Threat Model

This document is intended for security researchers, auditors, and contributors. It provides a structured analysis of the attack surface, adversary capabilities, cryptographic guarantees, and residual risks for the Connect proximity-based decentralized social application.

The analysis is grounded in the concrete architecture described elsewhere in this research: Ed25519 identity keypairs, NFC/QR-bootstrapped trust, BLE-based proximity discovery, Signal Protocol (Double Ratchet) for 1-to-1 sessions, MLS (RFC 9420) for groups, append-only encrypted local feeds, and an optional Tor relay layer.

1. Scope and Trust Boundaries

In Scope

The following components and interactions are within scope of this threat model:

• Application protocol — the message format, feed structure, and synchronization logic
• Transport layer — BLE advertisement and connection handling, WiFi Direct data transfer, Tor circuit construction and hidden service behavior
• Cryptographic layer — key generation and storage, X3DH initial key agreement, Double Ratchet session management, MLS group key schedule, feed hash-chain integrity
• Trust establishment — the NFC tap and QR code exchange that bootstraps a contact relationship, including the data transmitted and the in-person ceremony assumptions
• Identity model — Ed25519 keypair lifecycle (generation, storage, use, and eventual revocation or abandonment)
• Key storage — how long-term and session keys are held on the device (OS keystore, encrypted database)
• Online relay — behavior when Tor is enabled: hidden service creation, relay-assisted sync, traffic patterns

Out of Scope

The following are explicitly out of scope, with rationale:

• OS security — we assume the OS kernel and its access control mechanisms are not compromised. An attacker who has rooted the device or installed a kernel-level rootkit can access any app's memory. This is a device-level compromise (addressed in Section 7 as a residual risk).
• Hardware security — side-channel attacks on CPU execution (Spectre/Meltdown variants), hardware wallet interactions, or physical probing of flash storage chips.
• Social engineering against users — phishing, SIM swapping, or coercing a user to share their screen. These exist at a layer above the protocol.
• Compiler and toolchain security — supply-chain attacks on the build system or dependencies, while important, are a separate concern from the protocol design.
• Tor network security — we inherit Tor's threat model, not own it. Tor's anonymity properties are well-documented. We note where our design depends on assumptions Tor itself cannot provide.

Trust Boundary Diagram

  ┌─────────────────────────────────────────────────────────────────────┐
  │                        DEVICE BOUNDARY                              │
  │                                                                      │
  │   ┌──────────────┐     ┌──────────────────┐    ┌─────────────────┐ │
  │   │  Key Store   │     │  Message Store   │    │  Contact Store  │ │
  │   │  (OS keystore│     │  (encrypted      │    │  (encrypted,    │ │
  │   │   / secure   │     │   append-only    │    │   local-only)   │ │
  │   │   enclave)   │     │   feed DB)       │    │                 │ │
  │   └──────┬───────┘     └──────────────────┘    └─────────────────┘ │
  │          │                                                           │
  │   ┌──────▼─────────────────────────────────────────────────────┐   │
  │   │                    Application Logic                        │   │
  │   │  (Double Ratchet state, MLS group state, feed validation)   │   │
  │   └──────┬─────────────────────────────────────────────────────┘   │
  │          │                                                           │
  └──────────┼──────────────────────────────────────────────────────────┘
             │  TRANSPORT BOUNDARY
  ┌──────────┼──────────────────────────────────────────────────────────┐
  │          │                                                           │
  │   ┌──────▼──────┐   ┌──────────────┐   ┌──────────────────────┐   │
  │   │  BLE Radio  │   │  NFC Radio   │   │  WiFi Radio          │   │
  │   │  (rotating  │   │  (~10cm tap) │   │  (WiFi Direct /      │   │
  │   │   beacons,  │   │              │   │   WiFi Aware)        │   │
  │   │   ~30m)     │   │              │   │                      │   │
  │   └──────┬──────┘   └──────┬───────┘   └──────────┬───────────┘   │
  │          │                 │                        │               │
  └──────────┼─────────────────┼────────────────────────┼──────────────┘
             │                 │                        │
  ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─
             │                 │              CONTACT    │  BOUNDARY
  ┌──────────▼─────────────────▼────────────────────────▼──────────────┐
  │                      PEER DEVICES                                    │
  │  (authenticated contacts — encrypted channel, content still private) │
  └──────────────────────────────┬──────────────────────────────────────┘
                                 │  (opt-in only)
  ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
                      INTERNET / RELAY BOUNDARY
  ┌──────────────────────────────▼──────────────────────────────────────┐
  │                      TOR NETWORK (opt-in)                           │
  │   Guard node → Middle node → Exit/Rendezvous → Hidden service       │
  │   (cannot see message content; may observe traffic timing/volume)   │
  └─────────────────────────────────────────────────────────────────────┘

