Security

Security & Privacy

Multiple layers of protection by design

Layer 1

End-to-End Encryption

All messages are encrypted using ECDH (Elliptic Curve Diffie-Hellman) key exchange. Messages can only be decrypted by the intended recipient. Relay nodes transport ciphertext they cannot read.

  • ECDH key exchange for shared secret derivation
  • Cryptographic message signing prevents tampering
  • Relays are blind couriers ‐ they can't read content
Encryption screen - dark mode
Encryption screen - light mode
‹›
Layer 2

Hardware-Backed Key Storage

Your identity private keys are encrypted at rest using AES-256-GCM via the Android Keystore. The master key never leaves the secure hardware (TEE/StrongBox), protecting against root extraction and forensic analysis.

  • AES-256-GCM encryption at rest
  • Keys stored in TEE/StrongBox secure hardware
  • Protection against root extraction
  • Automatic migration from legacy storage
Hardware key storage screen - dark mode
Hardware key storage screen - light mode
‹›
Layer 3

Anti-Billboard Protection

During pairing, users appear as random 3-word names generated from a 2048-word list (8.5 billion combinations). This prevents bad actors from broadcasting phone numbers or URLs as usernames.

  • Random discoverable names (e.g., "apple-bridge-cloud")
  • Chosen usernames hidden until PIN verification
  • Suspicious pattern detection for phone numbers, URLs, and emails
  • Color-coded warnings (green = safe, red = suspicious)
Anti-billboard discovery screen - dark mode
Anti-billboard discovery screen - light mode
‹›
Layer 4

Peer Reputation System

An automatic graduated penalty system that detects and handles bad actors without user intervention. Points accumulate for protocol violations, with penalties escalating from warnings to permanent bans.

10 pts Warning
20 pts Throttle (1 msg/min)
50 pts Temp Ban (1 hour)
100 pts Permanent Ban
  • Automatic decay: 1 point per 10 minutes (recovery from transient issues)
  • Contact protection: 2x higher thresholds, 2x faster decay
  • Silent penalties: No feedback to attackers
  • 21 violation types covering all protocol aspects
Peer reputation settings - dark mode
Peer reputation settings - light mode
‹›
Privacy

Privacy Features

Comprehensive protection for your data and identity

App Lock

Multiple authentication methods to protect your conversations:

Authentication Methods

  • PIN Lock ‐ 4-8 digit PIN, SHA-256 hashed
  • TOTP ‐ 6-digit authenticator app codes
  • Biometric ‐ Optional fingerprint authentication

Lock Triggers

  • Lock on screen off (default: ON)
  • Lock when leaving the app
  • Auto-lock after inactivity: Immediate / 1m / 5m / 15m / 30m / Never

Intruder Detection

  • Silent front camera photo on failed unlock attempts
  • Max 50 photos with auto-cleanup
  • Gallery viewer with delete options
App lock screen - dark mode
App lock screen - light mode
‹›

Send Mode Privacy

Choose how your messages are transmitted based on your privacy needs:

DIRECT_ONLY
Maximum metadata privacy. Messages are only sent directly to the recipient ‐ never relayed through the mesh. Prevents any third party from seeing even the encrypted message.
MESH_ONLY
Maximum location privacy. Messages are only sent through mesh relays ‐ never directly. Prevents the recipient from knowing you were physically nearby.
BOTH Default
Balanced approach. Uses both direct and mesh delivery for maximum reliability. Best for most users.
Send mode settings - dark mode
Send mode settings - light mode
‹›

Screenshot Blocking

FLAG_SECURE prevents screenshots and screen recording of the app, keeping conversations private even from screen capture tools.

Hidden Notifications

Option to hide sender names and messages in notifications, so passers-by can't see who's messaging you from your lock screen.

Encrypted Backups

Backups use Argon2id key derivation + AES-256-GCM encryption. Both a password and 32-character backup code are required for restoration.

SOS Alert

Emergency SOS button notifies your emergency contacts if enabled and accepted the disclaimer.