OXYGENE handles files on your Mac: caches, preferences, trash, app data. That requires impeccable security. This page details how the application is signed, what it does (and especially what it doesn't do) with your data, and how to report a vulnerability.

Table of contents

  1. Apple signing and notarization
  2. Verify the signature yourself
  3. What OXYGENE does (and doesn't) with your data
  4. macOS permissions requested
  5. Shredder and secure deletion
  6. Updates and integrity
  7. Responsible disclosure (informal bug bounty)
  8. Security contact

Apple signing and notarization

OXYGENE is signed with an Apple Developer ID certificate and notarized by Apple for every release. This means Apple has analyzed the binary for known malicious components before macOS allows it to run on your Mac.

🍎

Developer ID signed

Each build is signed with our Developer ID Application certificate (Team ID BC39KJ9KQ3).

📜

Apple notarized

The DMG and the app go through Apple's notarization service before release. macOS refuses to run a non-notarized build.

🛡️

Hardened Runtime

Hardened Runtime is enabled: the system blocks third-party code injection, debugger attachment at runtime, and the loading of unsigned libraries.

🆔

Unique Bundle ID

com.oxygene-app.oxygene — no other app can spoof our identifier without a fresh Apple notarization.

Verify the signature yourself

You can verify in 10 seconds that your copy of OXYGENE is really ours and hasn't been tampered with, via Terminal:

    # Verify the app's signature
    codesign --verify --deep --strict --verbose=2 /Applications/OXYGENE.app

    # Verify macOS sees it as notarized
    spctl -a -vvv -t execute /Applications/OXYGENE.app

    # Show the Team ID and signing authority
    codesign -dv --verbose=4 /Applications/OXYGENE.app 2>&1 | grep -E "Team|Authority"

The Team ID returned must be BC39KJ9KQ3. If not, do not run the application and contact us at security@oxygene-app.com.
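
For scripted checks (for example across several Macs), the comparison above can be automated. The following is an added example, not OXYGENE's own code: it runs the same three commands and fails unless the TeamIdentifier field exactly equals the Team ID stated on this page. The function names, the script file name and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not vendor code): scripted form of the manual check above.
EXPECTED_TEAM_ID="BC39KJ9KQ3"   # Team ID stated on this page

# Read `codesign -dv` output on stdin, print the TeamIdentifier value.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Exact string match: rejects empty, "not set" (unsigned/ad hoc) and other IDs.
team_id_matches() {
    [ -n "$1" ] && [ "$1" = "$EXPECTED_TEAM_ID" ]
}

# Run all three checks against a bundle path; macOS only.
verify_app() {
    app="$1"
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found; run on macOS" >&2; return 2; }
    codesign --verify --deep --strict "$app" 2>/dev/null \
        || { echo "FAIL: signature invalid or bundle modified" >&2; return 1; }
    spctl -a -t execute "$app" 2>/dev/null \
        || { echo "FAIL: rejected by Gatekeeper assessment" >&2; return 1; }
    team=$(codesign -dv --verbose=4 "$app" 2>&1 | extract_team_id)
    team_id_matches "$team" \
        || { echo "FAIL: Team ID '$team', expected $EXPECTED_TEAM_ID" >&2; return 1; }
    echo "OK: $app is signed by Team ID $team"
}

# Constructed sample of `codesign -dv --verbose=4` output (publisher name is a
# placeholder), so the parser can be exercised without a Mac.
sample_output() {
    cat <<'EOF'
Identifier=com.oxygene-app.oxygene
Authority=Developer ID Application: Example Publisher (BC39KJ9KQ3)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=BC39KJ9KQ3
EOF
}

# Usage: sh verify_oxygene.sh /Applications/OXYGENE.app
if [ "$#" -gt 0 ]; then
    verify_app "$1"
fi
```

A non-zero exit status means at least one check failed; the message on stderr says which one.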

What OXYGENE does (and doesn't)

OXYGENE is designed to operate locally. No analysis of your files is sent to our servers.

What OXYGENE does

  • Locally scans caches, logs and temporary files on your disk
  • Detects uninstallable applications and their orphan files
  • Maps disk usage without transmitting the listing
  • Deletes the files you select, after confirmation
  • Enables anti-malware protection using public YARA signatures
  • Sends to our server only your email address (for the license) and the installed version number (for updates)

What OXYGENE does NOT do

  • Never sends the contents of your files remotely
  • Never sends the list of your files, applications or folders
  • Does not read your email, Messages, Photos, or iCloud data
  • Does not delete anything automatically without your explicit action
  • Does not contain a cryptocurrency miner, adware or third-party tracker
  • Does not install kernel extensions or unsigned system daemons

macOS permissions requested

OXYGENE asks for only the permissions strictly needed. Each is requested by the system on first use of a feature:

You can revoke any of these permissions at any time under System Settings → Privacy & Security. OXYGENE will clearly indicate which functions become unavailable.

Shredder and secure deletion

OXYGENE's file shredder permanently deletes a file by overwriting its contents before logical deletion, making recovery by classic tools extremely difficult on a hard drive (HDD).

About SSDs. On an SSD (all recent Macs), the storage controller distributes writes and the APFS file system uses TRIM. Logical overwrite alone does not guarantee physical destruction of data on an SSD — that's a hardware limitation, not a software one. For truly unrecoverable destruction on an SSD, encrypt your disk with FileVault (enabled by default); losing the key makes the data inaccessible.

Updates and integrity

OXYGENE checks for available updates by querying a signed JSON file on our server (https://oxygene-app.com/update.json). The download is HTTPS-only. Each update is signed and notarized; macOS automatically refuses to install a tampered build or one from an unknown publisher.

You can disable automatic update checks under Settings → Updates. In that case, you remain responsible for manually installing security patches.

Responsible disclosure

If you discover a security vulnerability in OXYGENE, we are grateful and ask that you report it responsibly before any public disclosure.

To report:

Out of scope: form spam, absence of non-critical headers, attacks requiring physical access to the Mac, volumetric DoS. We prioritize RCE, privilege escalation, data exfiltration and signature bypass.

Security contact

🔐

Report a vulnerability

Technical report, vulnerability, proof of concept.

security@oxygene-app.com
🛟

Technical support

Issue not related to security.

support@oxygene-app.com
🔒

Privacy & GDPR/CCPA

Access, rectification, erasure rights.

privacy@oxygene-app.com