Privacy & Security
How FableFrog handles your data, secures your credentials, enforces network security, and what stays on your device.
Data Handling
FableFrog's approach to data is simple: we don't collect any. The app's App Store privacy label is "Data Not Collected," and that's not marketing language. It's a literal description of how the app works.
Device-to-Server, Nothing In Between
FableFrog is a pure client application. All data flows directly between your iPhone and your Audiobookshelf server. There is no intermediary service, no cloud relay, no "phone home" behavior. FableFrog does not operate any servers that your app communicates with. When you browse your library, stream an audiobook, or sync your progress, those requests go straight to the server you configured, and nowhere else.
No Analytics, No Telemetry, No Crash Reporting, No Ads
FableFrog does not include any analytics frameworks, telemetry SDKs, crash reporting services, or advertising networks. There are no hidden network calls to third-party services. The app contains no code from Google Analytics, Firebase, Sentry, Bugsnag, or any similar service. Your listening habits, library contents, and usage patterns are never transmitted to anyone.
This means that when you experience a crash, FableFrog doesn't automatically know about it. If you encounter a bug, the best way to report it is by emailing paul@devitodigitalsolutions.com with a description of what happened.
Credential Security
Keychain Storage
Your Audiobookshelf credentials (username, password, and authentication tokens) are stored exclusively in the iOS Keychain using the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly protection level. This means:
- Credentials are encrypted at rest by the Secure Enclave
- They're only accessible after the device has been unlocked at least once since boot
- They cannot be transferred to another device through backup or migration
- They're never stored in files, UserDefaults, databases, or any other less-secure mechanism
Token Handling
FableFrog uses a dual-token authentication model:
- Access token: a short-lived token sent with API requests to authenticate your session. Included in the
Authorizationheader on most requests. - Refresh token: a longer-lived token used to obtain new access tokens when the current one expires. Token refresh is handled automatically and transparently. You won't be prompted to re-authenticate unless the refresh token itself has expired or been revoked.
FableFrog implements single-inflight token refresh deduplication, meaning if multiple requests need a token refresh simultaneously, only one refresh request is made and the result is shared. This prevents race conditions and redundant server calls.
Sign Out Behavior
When you sign out of FableFrog, the app clears all server-synced data:
- All authentication tokens and stored credentials are removed from the Keychain
- All cached library metadata (covers, book details, chapter lists, author information, progress, sessions, bookmarks, collections) is deleted
- All in-memory state is cleared and background services are stopped
Your per-book settings (playback speed, skip intervals, volume boost), ratings, and playlists are preserved on the device but isolated to your account. If you sign back in, they're restored automatically. If a different user signs in on the same device, they won't see your data — see Multi-User Device Safety below.
Downloaded audiobook files and app-level preferences (theme, text size) are also preserved across sign-out.
Network Security
TLS Enforcement
FableFrog does not add any App Transport Security (ATS) exceptions. This means iOS enforces TLS for all HTTPS connections by default. If your server uses HTTPS with a valid certificate (e.g., from Let's Encrypt), connections are encrypted end-to-end with no additional configuration needed.
Plain HTTP connections to local/private IP addresses generally work due to iOS's default ATS behavior, but using HTTPS is always recommended, especially for connections over the internet.
Token in URL for Media Endpoints
There is one important caveat to be aware of: for media streaming endpoints (audio file downloads and playback), the authentication token is included as a URL query parameter rather than in the Authorization header. This is a constraint of the Audiobookshelf API. The media endpoints require token-based URL authentication because iOS's media player framework (AVPlayer) does not support custom headers on media requests.
This means your access token may appear in server logs for media requests. If you're concerned about this, ensure your server logs are secured appropriately. The token is still short-lived and can be revoked, limiting the window of exposure.
Authorization Header
For all non-media API requests (library browsing, progress sync, metadata fetching, authentication, and settings), FableFrog sends the access token in the standard Authorization header. This is the more secure approach and is used wherever the API supports it.
What Stays on Device
Downloaded Files
Downloaded audiobook files are not deleted when you sign out. This is a deliberate design decision. Audiobook downloads can be large (hundreds of megabytes to several gigabytes), and users who sign out and back in (for example, when switching servers or troubleshooting) would not want to re-download their entire offline library.
Downloaded files contain only audio data. They do not contain authentication tokens, credentials, or personally identifiable information. They are stored in the app's sandboxed container and are not accessible to other apps.
Per-User Local Data
Your per-book playback settings (speed, volume boost, skip intervals), star ratings, and playlists persist across sign-out. These are scoped to your account — if you sign back in, they're automatically restored. Other users who sign in on the same device never see your data.
App Preferences
App-level preferences (your selected theme, text size, and other non-server-specific settings) persist across sign-out and sign-in cycles. These preferences are not user-scoped and contain no sensitive information.
Multi-User Device Safety
FableFrog isolates per-user data on shared devices. Each user is identified by their account and server combination, and all local-only data — book settings, ratings, playlists, and file-based caches — is partitioned accordingly. This means:
- Different accounts on the same server each have their own local data
- The same account on different servers is treated as a separate user
- No user data is deleted on sign-out — it's simply invisible to other users
- Signing back in restores everything right where you left it