Threat Surface Map

Each boundary above has a distinct exposure profile:

2. Adversary Types

2.1 Passive Observer

Profile: An attacker in physical proximity with commodity hardware — a BLE sniffer (e.g., Ubertooth One, nRF52840 dongle), a WiFi packet capture device, or a dedicated radio scanner. May also be a party conducting mass BLE advertisement harvesting in a public space.

Capabilities:

• Capture all BLE advertisement packets in range (~30–100m depending on antenna)
• Record advertisement timestamps and payloads
• Observe WiFi Direct probe frames and group formation traffic
• Correlate presence data over time (if beacons are not properly rotated)
• Cannot decrypt any session-layer content
• Cannot see NFC data (too short range, directional, no broadcast)

Motivation: Surveillance of individual movement patterns, commercial tracking (retail analytics, ad targeting), or intelligence collection. May be operating automated infrastructure (e.g., Bluetooth tracking arrays in transit systems).

Realistic threat scenarios:

• Identifying a user's persistent presence at a location by linking beacon IDs across time if rotation is insufficient
• Building a social graph approximation by observing which beacons appear together repeatedly in the same place
• Denial of service via BLE jamming (disrupts sync but does not compromise data)

2.2 Active Local Attacker

Profile: An attacker within BLE or WiFi range who can not only observe but also transmit — sending crafted packets, replaying captured frames, or running a rogue BLE peripheral. May use tools like Wireshark, BTLEJuice, or custom firmware on BLE development boards.

Capabilities:

• All capabilities of the passive observer
• Inject BLE advertisement packets
• Replay previously captured BLE frames
• Attempt to connect to the app's BLE GATT server and probe for vulnerabilities
• Attempt BLE relay attacks (forwarding BLE connection to a distant location in real time)
• Execute BLE denial-of-service: flooding advertisements, jamming the 2.4 GHz band

Motivation: Targeted attack on a specific individual, research into the protocol's security, bypassing proximity requirements to interact with a device from a distance.

Realistic threat scenarios:

• Attempting to complete a BLE authentication handshake from a different physical location by relaying the connection through an accomplice device
• Injecting malformed GATT frames to trigger parsing errors in the app
• Replaying BLE discovery beacons to confuse the app's contact-detection logic

2.3 Compromised Contact

Profile: A legitimate contact — someone who performed an NFC tap or QR exchange with the target in person — who has subsequently become hostile. This could be a trusted person who has been coerced, had their device compromised, or who was a malicious actor from the beginning.

Capabilities:

• Holds a valid shared session secret (Double Ratchet state or MLS group membership)
• Can receive and read all messages sent to them (this is by design)
• Can send arbitrary messages to the target
• Has access to all feed entries the target has shared with them
• Cannot read messages sent to other contacts (different sessions/group keys)
• Cannot forge messages that appear to come from a third party (signatures)
• Cannot read past messages if forward secrecy is maintained (see Section 3.3)

Motivation: Personal grievance, law enforcement cooperation, intelligence agency asset, opportunistic abuse of access.

Realistic threat scenarios:

• Forwarding received messages to a third party (screenshot, copy-paste) — this is not a protocol-level attack, it is a social trust failure
• Providing their device to authorities for forensic extraction of the conversation history
• Attempting to add a malicious third party to an MLS group (constrained by group membership rules)
• Attempting to convince the target to tap their NFC-enabled device against a rogue intermediary device

2.4 Infrastructure Adversary

Profile: An entity with visibility into network traffic: an Internet Service Provider, a CDN operator, a Tor relay operator, or a government entity with access to backbone routing infrastructure. Only relevant when the app is operating in online (Tor) mode.

