---
last_verified: 2026-05-30
verified_version: 0.1.34
owner: backend
freshness_days: 30
---

# Security Guide — pvtcoms

> The authoritative boundary is [`../THREAT_MODEL.md`](../THREAT_MODEL.md). This guide is the developer-facing checklist.

## Identity & authentication
- Identity = a device-held keypair (`Ed25519 + ML-DSA-65`). No phone/email/server account.
- Contact authentication = single-use invite + **out-of-band SAS verification** (the only first-contact MITM defence).
- Key-change alerts block sending to a previously-verified contact until re-verification.

## Confidentiality
- E2EE, post-quantum: hybrid `X25519 + ML-KEM-768` handshake + Double Ratchet; ChaCha20-Poly1305.
- Forward secrecy + post-compromise security via per-message key rotation.
- Deniability preserved (no signatures in the per-message ratchet).

## Secrets management
- Keys in OS keystore / Secure Enclave; DB encrypted at rest (SQLCipher) with an Argon2id-derived passphrase key.
- Zeroize key material; never log secrets/plaintext/tokens/IPs.
- **NEVER** commit secrets; **no telemetry/analytics/phone-home**.

## Input validation & robustness
- All wire input is untrusted: typed errors, no `unwrap()`/`panic!` on attacker-controllable data; fixed-size padded envelopes; replay/idempotency on mailbox pulls.

## Threat checklist (adapted; full matrix in THREAT_MODEL.md)
| Area | Status | Notes |
|---|---|---|
| Network eavesdropper | ✅ | E2EE + Tor |
| Malicious relay/mailbox | ✅ | Oblivious; learns nothing linkable |
| First-contact MITM | ✅ detectable | Mandatory SAS |
| Seized locked device | ✅ | SQLCipher + keystore + short retention + duress wipe (v2) |
| Other app on device | ✅ | Sandbox + keystore + FLAG_SECURE + clipboard hygiene |
| Compromised/rooted OS, 0-click | ❌ OUT OF SCOPE | OS-vendor responsibility; recommend GrapheneOS |
| User-granted accessibility/keyboard spyware | ❌ OUT OF SCOPE | Warn, can't block |
| Global passive adversary (on Tor) | ⚠️ partial | Padding/jitter; Nym is the v3 answer |

## Security scanning & continuous monitoring
```bash
cargo audit                  # RustSec advisories (Rust crates only)
cargo deny check             # advisories + licenses + bans + sources (plain `check` runs all four; `check advisories` runs only the first)
osv-scanner -L Cargo.lock    # covers Cargo + GitHub + (some) native
trivy fs ./target            # OS/native deps (OpenSSL, SQLite) — cargo audit can't see these
cargo clippy --all-targets -- -D warnings
```
Daily CI cron; **break the build on any High/Critical**. Dependency bumps require a reviewed PR + `cargo audit` + Tor integration + replay tests.

**Feeds to watch** (a webview/native CVE exposes users regardless of our app version): RustSec advisory-db · OSV.dev ·
GitHub Security Advisories · **NVD for WebView2 / Apple WebKit / WebKitGTK** · OpenSSL security list · SQLite changelog ·
Tor Project blog + TROVE · `cryspen/libcrux` + RustCrypto release notes.

## Verified advisories to clear (audit 2026-05-30 — see `reports/2026-05-30-security-review.md`)
All chosen crates are **patched at the pinned versions** (no known *open* advisory). Must-verify in `Cargo.lock`/vendored build:
- curve25519-dalek **≥4.1.3** (RUSTSEC-2024-0344) · openssl crate **≥0.10.70** (RUSTSEC-2025-0004) · rustls-webpki **≥0.103.10** (RUSTSEC-2026-0049, -0098) · bump `bytes`/`time` (RUSTSEC-2026-0007/0009).
- **Bundled SQLite ≥3.50.2** (CVE-2025-6965, CVSS 9.8) · **bundled OpenSSL ≥3.5.5/3.4.4** (CVE-2025-15467 + 9230/9231/9232) — these are native libs `cargo audit` cannot see; catch with `osv-scanner`/Trivy.

## Secure-config must-dos
- **SQLCipher**: `kdf_iter` **> OWASP 600k** (default 256k too low), `cipher_memory_security=ON`, `secure_delete=ON`,
  `trusted_schema=OFF`, `foreign_keys=ON`; fail-hard if any PRAGMA fails; lock in migration tests; key via `secrecy` + keystore.
- **Tauri**: strict CSP (no unsafe-inline/remote/eval), **plain-text-only** message rendering (no HTML/SVG/markdown-to-DOM),
  capability deny-by-default, no untrusted iframes, secrets never reach JS. Red-team XSS→IPC→key-exfil.
- **Transport**: fail-closed Tor-only (no clearnet/local-resolver fallback); full vanguards; CI asserts zero network syscalls
  outside the Tor SOCKS port.
- **Crypto**: hybrid KEM combiner absorbs **transcript + both public keys + ML-KEM ciphertext** (key/ciphertext binding, not
  just shared secrets); central AEAD nonce management (never caller-random); strict anti-replay; `subtle` constant-time compares.
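Added example (not pvtcoms code; Python stdlib only, with constructed sample bytes and an assumed label `pvtcoms-hybrid-v1`): a binding hybrid combiner beside the naive shared-secrets-only form, showing that swapping the transported ML-KEM ciphertext changes the bound session key but leaves the naive one unchanged.

```python
import hashlib
import hmac
import struct

# Assumed domain-separation label for this illustration; not the project's real constant.
LABEL = b"pvtcoms-hybrid-v1"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF-SHA256 (RFC 5869) built from the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def lp(*fields: bytes) -> bytes:
    """Length-prefix each field so the concatenation has unambiguous boundaries."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def combine_bound(ss_x25519, ss_mlkem, pk_x25519, pk_mlkem, ct_mlkem, transcript):
    """Binding combiner: both public keys, the ML-KEM ciphertext and the transcript enter
    the KDF alongside the two shared secrets, so one session key maps to one key/ct pair."""
    ikm = lp(ss_x25519, ss_mlkem)
    salt = hashlib.sha256(lp(pk_x25519, pk_mlkem, ct_mlkem)).digest()
    return hkdf_sha256(ikm, salt, lp(LABEL, transcript))


def combine_naive(ss_x25519, ss_mlkem):
    """Weak combiner for contrast: only the shared secrets are hashed."""
    return hkdf_sha256(lp(ss_x25519, ss_mlkem), b"", LABEL)


def demo():
    """Constructed sample inputs (fixed bytes, not real key material). The ciphertext is
    flipped by one bit while the shared secrets are left unchanged, modelling a transported
    ct/pk being substituted without changing what each side derived."""
    ss_x, ss_k = b"\x11" * 32, b"\x22" * 32
    pk_x, pk_k = b"\x33" * 32, b"\x44" * 1184
    ct, transcript = b"\x55" * 1088, b"hello|pvtcoms|v1"
    ct_swapped = bytes([ct[0] ^ 0x01]) + ct[1:]
    return {
        "bound": combine_bound(ss_x, ss_k, pk_x, pk_k, ct, transcript),
        "bound_swapped": combine_bound(ss_x, ss_k, pk_x, pk_k, ct_swapped, transcript),
        "naive": combine_naive(ss_x, ss_k),
        "naive_swapped": combine_naive(ss_x, ss_k),  # same inputs: ct never enters the KDF
    }
```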

Run the `dependency-governance` skill for a full audit once `Cargo.toml` exists.
