When using Buildozer you trust us with your code and development certificates, so we want to say a few words about our security measures.
We do not keep a copy of your code. We keep track of the latest commit hash (git) or revision number (svn) to see if we need to build a new version of your app. To build the app, we fetch the code on one of the build servers, process it, build the app and toss the code again.
To check out your source code, we need access to your repository. We support both username/password login and SSH keys ('Deploy Keys' as Github calls these). We recommend you create a specific user or keypair for buildozer in your source control repository that has only the access we need to fetch your code. (GitHub calls this a 'machine user'). The SSH key and/or password are stored using an asymmetric encryption method using a public key. Only the build server has the private key and uses this to decrypt the credentials when it needs to access your repository.
Builds are executed on a build server in a sandboxed environment, so that any build scripts can not harm our system. Note: The sandbox puts some limitations on what a build can or cannot do (if you have very specific build phases, e.g. using custom shell scripts, contact us so we can verify if we are able to build your app).
When you upload a .p12 containing a signing certificate (iOS, OSX) or a Java KeyStore (Android) we use the passphrase you supply to decrypt it. We do not store the passphrase. We encrypt the certificate using an asymmetric encryption method using a public key and store the encrypted version in our database. The build server uses a private key (that is only present on the build server) to decrypt the certificate when it needs to sign your application. The decrypted certificate is removed as soon as the signing is done.
Once your build is created, we store the application in a secured Amazon S3 bucket. Only your testers and developers have access to the builds; we require everyone that needs access to log in to Buildozer first. (Note: if you deploy to TestFlight or another third party tool, this does not apply as TestFlight then takes care of the app distribution.). The email notifications that send out a build or release to testers give direct access to build downloads without logging in first. To secure this we use temporary tokens that only the receiver of the email has and which give temporary access to the download.
If you have any concerns about the safety of your code and your builds, do not hesitate to contact us.