Capabilities (online mode only):

• Observe encrypted Tor traffic: packet sizes, timing, volume — but not content
• Operate Tor relays (including guard nodes) to correlate circuits
• In non-Tor mode: observe plaintext TCP/IP connections, including IP addresses of both endpoints
• Serve legal orders to Tor relay operators for logs (which are minimal by Tor design)
• BGP routing manipulation to redirect traffic

Capabilities (offline mode):

• None. No internet traffic is generated. This adversary is completely irrelevant in offline mode.

Motivation: Mass surveillance, targeted surveillance of specific individuals, lawful intercept compliance.

Realistic threat scenarios:

• A Tor guard node operator observing that a particular IP address is connecting to Tor (not who they're communicating with)
• Traffic correlation attack: observing that Device A sends a burst of traffic at time T over Tor, and Device B receives a burst at T+delta, inferring they are communicating
• Compelled disclosure of Tor relay logs (which contain only connection times and circuit counts, no content or destinations)

2.5 State-Level Adversary

Profile: A national intelligence agency or law enforcement body with broad capabilities: physical access to devices through border crossings or arrests, the ability to serve legal orders, traffic correlation across multiple vantage points, and potentially the resources to attempt cryptanalytic attacks on weakened implementations.

Capabilities:

• All capabilities of the infrastructure adversary
• Physical seizure of devices
• Legal compulsion of individuals to provide decryption passwords or biometric authentication
• Multi-point traffic correlation at scale (GCHQ TEMPORA, NSA XKeyscore-class systems)
• Potential access to hardware security vulnerabilities or zero-days
• In extreme cases: planting malware on target devices via interdiction or remote exploit

Motivation: National security investigations, political surveillance, transnational crime investigation, suppression of dissent.

Realistic threat scenarios:

• Seizing a device at a border crossing and extracting the unlocked app's database
• Legal compulsion under a jurisdiction's equivalent of a Section 215 order
• Global traffic correlation to de-anonymize Tor users with sufficient coverage of guard nodes
• Compromising the device's OS or app binary before distribution (supply-chain attack on the app store)

2.6 Device Theft / Loss

Profile: An attacker who has physical possession of a lost or stolen device, but does not have the user's PIN, password, or biometric credential. The device may be locked or unlocked.

Capabilities (locked device):

• Access to the encrypted file system
• Access to BLE/NFC hardware (can scan nearby devices)
• May be able to read some data from the OS keychain if the keychain is not tied to device-unlock credential
• Forensic extraction of the flash chip (yields only encrypted data if full-disk encryption is enabled)

Capabilities (unlocked device):

• Full access to the running app and its in-memory state
• All stored messages, contact list, and identity keys
• Ability to impersonate the user to their contacts
• Ability to perform new NFC trust establishment as the victim

Motivation: Opportunistic (resale), targeted (surveillance), accidental.

Realistic threat scenarios:

• An unlocked stolen phone allowing the thief to read the victim's message history
• A locked phone subjected to forensic extraction — security depends on OS FDE and keychain strength
• The stolen device being used to silently receive future messages from contacts (contacts do not yet know the device is stolen)

3. Attack Surface by Layer

3.1 Physical / Trust Establishment Layer

This is the most security-critical layer because it is where long-term identity binding occurs. An attacker who can subvert trust establishment can impersonate a user to their contacts from that point forward.

NFC MITM (Man-in-the-Middle)

Feasibility: Extremely Low in Practice

An NFC MITM would require an attacker to simultaneously:

1. Intercept the outbound NDEF frame from Device A before it reaches Device B
2. Substitute a modified or attacker-controlled payload
3. Forward a crafted response back to Device A — all within the NFC handshake timing window

The fundamental constraint is NFC's operating range: ~4–10cm. To relay an NFC session, the attacker needs hardware physically adjacent to both devices simultaneously. Research by Hancke (2005) and subsequent work has demonstrated NFC relay attacks using custom hardware, but these require the attacker to be essentially touching both devices. In a real-world trust establishment scenario (two people choosing to tap phones), the social and physical geometry makes this attack implausible rather than impossible.

