diff --git a/TODO b/TODO index 31368dc..471724f 100644 --- a/TODO +++ b/TODO 
@@ -16,6 +16,49 @@ Tasks: - Reorganize for clarity - Optimize use of Android lifecycles +Silent Store approval checks to confirm/implement: +- Known Vulnerabilities + - Apps will be tested to ensure that they are not susceptible to known + publicly disclosed vulnerabilities. For example: + - Heartbleed + - Poodle + - MasterKey + - Common Path Traversal attacks + - Common SQL Injection attacks +- Network Security Protocols + - All Apps that require transmission of data from the App to a system that + does not exist on the device must use, at a minimum, TLS1.1 standards. + However, Blackphone would prefer the usage of TLS1.2. + - Apps must not use algorithms for cryptographic purposes that are considered + obsolete or outdated i.e. MD5, SHA1, RC4, DES, or any encryption algorithm + that is weaker than AES128. +- Transport Layer Protection + - All network communication should be encrypted + - Not vulnerable to SSl Strip +- Data Leakage + - No storage of sensitive data outside of application sandbox + - Files should not be created with MODE_WORLD_READABLE or MODE_WORLD_WRITABLE + - Copy & Paste will be evaluated on a case by case basis + - App logs should not contain sensitive information +- Authentication and Authorization + - Validate that authentication credentials are not stored on the device + - Must use an approved password-based key derivation function ie. PBKDF2, scrypt +- Data-at-rest Encryption + - Must use at a minimum AES128 with modes CCM or GCM + - Should not store the encryption key on the file system +- Permission Checks + - The App must function with all permissions disabled + - Apps must not hard crash if a permission is disabled + - Apps should ask users to enable permissions that are disabled if needed to + function properly and explain why the permission is necessary +- Privacy Policy + - Apps must have a privacy policy that details how customer data is used, + stored, shared, etc... 
+ - Apps must be configured with the customer opted out by default + - App logs should not contain PII +- Error Handling + - Apps should follow best-practices for error handling and logging + Features: - Search - Fingerprints that users can compare to validate
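Review bot: the Permission Checks section of this hunk contradicts itself: "The App must function with all permissions disabled" cannot hold alongside "Apps should ask users to enable permissions that are disabled if needed to function properly". Reword the first bullet to the behaviour the following bullets actually describe, e.g. "- The App must not hard crash or leak data when any permission is disabled; degraded functionality is acceptable". Two smaller fixes in the same hunk: the Android constant in "- Files should not be created with MODE_WORLD_READABLE or MODE_WORLD_WRITABLE" is spelled MODE_WORLD_WRITEABLE (with the E) in the platform API, so a tester grepping for the flag as written will miss it, and "SSl Strip" under Transport Layer Protection should read "SSLstrip" (the tool the check refers to). Finally, the Network Security Protocols bullet sets TLS1.1 as the floor while the next bullet bans MD5, SHA1 and RC4; TLS1.1 still relies on SHA1-based MACs and permits RC4 suites, so the two requirements conflict and the floor should simply be the TLS1.2 the text already says is preferred. Minor: "ie." in two places should be "i.e.".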