a passcode set? Is the device on the latest OS version? Is the device jailbroken? Is DNS filtering active?

Each check has a weight based on how much it affects your actual security posture. FileVault matters more than screen lock timeout. The weights produce a score from 0 to 100, mapped to a letter grade.

How it checks (macOS)

System checks run via Process calls to built-in macOS commands: spctl --status for Gatekeeper, fdesetup status for FileVault, csrutil status for SIP, defaults read for firewall and auto-update. These are the same commands an IT admin would run in Terminal. No kernel extensions, no elevated privileges beyond what the app sandbox allows.
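A sketch of how the outputs of three of those commands can be turned into a weighted score, added here as an example and not HomeFront's code. The weights, the grade cut-offs and the sample outputs are assumptions; output that is missing or not recognised counts as a failed check.

```python
import re
import shlex
import subprocess

# (name, command from the page, output that counts as a pass, assumed weight)
CHECKS = [
    ("FileVault", "fdesetup status", r"^FileVault is On\.", 40),
    ("SIP", "csrutil status", r"^System Integrity Protection status: enabled\.", 35),
    ("Gatekeeper", "spctl --status", r"^assessments enabled$", 25),
]
GRADES = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]  # assumed cut-offs

def collect():
    """Run each command without a shell; None when it is missing or times out."""
    outputs = {}
    for _, cmd, _, _ in CHECKS:
        try:
            done = subprocess.run(shlex.split(cmd), capture_output=True,
                                  text=True, timeout=5)
            outputs[cmd] = done.stdout
        except (OSError, subprocess.TimeoutExpired):
            outputs[cmd] = None
    return outputs

def evaluate(outputs):
    """Return (score 0-100, letter grade, names of failed checks)."""
    earned, total, failed = 0, 0, []
    for name, cmd, passing, weight in CHECKS:
        total += weight
        text = (outputs.get(cmd) or "").strip()
        if re.search(passing, text, re.MULTILINE):
            earned += weight
        else:
            failed.append(name)      # "Off", unknown or missing output fails closed
    score = round(100 * earned / total)
    grade = next(letter for floor, letter in GRADES if score >= floor)
    return score, grade, failed

# Constructed sample: FileVault off, the other two checks passing.
SAMPLE = {
    "fdesetup status": "FileVault is Off.\n",
    "csrutil status": "System Integrity Protection status: enabled.\n",
    "spctl --status": "assessments enabled\n",
}

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

On a Mac, evaluate(collect()) scores the live system instead of the constructed sample.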

Network traffic

None. All checks read local system state. Nothing leaves your device.

DNS Content Filtering

iPhone today · Mac in development

On iPhone, HomeFront filters risky domains against a local reference database. On Mac, this protection is being built on top of Apple’s DNS proxy architecture and is not part of the current launch build.

When an app tries to connect to a domain, it first resolves that name through DNS. On iPhone, HomeFront can intervene at that stage and block domains that appear on the local reference database. On Mac, the product currently focuses on network awareness, file monitoring, and device health checks while the active DNS-enforcement path is under development.

App requests evil-site.com → HomeFront checks local blocklist → Domain blocked (NXDOMAIN)

On iOS, this uses Apple's NEPacketTunnelProvider API — a Network Extension that intercepts DNS packets at the system level. It looks like a VPN in Settings because Apple uses that UI for all network extensions, but no traffic is tunneled anywhere. Your regular internet connection is untouched.

On macOS, HomeFront does not yet ship active DNS filtering. The intended macOS path uses Apple’s DNS proxy system-extension model so filtering remains on-device and platform-correct.

Where the blocklist comes from

Domain reference data comes from ThreatFox and URLhaus, both operated by abuse.ch, a well-established nonprofit research project at Bern University of Applied Sciences. Ad and tracker filtering uses curated community lists, including Steven Black's unified hosts — the same lists that power Pi-hole installations worldwide. All lists are downloaded periodically and stored locally. During downloads, no user data is sent — it's a one-way fetch of public datasets.
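The lookup-and-block step described above, together with loading a hosts-format list such as the ones named here, as an added example that is not HomeFront's code. It assumes exact-name matching and a plain single-question DNS query; the hosts entries and the query bytes are constructed.

```python
import struct

def parse_hosts(text):
    """Hosts-format list ("0.0.0.0 name") -> set of normalised domain names."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            names.update(f.lower().rstrip(".") for f in fields[1:])
    return names - {"localhost", "localhost.localdomain", "0.0.0.0"}

def question(packet):
    """Return (name, end offset) of the first question in a DNS query."""
    if len(packet) < 17:
        raise ValueError("too short for a DNS query")
    labels, pos = [], 12                            # header is 12 bytes
    while packet[pos] != 0:
        n = packet[pos]
        if n > 63 or pos + 1 + n >= len(packet):
            raise ValueError("bad label")
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    if pos + 5 > len(packet):
        raise ValueError("truncated question")
    return ".".join(labels), pos + 5                # root byte + QTYPE + QCLASS

def filter_query(packet, blocked):
    """NXDOMAIN reply bytes for a blocked name, or None to let the query through."""
    name, end = question(packet)
    if name not in blocked:
        return None
    ident, flags = struct.unpack("!HH", packet[:4])
    reply_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 3   # QR, copy RD, RA, RCODE=3
    return struct.pack("!HHHHHH", ident, reply_flags, 1, 0, 0, 0) + packet[12:end]

def build_query(name, ident=0x1234):
    """Constructed A-record query used as sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00\x00\x01\x00\x01")

SAMPLE_HOSTS = """# constructed sample in hosts format
127.0.0.1 localhost
0.0.0.0 evil-site.com
0.0.0.0 tracker.example  # inline comment
"""

if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    print(filter_query(build_query("evil-site.com"), blocked).hex())
```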

Breach Monitor

Mac + iPhone

Checks whether your passwords have appeared in known data breaches. Your actual password never leaves your device.

This is the feature people are most skeptical about, and rightly so. "I have to give you my password to check if it's been breached?" No. Here's exactly what happens:

Password hashed locally (SHA-1) → First 5 chars sent to HIBP → Match checked locally

This is called k-anonymity. Your password is hashed with SHA-1 on your device. Only the first 5 characters of that hash (out of 40) are sent to the Have I Been Pwned API. HIBP returns all known breach hashes that start with those 5 characters — typically about 500 results. Your device then checks locally whether any of those match your full hash.

HIBP never sees your password, never sees your full hash, and can't determine which of the 500 returned hashes you were looking for. This is the same protocol used by 1Password, Firefox Monitor, and Apple's own built-in password monitoring.
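The exchange described above, as an added example that is not HomeFront's code. The offline server stand-in, its decoy rows and the count of 42 are constructed; fetch_live shows the real range endpoint but is not called by the demo.

```python
import hashlib
import urllib.request

def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            found[suffix.upper()] = int(count)
    return found

def breach_count(password, fetch_range):
    """Times the password appears in the returned range; 0 means no match."""
    prefix, suffix = split_hash(password)
    candidates = parse_range(fetch_range(prefix))   # only the prefix is sent
    return candidates.get(suffix, 0)                # full-hash comparison stays local

def fetch_live(prefix):
    """Network lookup against the range endpoint; the offline demo does not call it."""
    request = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "k-anonymity-example", "Add-Padding": "true"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")

def constructed_server():
    """Offline stand-in: returns (fetch function, list of prefixes it received)."""
    received = []
    prefix_known, suffix_known = split_hash("password")
    decoy = hashlib.sha1(b"constructed decoy").hexdigest().upper()[5:]
    def fetch(prefix):
        received.append(prefix)
        rows = [decoy + ":7", "0" * 35 + ":0"]      # a decoy row and a padding row
        if prefix == prefix_known:
            rows.append(suffix_known + ":42")       # constructed count
        return "\r\n".join(rows) + "\r\n"
    return fetch, received

if __name__ == "__main__":
    fetch, received = constructed_server()
    print(breach_count("password", fetch), received)
```

The list of received prefixes is everything the server side learns about the password being checked.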

What about email breach checking?

Email breach checking uses the HIBP breached account API. Unlike password checking, this does send your email address to HIBP (there's no k-anonymity protocol for emails). HIBP's privacy policy states they don't log or store searched email addresses. We trust this — Troy Hunt (HIBP's creator) has a strong track record — but we want you to know exactly what's happening.

File Integrity Monitoring

macOS

Watches critical system directories for unauthorized changes. If something is added, modified, or removed where it shouldn't be, you'll know.

HomeFront monitors directories where unexpected changes most commonly indicate problems:

Monitoring uses macOS's FSEvents API — the same system that powers Spotlight indexing and Time Machine. It's efficient, battery-friendly, and doesn't require polling or elevated privileges.

Network traffic

None. File monitoring is entirely local. Events are stored in the app's sandboxed container and displayed in the dashboard.

Privacy Audit

Mac + iPhone

Shows exactly which apps have access to your camera, microphone, location, contacts, calendar, and files.

On iOS, HomeFront reads the system's privacy authorization status for each protected resource. It tells you which permissions are granted, which are denied, and which have never been requested. No data is collected — it's reading the same information you'd find in Settings > Privacy & Security, just organized in a more useful way.

On macOS, it reads the TCC (Transparency, Consent, and Control) database and system preferences to show which applications have been granted access to sensitive resources.

Network traffic

None. Privacy audit reads local system state only.

Complete Network Summary

Here is every network connection HomeFront makes. There are no others.

| Destination | What's Sent | When |
|---|---|---|
| api.pwnedpasswords.com | First 5 chars of SHA-1 hash | When you check a password |
| haveibeenpwned.com | Email address | When you check an email for breaches |
| threatfox.abuse.ch | Nothing (download only) | Periodic blocklist updates |
| urlhaus.abuse.ch | Nothing (download only) | Periodic blocklist updates |
| raw.githubusercontent.com | Nothing (download only) | Ad/tracker blocklist updates |
| pgl.yoyo.org | Nothing (download only) | Ad server blocklist updates |

No analytics. No crash reports. No device fingerprinting. No advertising identifiers. If you run tcpdump while HomeFront is idle, you'll see zero network activity.

Code Scanner (Coming Soon)

macOS

The planned macOS code scanner will let you point HomeFront at a project directory and review high-signal risks in AI-assisted code without uploading your source.

AI coding assistants are fast. They are also rather democratic about repeating the same mistakes. The planned scanner focuses on three categories first:

The intended workflow is straightforward: select a directory with the standard file picker, let HomeFront read local files, run pattern matching on-device, and present findings in the same dashboard used for device health monitoring. No file contents are meant to be uploaded, transmitted, or logged anywhere.

Network traffic

None. Code scanning is entirely local. File contents never leave your Mac.