Additionally, the cryptographic protocol defends against MITM even if relay were achieved: both parties compute an X3DH shared secret using each other's authenticated public keys. An attacker who relays the key exchange without substituting their own key gains nothing — they are transparent to the cryptography. An attacker who substitutes their own key is detected if users perform a key fingerprint comparison (recommended UX).

Remaining risk: The app should display a key fingerprint (short authentication string) after the NFC tap, matching the pattern used by Signal's Safety Numbers. Users who compare fingerprints out-of-band detect any MITM. This UX step is not enforced by the protocol and remains a social control.

QR Code Relay Attack

Feasibility: Low to Moderate

A QR code encodes the same payload as the NFC tap: Ed25519 public key, ephemeral DH key, and application identifier. The attack scenario:

1. Attacker photographs or screen-records the target's displayed QR code
2. Attacker displays the captured QR code to a second victim, who scans it
3. The second victim establishes a trust relationship with the attacker instead of the intended target

The QR code is typically displayed for only a few seconds during the explicit scanning ceremony, reducing the window for capture. However, a high-resolution photo taken from a distance (social engineering: "let me take a photo of you") could capture a sufficient image.

Mitigations:

• QR codes should be ephemeral: regenerated for each session and expired after a short timeout (30–60 seconds)
• Including a timestamp and a signature over the timestamp in the QR payload allows the recipient to reject stale codes
• The key fingerprint comparison step (see NFC MITM above) detects substitution after the fact

Coercion (Forced Trust Establishment)

Feasibility: Moderate (social/physical attack)

An attacker could physically force or socially coerce a user to perform an NFC tap against the attacker's device. This is not a protocol vulnerability — the protocol has no mechanism to distinguish a voluntary tap from a coerced one.

The defense is social and physical: the tap requires deliberate physical action (bringing devices together), and the app should require explicit confirmation after the tap ("Add [name] as a contact?") rather than auto-completing the exchange. A "duress mode" — where a separate PIN causes the app to complete the tap without storing the contact — is a potential mitigation for high-risk users, similar to the duress password concept in full-disk encryption.

Physical Device Compromise During Tap

Feasibility: Low

An attacker could attempt to interfere with the device hardware during the tap — for example, inserting a USB data exfiltration tool (e.g., O.MG cable) while the phone is charging and the user is distracted. This is a device-level attack (out of scope) but worth noting as a threat scenario for high-risk individuals. The mitigation is standard device hygiene: do not use untrusted charging hardware.

3.2 BLE Discovery Layer

BLE Relay Attacks (Fake Proximity)

Feasibility: Moderate (requires coordinated attacker)

A BLE relay attack forwards BLE frames in real time between two locations, making Device B believe Device A is physically nearby when it is not. This is directly analogous to the relay attacks demonstrated against keyless entry systems. The NCC Group's 2022 research demonstrated BLE relay attacks against the Tesla Model 3 keyless entry system with commodity hardware (two Raspberry Pi units and commercial BLE dongles), achieving sub-75ms relay latency — within the proximity-check window of many implementations.

In the context of this application, the threat model is:

• The attacker wants to appear as an existing contact of the target without being physically present
• The attacker controls one device near the target (the "near end") and one device near an actual contact of the target (the "far end")
• The relay forwards BLE advertisements and GATT frames bidirectionally

Why this is partially mitigated:

• BLE relay attacks are mitigated for initial trust establishment because NFC/QR requires physical proximity that is not relayable by BLE hardware alone
• BLE relay only threatens the discovery phase (recognizing an already-known contact), not the initial trust bootstrap
• If a relay attack succeeds against discovery, the attacker can trigger a Double Ratchet session between the victim's device and a device that is not physically present — but the attacker must be in possession of the contact's actual device (or have compromised it), because the cryptographic authentication will fail against a device that does not hold the contact's private key

Residual risk: A relay attack in which the attacker controls both the contact's device and a BLE relay can cause the victim's device to sync with the contact's device from a distance, bypassing the proximity requirement for message sync. This is a privacy and usability concern (unexpected sync behavior) but does not compromise message content — the E2E encryption is between the two legitimate endpoint devices.

