Desktop Security
The Oceanir desktop app is a hardened, sign-in-only macOS shell for your workspace. Analysis runs on Oceanir's servers over an encrypted connection, not on your device. This page documents the controls the desktop shell actually enforces, with no claims about local-only processing.
What the desktop app is
The app is a native macOS shell that loads the authenticated Oceanir workspace. When you analyze an image, it is sent to Oceanir's servers over TLS and processed there, the same pipeline the web app uses. The desktop app does not run geolocation models on your machine, and it does not keep a local-only copy of your evidence. What the desktop adds over a browser tab is a hardened, locked-down container around that workspace.
Process isolation
The workspace runs in an isolated, OS-sandboxed view with no privileged system access from page code, and only a minimal, audited bridge for the few native actions it needs. A web-side exploit or surviving XSS cannot pivot to the host or escalate beyond that view.
Access control
The desktop workspace route is locked to the signed desktop shell. The shell identifies itself with a versioned user-agent marker, and any request without it (including a normal browser) is served a not-found response, with no redirect and no error that would reveal the route exists. The workspace also requires a valid authenticated session, and it is excluded from search engine indexing.
Authentication isolation
Sign-in completes in your real system browser, never inside the app window. This keeps OAuth state in the browser's own cookie jar where the callback completes, and it means the app window never handles your provider credentials directly. Any link that would leave the workspace is opened in your default browser rather than navigating the app window.
Transport and origin pinning
All traffic to the workspace travels over TLS. The window is pinned to a single trusted origin, and an in-process navigation guard blocks any attempt to move it to a different origin. The app cannot be steered to an arbitrary site. For the data-layer story (encryption in transit and at rest, retention, and coordinate handling), see the Data Encryption and Coordinate Rounding pages.
Distribution and notarization
The app is compiled natively for Apple Silicon (arm64). During the current beta it is not yet Developer ID notarized, so macOS Gatekeeper may ask you to approve it once under System Settings, Privacy & Security. Notarization is planned before general release. Always download the app from oceanir.ai so you can be sure of its origin.
What this does not claim
To be precise about scope: the desktop app does not perform on-device or offline geolocation, does not compute evidence hashes locally, and does not keep your images isolated to your machine. Analysis is a server-side capability. If on-device or air-gapped processing is a requirement for your work, contact us about deployment options rather than relying on the standard desktop build.