Security Score

Mac + iPhone

A single number that tells you how well your device is configured for security. Not a guess — a weighted assessment of real system settings.

On macOS, HomeFront checks: Is the firewall enabled? Is FileVault (full-disk encryption) turned on? Is System Integrity Protection active? Is Gatekeeper enforcing app signatures? Is automatic updating enabled? Is the screen lock configured with a reasonable timeout?

On iOS, it checks: Is a passcode set? Is the device on the latest OS version? Is the device jailbroken? Is DNS filtering active?

Each check has a weight based on how much it affects your actual security posture. FileVault matters more than screen lock timeout. The weights produce a score from 0 to 100, mapped to a letter grade.

How it checks (macOS)

System checks run via Process calls to built-in macOS commands: spctl --status for Gatekeeper, fdesetup status for FileVault, csrutil status for SIP, defaults read for firewall and auto-update. These are the same commands an IT admin would run in Terminal. No kernel extensions, no elevated privileges beyond what the app sandbox allows.
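An added example (not HomeFront's own code) of turning the output of those commands into a weighted score and letter grade. The weights and grade cut-offs are assumptions, since the page does not publish them; the sample outputs are constructed, and the screen-lock check is left out because no command is named for it.

```python
# Assumed weights and grade cut-offs (hypothetical; not taken from HomeFront).
WEIGHTS = {"filevault": 30, "sip": 25, "gatekeeper": 20,
           "firewall": 15, "auto_update": 10}
GRADES = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]

# Text that means "enabled" in each command's output (compared in lowercase).
ENABLED_MARKERS = {
    "gatekeeper": "assessments enabled",                    # spctl --status
    "filevault": "filevault is on",                         # fdesetup status
    "sip": "system integrity protection status: enabled",   # csrutil status
}

def is_enabled(check, output):
    """Fail closed: anything other than a recognised 'enabled' answer is off."""
    text = output.strip().lower()
    if check in ENABLED_MARKERS:
        return ENABLED_MARKERS[check] in text
    # `defaults read` prints a bare integer; assumed here that non-zero means on.
    return text.isdigit() and int(text) != 0

def score(outputs):
    """outputs maps check name -> captured stdout. Returns (score, grade, failed)."""
    failed = [name for name in WEIGHTS
              if not is_enabled(name, outputs.get(name, ""))]
    earned = sum(w for name, w in WEIGHTS.items() if name not in failed)
    total = round(100 * earned / sum(WEIGHTS.values()))
    grade = next(g for floor, g in GRADES if total >= floor)
    return total, grade, failed

# Constructed sample: everything on except SIP, which reports a custom state.
CONSTRUCTED_OUTPUTS = {
    "gatekeeper": "assessments enabled\n",
    "filevault": "FileVault is On.\n",
    "sip": "System Integrity Protection status: unknown (Custom Configuration).\n",
    "firewall": "1\n",
    "auto_update": "1\n",
}

if __name__ == "__main__":
    print(score(CONSTRUCTED_OUTPUTS))
```

A check whose output is missing or unrecognised counts as failed, so a partially disabled SIP configuration lowers the score instead of being treated as enabled.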

Network traffic

None. All checks read local system state. Nothing leaves your device.

DNS Threat Blocking

Mac + iPhone

Blocks connections to known malicious, phishing, tracking, and advertising domains before they load. Works in every app — Safari, Chrome, Facebook, TikTok, games. No VPN tunnel. No proxy server. No middleman.

When any app on your device tries to connect to a domain, it first needs to resolve that domain name to an IP address via DNS. HomeFront intercepts this step at the system level. If the domain appears on the local blocklist — whether it's a malware server, a phishing site, an ad network, or a tracker — HomeFront returns a "does not exist" response, and the connection never happens. This works in every app, not just your browser.

App requests evil-site.com -> HomeFront checks local blocklist -> Domain blocked (NXDOMAIN)
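The lookup-and-NXDOMAIN step described above, as an added example that is not HomeFront's own code. It assumes a hosts-format blocklist and exact-name matching; the blocklist text and the query packet are constructed, and the function names are hypothetical.

```python
import struct

def load_hosts_blocklist(text):
    """Parse hosts-format lines ('0.0.0.0 name') into a set of lowercase names."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()       # drop comments
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.add(fields[1].lower().rstrip("."))
    return blocked - {"localhost"}

def read_qname(packet):
    """Return (name, offset just past QNAME) for the first question."""
    labels, pos = [], 12                             # DNS header is 12 bytes
    while True:
        length = packet[pos]
        if length == 0:
            return ".".join(labels).lower(), pos + 1
        if length > 63:                              # not a plain label
            raise ValueError("unexpected label type in query")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def filter_query(packet, blocked):
    """Return an NXDOMAIN reply for a blocked name, or None to pass the query on."""
    name, end = read_qname(packet)
    if name not in blocked:
        return None
    txid, flags = struct.unpack("!HH", packet[:4])
    # QR=1 (response), keep opcode and RD from the query, RA=1, RCODE=3 (NXDOMAIN)
    reply_flags = 0x8000 | (flags & 0x7900) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    return header + packet[12:end + 4]               # echo QNAME + QTYPE + QCLASS

def build_query(name, txid=0x1234):
    """Constructed input: a standard A-record query with recursion desired."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# Constructed hosts-format sample, not a real list.
CONSTRUCTED_HOSTS = """# sample blocklist
127.0.0.1 localhost
0.0.0.0 evil-site.com
0.0.0.0 tracker.example   # inline comment
"""

if __name__ == "__main__":
    blocked = load_hosts_blocklist(CONSTRUCTED_HOSTS)
    print(filter_query(build_query("Evil-Site.com"), blocked).hex())
```

Names are lowercased before the lookup, so a mixed-case query for the same domain is still matched.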

On iOS, this uses Apple's NEPacketTunnelProvider API — a Network Extension that intercepts DNS packets at the system level. It looks like a VPN in Settings because Apple uses that UI for all network extensions, but no traffic is tunneled anywhere. Your regular internet connection is untouched.

On macOS, DNS filtering works through system-level DNS configuration. Safari also gets an additional layer via a Content Blocker extension that uses WebKit's built-in content blocking rules.

Where the blocklist comes from

Security threat indicators come from ThreatFox and URLhaus, both operated by abuse.ch, a well-established nonprofit security project. Ad and tracker blocking uses curated community blocklists, including Steven Black's unified hosts — the same lists that power Pi-hole installations worldwide. All lists are downloaded periodically and stored locally. During downloads, no user data is sent — it's a one-way fetch of public datasets.

Breach Monitor

Mac + iPhone

Checks whether your passwords have appeared in known data breaches. Your actual password never leaves your device.

This is the feature people are most skeptical about, and rightly so. "I have to give you my password to check if it's been breached?" No. Here's exactly what happens:

Password hashed locally (SHA-1) -> First 5 chars sent to HIBP -> Match checked locally

This is called k-anonymity. Your password is hashed with SHA-1 on your device. Only the first 5 characters of that hash (out of 40) are sent to the Have I Been Pwned API. HIBP returns all known breach hashes that start with those 5 characters — typically about 500 results. Your device then checks locally whether any of those match your full hash.

HIBP never sees your password, never sees your full hash, and can't determine which of the 500 returned hashes you were looking for. This is the same protocol used by 1Password, Firefox Monitor, and Apple's own built-in password monitoring.
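The exchange described above, as an added example that is not HomeFront's own code. The server side is a constructed stand-in so the example runs offline; `fake_fetch_range` and the counts it returns are made up, and the 'SUFFIX:COUNT' line format is the one the Pwned Passwords range endpoint uses.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            found[suffix.upper()] = int(count)      # malformed lines are ignored
    return found

def breach_count(password, fetch_range):
    """Return how often the password appears in the returned set; 0 = not found."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)          # the only value that leaves the device
    return parse_range(body).get(suffix, 0)         # match is decided locally

# --- Constructed stand-in for the range endpoint ---
SENT = []                               # everything the "server" was shown

def fake_fetch_range(prefix):
    """Return the same constructed bucket for any prefix (counts are made up)."""
    SENT.append(prefix)
    _, known_suffix = split_hash("password")
    lines = ["0" * 35 + ":3", known_suffix + ":12345", "not-a-valid-line"]
    return "\r\n".join(lines)

if __name__ == "__main__":
    print(breach_count("password", fake_fetch_range))   # found in the bucket
    print(SENT)                                         # only the 5-char prefix
```

Replacing `fake_fetch_range` with a real HTTPS request for the prefix is the only change needed to query the live service; the comparison against the full hash stays on the device either way.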

What about email breach checking?

Email breach checking uses the HIBP breached account API. Unlike password checking, this does send your email address to HIBP (there's no k-anonymity protocol for emails). HIBP's privacy policy states they don't log or store searched email addresses. We trust this — Troy Hunt (HIBP's creator) has a strong track record — but we want you to know exactly what's happening.

File Integrity Monitoring

macOS

Watches critical system directories for unauthorized changes. If something is added, modified, or removed where it shouldn't be, you'll know.

HomeFront monitors directories that malware and unauthorized software commonly target:

Monitoring uses macOS's FSEvents API — the same system that powers Spotlight indexing and Time Machine. It's efficient, battery-friendly, and doesn't require polling or elevated privileges.

Network traffic

None. File monitoring is entirely local. Events are stored in the app's sandboxed container and displayed in the dashboard.

Privacy Audit

Mac + iPhone

Shows exactly which apps have access to your camera, microphone, location, contacts, calendar, and files.

On iOS, HomeFront reads the system's privacy authorization status for each protected resource. It tells you which permissions are granted, which are denied, and which have never been requested. No data is collected — it's reading the same information you'd find in Settings > Privacy & Security, just organized in a more useful way.

On macOS, it reads the TCC (Transparency, Consent, and Control) database and system preferences to show which applications have been granted access to sensitive resources.

Network traffic

None. Privacy audit reads local system state only.

Complete Network Summary

Here is every network connection HomeFront makes. There are no others.

| Destination | What's Sent | When |
|---|---|---|
| api.pwnedpasswords.com | First 5 chars of SHA-1 hash | When you check a password |
| haveibeenpwned.com | Email address | When you check an email for breaches |
| threatfox.abuse.ch | Nothing (download only) | Periodic blocklist updates |
| urlhaus.abuse.ch | Nothing (download only) | Periodic blocklist updates |
| raw.githubusercontent.com | Nothing (download only) | Ad/tracker blocklist updates |
| pgl.yoyo.org | Nothing (download only) | Ad server blocklist updates |

No analytics. No crash reports. No device fingerprinting. No advertising identifiers. If you run tcpdump while HomeFront is idle, you'll see zero network activity.