Mitigation options:

• RSSI-based proximity thresholds: require signal strength consistent with close range (~1–3m) before initiating sync. Note: RSSI is easily spoofed by adjusting transmit power.
• Round-trip time (RTT) measurement: BLE 5.1 introduces direction finding and RTT can detect relay latency. This is a hardware-dependent mitigation.
• Challenge-response timing: send a GATT challenge and require a response within a tight deadline inconsistent with relay latency. Relay round-trips add at least 40–100ms; a 20ms deadline makes relay impractical. This is the most robust application-layer mitigation.

BLE Tracking and Fingerprinting

Feasibility: Moderate

Modern devices rotate their BLE MAC addresses periodically (iOS: every 15 minutes; Android: varies by manufacturer, typically 15–30 minutes). However, several side-channels can relink rotated MACs to the same device:

1. Advertisement payload continuity: If the app advertises a fixed service UUID or any constant content between MAC rotations, the UUID alone serves as a tracking identifier. The app must rotate all advertisement content at the same time as the MAC.
2. Timing correlation: If advertisement intervals have a distinctive pattern or if the transition between two MACs occurs at a predictable moment, an observer who captures both can link them.
3. Device fingerprinting: BLE chipset-level timing jitter, clock drift, and transmission characteristics create a physical-layer fingerprint. This has been demonstrated in academic research (e.g., Becker et al., "Tracking anonymized Bluetooth devices," 2019). This is not mitigable at the application layer — it requires OS or hardware-level randomization.
4. iOS background advertising stripping: iOS strips the app's service UUID from background BLE advertisements, reducing the identifier surface but also degrading functionality.

Mitigations in scope:

• Rotate BLE advertisement content (UUID, payload) in sync with MAC rotation — every rotation window, generate a new ephemeral advertisement key
• Do not include any stable identifiers in advertisement payloads before mutual authentication
• Use encrypted advertisement payloads (BLE 5.x supports encrypted PDUs) where supported

Advertisement Content Leakage

Any information included in a BLE advertisement is visible to all nearby scanners before authentication. The advertisement payload must therefore contain no identifying information. The correct design is:

Advertisement payload (pre-authentication, visible to all):
  - A random or rotating service UUID (no fixed app identifier in the UUID itself)
  - A rotating nonce or ephemeral value
  - No public key, no contact ID, no app name string

GATT exchange (post-connection, before mutual auth, visible to attacker):
  - A challenge-response handshake using shared contact keys
  - Only if the remote device demonstrates knowledge of a shared secret
    does identity information pass over the channel

Leaking the app's service UUID in advertisements is equivalent to broadcasting "this is a Connect app user" to all nearby scanners, enabling enumeration of app users in a physical space.

Wormhole Attack via BLE Mesh

Feasibility: Low

In a mesh scenario where devices forward BLE beacons for contacts-of-contacts (not currently in scope for this design), a wormhole attack would allow an attacker to tunnel packets from one part of the mesh to another, creating a false adjacency in the network graph. Since this design explicitly does not implement friends-of-friends replication or BLE mesh forwarding by default, the wormhole attack surface is not present in the current architecture.

If mesh capabilities are added in the future, wormhole defenses (geographic leashes, timing leashes, directional antennas) should be evaluated.

Denial of Service (BLE Jamming)

Feasibility: High (with commodity hardware)

The 2.4 GHz ISM band used by BLE is shared with WiFi (channels 1, 6, 11) and other devices (microwave ovens, Zigbee, etc.). Targeted BLE jamming with a software-defined radio (SDR) can disrupt BLE communications in a specific area.

Impact assessment: BLE jamming prevents message sync but does not compromise data confidentiality or integrity. Messages are locally stored and will sync the next time the devices are in range without interference. This is a denial-of-service against availability, not a security breach. The hash-chain integrity of feeds means that even if a jamming attacker injects corrupted data during a partial transmission, the receiving device will reject it upon verification.

