Skip to content
pairy
PrivacyTermsDeletionSupport

Security

Trust is part of the product.

Pairy connects a phone to a developer's Mac, so authentication, least privilege, and careful handling of screen and input data are core design requirements.

Updated 15 July 2026

Security model

  • Explicit pairing: a phone must establish trust with the Mac before it can control a Simulator.
  • Credential isolation: raw pairing credentials are stored in Apple Keychain; the remote control plane stores one-way hashes rather than raw credentials.
  • Encrypted transport: nearby sessions use local TLS and remote sessions use encrypted WebRTC transport.
  • Scoped remote access: short-lived, role-scoped session credentials separate Mac and phone capabilities.
  • Local captures: screenshots and notes remain on the user's devices unless the user deliberately exports or shares them.
  • No relay recording: Pairy does not configure LiveKit Cloud to record Simulator media.
  • Revocation: users can remove trusted phones, disable Remote, or reset Pairy identity.

Report a vulnerability

Email [email protected] with a clear description, affected version or URL, impact, and safe reproduction steps. If sensitive material is involved, send the smallest redacted example necessary and ask for a safer transfer method before attaching secrets or private customer data.

Pairy will acknowledge good-faith reports as capacity allows, investigate, keep you informed of meaningful progress, and credit researchers when desired and appropriate. Pairy does not currently operate a paid bug-bounty program.

Good-faith research

Please test only accounts and devices you own or have explicit permission to use. Avoid privacy violations, persistence, social engineering, denial of service, destructive actions, and access to another person's content. Stop and report if you encounter personal data, credentials, or a path to real-user impact.

Not security issues

Missing product features, support questions, self-XSS without a victim, automated scanner output without demonstrated impact, and attacks that require already-compromised administrator access are generally not vulnerability reports. Send ordinary bugs to [email protected].

Security and privacy

Security telemetry is intentionally limited. Pairy's control plane and logs must not contain screen pixels, captures, note text, typed text, clipboard contents, pairing QR payloads, access tokens, or encryption keys. See the Privacy Policy for the complete data-handling explanation.

© 2026 Pairy
HomePrivacyTermsSupport