ToneGet needs your Tonal login credentials to access your workout data. Here's exactly what happens:
- ✅ Send your credentials directly to Tonal's Auth0 authentication servers via HTTPS
- ✅ Use the same OAuth2 flow that Tonal's official mobile app uses
- ✅ Discard your password from memory immediately after authentication
- ✅ Use TLS/HTTPS for all network communication
- ❌ Store your password anywhere
- ❌ Log your credentials
- ❌ Send your credentials to any server other than Tonal's
- ❌ Save authentication tokens between sessions
- ❌ Include any analytics, telemetry, or tracking
- ❌ Phone home to any servers
The entire codebase is open source. You can verify:

Check `sync_workouts.py` and search for `authenticate`. You'll see credentials go directly to tonal.auth0.com:

```python
response = requests.post(
    f"https://{AUTH0_DOMAIN}/oauth/token",
    json={...}
)
```

Check `desktop-app/src-tauri/src/main.rs` - the same pattern. All network requests go only to:
- tonal.auth0.com (authentication)
- api.tonal.com (data download)
Use a tool like Wireshark, Charles Proxy, or mitmproxy to verify the only external connections are to Tonal's servers.
The Tauri-based desktop app has additional security considerations:
The app restricts what resources can be loaded:
```
default-src 'self'; connect-src https://tonal.auth0.com https://api.tonal.com
```
This means the app can ONLY connect to Tonal's servers - no other external connections are possible.
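As an added example (not code from the ToneGet project), here is a small Python checker that parses the policy above, tests whether a given URL would be permitted by its `connect-src`, and flags any connection seen in a proxy capture (the Wireshark/mitmproxy check mentioned earlier) that falls outside it. The sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed input: the connect-src policy quoted above for the desktop app.
TONEGET_CSP = "default-src 'self'; connect-src https://tonal.auth0.com https://api.tonal.com"


def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def connect_allowed(policy, url):
    """Return True if a fetch/XHR from the webview to `url` passes `policy`.

    connect-src falls back to default-src when absent. 'self' never matches
    here because the webview's own origin is not a Tonal host. Scheme-less
    sources match either http or https; an explicit port must match exactly.
    """
    sources = parse_csp(policy)
    allowed = sources.get("connect-src", sources.get("default-src", []))
    target = urlsplit(url)
    if not target.hostname:
        return False
    for src in allowed:
        if src.startswith("'"):          # keyword source: 'self', 'none', ...
            continue
        if src == "*":
            return True
        s = urlsplit(src if "://" in src else "//" + src)
        scheme_ok = not s.scheme or s.scheme == target.scheme
        host = (s.hostname or "").lower()
        if host.startswith("*."):        # wildcard subdomain, e.g. *.tonal.com
            host_ok = target.hostname.endswith(host[1:])
        else:                            # exact host match only (no suffix tricks)
            host_ok = target.hostname == host
        port_ok = s.port is None or s.port == target.port
        if scheme_ok and host_ok and port_ok:
            return True
    return False


def unexpected_connections(policy, observed_urls):
    """Given URLs seen in a proxy capture, return those the CSP would not permit."""
    return [u for u in observed_urls if not connect_allowed(policy, u)]
```

Note that CSP governs only the webview; requests made from the Rust side with reqwest are not subject to it, which is why the proxy check is still worth running against the whole app.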
The app can only write files to your Downloads, Documents, or Desktop folders (where you choose to save the export).
The app doesn't run in the background or auto-start. It only runs when you explicitly open it.
If you find a security vulnerability:
- DO NOT open a public issue
- Email the maintainer directly (see profile)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
We'll respond within 48 hours and work with you on a fix.
Recommendations for users:
- Use a strong, unique password for your Tonal account
- Download only from official sources - GitHub releases or building from source
- Verify checksums if provided with releases
- Review the code before running if you're security-conscious
- Don't share your export files publicly (they contain personal data)
- Store exports securely - they contain your workout history
Python script (`sync_workouts.py`):

| Package | Purpose | Risk Level |
|---|---|---|
| requests | HTTP client | Low - widely audited |

Desktop app:

| Package | Purpose | Risk Level |
|---|---|---|
| Tauri | Desktop framework | Low - security-focused framework |
| reqwest | Rust HTTP client | Low - widely used |
| React | UI framework | Low - widely audited |
We intentionally minimize dependencies to reduce attack surface.
The desktop app is not code-signed (this would cost ~$100-400/year). This means:
- macOS: You'll see "can't be opened because Apple cannot check it for malicious software"
- Windows: You'll see "Windows protected your PC" from SmartScreen
This is expected for open-source apps distributed outside app stores. You can:
- Verify the source code yourself
- Build from source if you prefer
- Use the Python script instead (no signing required)
See the README for instructions on bypassing these warnings.