Last Updated: December 12th 2018.
TLS Inspector is a privacy-focused tool that puts users safety first. TLS Inspector is designed to protect users privacy, and therefor extreme care is taken to ensure that information collected by the app is not disclosed or shared except for normal operation of the app.
- We never collect personal information about you or your device.
- We never share the websites you inspect using the app.
When you inspect a website with TLS Inspector the app connects directly to the website to collect certificate and other security information. The collection of certificate information happens on your device at the time you inspect the website. With the exception of the certificate status we do not contact any third party services for information about the website you inspect.
Recently Inspected Domains
Starting with TLS Inspector 1.2 the app will remember the last 5 recently inspected domains on your device for easy re-inspection. This feature stores the last 5 domains locally on your device, and does not sync or otherwise share this list anywhere else. If desired, this feature can be disabled from the application settings. Individual sites can be removed from the list by swiping to the left on a site, and tapping "Delete".
Starting with TLS Inspector 1.7.0 the app will perform a Online Certificate Status Protocol (OCSP) query to check if the certificate used by a website has been revoked. The authority that responds to these queries is defined in a certificate, and is typically the authority who issued the certificate. To accomplish this, we send the SHA-1 fingerprint of the certificate we're checking to the OCSP responder and they indicate the status of that certificate. That does mean that because of this request, the OCSP responder may be able to identify the website you're inspecting, depending on the certificate.
We believe that this poses little danger, however understand that some users may not want this. Automatic OCSP querying can be disabled in the Application Settings, however your device may still perform OCSP queries which is beyond our control.
Since the first release of TLS Inspector the app can download a file that contains revoked certificates known as a Certificate Revocation List (CRL). These list typically contain many certificates, however, like with OCSP CRLs could potentially be used to identify a website you're inspecting. Since TLS Inspector 1.7.0 automatic CRL downloading is disabled by default.
Starting with TLS Inspector 1.7.0 the app will now keep a small amount of error information in text files known as "logs". These files are typically empty, but contain information if the application quits unexpectedly (known as a crash). In the event of a crash, the application will save information about what happened at the time the app crashed so we can prevent the issue from happening again.
In the event that you're having difficulties using TLS Inspector due to a problem, we may ask that you enable "Debug Logging". When enabled, the app records more information about what the app is doing so we can better identify potential issues. The information included in this log doesn't include any personal information such as your name or phone number, but does include the domains you inspect using the app while debug logging is enabled. As a precaution, debug logging will automatically be disabled each time the app starts.
These log files are stored locally on your device, and are never automatically shared with anybody without your explicit action & consent.
TestFlight Beta Applications
Beta applications are releases that are meant for testing purposes. These releases may contain software faults or other problems. In order for provide users with a reliable service, we release these builds to select users in order to catch these problems before we release the application to the public. While rare, these software faults may include privacy related vulnerabilities that can potentially put your information at risk. Users who agree to sign up for TestFlight builds agree to accept this risk.
If you choose to participate in TestFlight Beta Testing, you must sign up through the Apple operated TestFlight service. Your Apple ID is associated with your TestFlight participation, but is not made visible to us. Only an aggregate count of users who have signed up for beta versions of TLS Inspector, and the number of times the application has crashed is provided by Apple to us.
Beta applications are distributed using the TestFlight service provided by Apple. This first-party service is tied to your Apple ID and the software is sent to your device using the TestFlight app. When you subscribe to TLS Inspector beta builds though TestFlight, analytical information about the status of the test is provided to Apple and to us. This information includes if you have installed a beta version of TLS Inspector, which version of TLS Inspector you have installed, and how many (if applicable) times the beta application has crashed. No other information is collected no shared with us, including information within the application such as (but not limited to) the websites you inspect.
Questions or Comments
You may email us with any questions or concerns using this address.