Security


SensorTower takes security and confidentiality seriously. Although most of the data aggregated and curated by our services comes from public channels, any sensitive data or credentials that we do collect are collected transparently, with proper permissions, and are secured in the most responsible manner. The purpose of this page is to explain our general security policies and to highlight the measures we put in place to secure such data.

Have a question about something that's not covered here? Send us an email at support@sensortower.com and we will be glad to answer it.


Where does SensorTower run?

SensorTower servers run as a web application on third-party cloud platforms. Currently, the cloud service provider used by SensorTower is Amazon Web Services (AWS). We may use other cloud providers in the future if they meet our security and availability needs.

SensorTower exchanges data with our users over a secure TLS connection, and the public-facing web application runs on HTTPS. The internal connections between our various servers and databases are also encrypted and secured via various standard methods.

What data does SensorTower store?

SensorTower collects the vast majority of its data through public access channels - primarily from the App Store and Google Play. Additionally, for customers who optionally grant explicit permission via Sensor Tower’s App Store Intelligence Dashboard, SensorTower will collect sales and marketing data for your apps from iTunes Connect, Google Play or other analytics providers for whom you specifically grant us access. Doing so requires that we log in or connect to these services and retrieve the data over a secure connection. To collect this data, Sensor Tower may store an access token or username and password for those services, based on information that you optionally provide to us.

How is secure data stored?

SensorTower stores all sensitive data in a secure and encrypted format, using the AES-256 encryption algorithm (the same algorithm that the National Institute of Standards and Technology recommends for encrypting Top Secret US Government data). Additionally, the passwords you create to log in to your SensorTower account are encrypted via the bcrypt algorithm. We do not write or modify the cryptographic software but instead use thoroughly vetted and tested open source libraries. The data is stored only with our cloud providers and is backed up in encrypted form.

How is secure data decrypted?

We only decrypt the data when we need to get the download or revenue numbers for your app. Only a small and thoroughly secured set of computers have the keys to decrypt the data. The keys are not stored or checked in with the source code but instead are stored as a runtime configuration.

The computers that are able to decrypt the sensitive data are not public-facing servers; they're not connected to the Internet but instead are only accessed through secure and encrypted calls. This means that even if SensorTower's public-facing web servers are attacked, the keys necessary for decryption would not be compromised.

The computers that collect the download data for you are configured in such a way that they never save the sensitive decrypted data to the disk or log it in any capacity. Whenever we collect the download or revenue data for you, we make sure that the external servers' certificates are verified.

Is the data available to SensorTower employees?

Because of the configuration of our system architecture, it is theoretically possible for a SensorTower employee to gain access to secure data. However, as a matter of policy, access to this data is forbidden. We have internal controls to make sure this data is not accessed outside of the scheduled download checks. Furthermore, access to the servers that contain the keys necessary to decrypt the data is limited to a small subset of SensorTower employees for whom this access is absolutely necessary. All access is logged and regularly audited.

How does SensorTower protect itself from external attackers?

The web servers that SensorTower is running on are built using a modern web framework designed with security in mind. We follow best security practices, keep up to date with bugs and security patches and apply security updates to our systems in a very prompt manner. We have tools in place to detect abnormal behavior and have an internal security team responsible for keeping our security up to date. Furthermore, we regularly run tests and security audits on our systems and work with external security firms to ensure that our systems are thoroughly secured.

How are payments processed?

We have a secure method of payment implemented on our site: credit card payments via Stripe. We never collect your credit card information but instead securely pass the information to the payment provider. We cannot access your credit card information as it is securely sent to our payment provider without passing through our server.

What can I do to ensure the security of my Google Play or iTunes Connect account?

For customers who optionally choose to integrate the SensorTower App Intelligence Platform with their iTunes Connect or Google Play services, we advise that they create a separate iTunes Connect or Google Play account for SensorTower with permissions set to only view relevant revenue and download data.

Disclosure

We investigate and act on all security issues. If you believe you've found a bug in SensorTower's security, get in touch with us at security@sensortower.com. You can optionally use our PGP key. We request that you do not publicly disclose the issue until it's been addressed by SensorTower.

Our PGP key is below. Learn more about PGP at GPG.

Key fingerprint: 4E03 1B4E 1C3B 0EB1 2B9B B9BC ECD5 30AE E9EC 214F

Key size: 2048

Key ID: E9EC214F


Date of Last Update. This page was last updated on Mar 12, 2015.