3.3 Cryptographic / Session Layer

Key Compromise (Device Theft, Malware)

If an attacker obtains the device's long-term Ed25519 private key — either through physical access to an unlocked device, OS malware, or forensic extraction — the following is true:

• Past messages: If the attacker also obtains the current Double Ratchet state (the chain key and ratchet key), they can decrypt messages that are already in the receive queue but not yet processed. They cannot decrypt messages that were already processed (deleted chain keys). Messages already exchanged are protected by forward secrecy.
• Future messages: With the long-term key, the attacker can authenticate as the victim and participate in future message exchanges. The BLE handshake will succeed. New messages will be decryptable.
• Recovery: Contacts are notified of compromise only through an out-of-band channel (another physical meeting). The protocol has no automated key revocation mechanism in offline mode.

Forward Secrecy Guarantees (Double Ratchet)

The Double Ratchet algorithm provides forward secrecy through two mechanisms:

1. Symmetric-key ratchet (KDF chain):
   After each message is sent or received, the chain key advances:
     chain_key_n+1 = KDF(chain_key_n, "ratchet")
     message_key_n = KDF(chain_key_n, "message")
   The message key is used once and then deleted.
   Compromising chain_key_n reveals nothing about chain_key_n-1 (KDF is one-way).

2. Diffie-Hellman ratchet:
   Periodically, a new DH key pair is generated and exchanged.
   The new DH output is fed into the root KDF, resetting the chain.
   This provides break-in recovery: even if chain_key_n is compromised,
   the next DH ratchet step restores security.

What forward secrecy guarantees:

• An attacker who obtains the current session state cannot decrypt any past messages whose chain keys have been deleted
• The window of exposure for any single message key is bounded by the time it takes to process the message (typically milliseconds)

What forward secrecy does NOT guarantee:

• Protection of messages that have not yet been processed (pending queue)
• Protection against an attacker who obtains the session state AND the stored ciphertext simultaneously
• Key material held in device memory at the moment of compromise

Post-Compromise Security (Break-in Recovery)

Post-compromise security (also called "future secrecy" in some literature) is the property that, after a key compromise, security is automatically restored once a new DH ratchet step occurs. The Double Ratchet provides this by design.

Recovery timeline:

  T=0   Attacker obtains current session state (chain key, DH key)
  T=1   Alice sends Bob a message — includes her new ephemeral DH public key
  T=2   Bob receives the message and performs a DH ratchet step
        - New root key derived from the DH exchange
        - Attacker, who does not have Bob's new DH private key,
          cannot derive the new root key
        - All subsequent messages are outside the attacker's visibility

This is a strong property: even if an attacker has a persistent read on the session state at one moment, they lose that access after the next natural DH ratchet exchange. The key question is how often DH ratchet steps occur — in the Double Ratchet, every message exchange in the opposite direction triggers a new DH ratchet, so the window is one round-trip.

MLS Group Add/Remove Security

MLS (RFC 9420) provides the following guarantees for group membership changes:

Adding a member:

• A new member must be explicitly added by an existing member with add rights
• The new member receives a "Welcome" message with the current group key schedule
• New members cannot decrypt messages sent before they were added (forward secrecy for past messages)
• In this application, adding a group member should require physical trust establishment (NFC/QR) with the group adder as a prerequisite — group membership is a transitive trust claim

Removing a member:

• Removing a member triggers a key update: a new epoch begins, and the removed member's key contribution is excluded from the tree
• After removal, the ex-member cannot derive keys for any new epoch
• The ex-member retains all group messages they received before removal

Commit attacks:

• MLS uses a "commit" mechanism for group state changes. A malicious member who sends a commit with an invalid proposal could attempt to desynchronize group state.
• RFC 9420 specifies strict validation rules for commits; correct implementations reject invalid commits and do not update group state
• In a gossip-distributed MLS group (no central delivery server), fork attacks are possible if two members simultaneously issue conflicting commits. The MLS spec addresses this with a linearization mechanism; implementations must handle this correctly.

Group membership and social graph:

• Group membership is visible to all group members — this is a structural property of MLS
• A compromised group member can extract the full list of current group members
• Consider: is the group membership list itself sensitive? For this application, yes. The recommendation is to minimize group sizes and to treat group membership as sensitive data within the group boundary.

Ratchet State Corruption

If the Double Ratchet state is corrupted (e.g., a partial write during message processing, a crash, or storage corruption), the session may become unrecoverable. This is not a security vulnerability per se but has security implications:

• A corrupted ratchet state could cause the app to re-request a session from the peer — how the app handles this re-initialization matters. A naive re-initialization that reuses the original shared secret would undermine forward secrecy.
• The correct recovery is to initiate a new key agreement via a fresh contact exchange (NFC/QR tap) — treating the corrupted state as a "new contact."
• Implementations should use atomic writes and checksums for ratchet state storage to minimize the risk of corruption.

3.4 Data / Feed Layer

Feed Tampering

The append-only feed uses a hash chain to ensure integrity: each message contains the hash of the previous message, and the chain is anchored to the user's identity by an Ed25519 signature.

  message_n = {
    prev_hash:   SHA-256(message_n-1),
    sequence:    n,
    content:     ciphertext,
    timestamp:   Unix time,
    author_sig:  Ed25519-Sign(identity_key, prev_hash || sequence || content || timestamp)
  }

An attacker who does not possess the author's Ed25519 private key cannot produce a valid signature over a tampered message. A validator rejects any message with an invalid signature or a prev_hash that does not match the preceding message. This makes feed tampering by third parties provably impossible given the cryptographic assumptions.

Exception: The author themselves can produce invalid chains (equivocation — issuing two different messages with the same sequence number and prev_hash but different content). This is a specific threat in systems where a single author communicates with multiple disconnected parties. A legitimate user will not do this accidentally; a malicious user might create a fork (send message M to Alice, and a different message M' to Bob, both with the same prev_hash). Recipients in different network partitions would receive inconsistent views of the feed. This is the "double-spend" problem applied to feeds, and mitigating it requires either a central sequencer (undesirable) or a gossip-based consistency protocol among contacts.

Feed Replay

An attacker could capture a valid feed message and re-inject it at a later time. The sequence number and prev_hash fields prevent this: a replayed message has a sequence number and prev_hash that do not match the current head of the chain. Recipients who maintain their local copy of the feed will reject any message that does not correctly extend the chain.

Edge case: If a recipient has not yet received some messages (gap in their local copy), they may not be able to detect a replay of older messages that fills the gap with the correct sequence numbers. Message timestamps and the requirement to process messages in order mitigate but do not fully eliminate this.

Feed Enumeration

A contact who has access to the feed can enumerate all entries shared with them. This is by design — the feed is shared. The security question is whether contacts can learn more than intended:

• Feed content is encrypted per-audience using MLS or bilateral session keys. A contact in group A cannot read entries encrypted for group B, even if they receive the ciphertext.
• Feed length is visible to any sync partner. A contact can observe how many entries exist in the feed even if they cannot read all of them. This leaks metadata about communication volume.
• Feed existence is visible to direct contacts during sync. Third parties (non-contacts) should not be able to request a feed at all — the sync protocol should require mutual authentication before exposing any feed entries.

Storage Compromise (Device Seized)

If the device is seized by authorities or a thief and the storage is extracted:

• With full-disk encryption enabled (default on modern Android/iOS): the raw flash image yields only encrypted data
• With the device unlocked at time of seizure: the file system is accessible; the database, feed entries, and key material are all readable
• The app should additionally encrypt its own database with a key derived from the user's app-specific PIN, separate from the device unlock credential — providing an additional layer of defense against a coerced device unlock
• Messages already displayed in the UI may be in plaintext in memory or in OS-level caches (screenshots, notifications)

3.5 Online Relay Layer (Opt-in Tor)

This section applies only when the user has enabled online mode. In offline-only mode, this entire attack surface does not exist.

Tor Deanonymization Risks

Tor provides anonymity by routing traffic through at least three relays, preventing any single relay from knowing both the sender and the recipient. However, Tor's anonymity is probabilistic and conditional:

• Honest relay assumption: Tor requires that the guard node and exit node (or rendezvous point in hidden service communication) are not controlled by the same adversary. If they are, traffic correlation becomes possible.
• End-to-end correlation: An adversary observing both the client's internet connection and the hidden service's internet connection can potentially correlate traffic patterns even without compromising Tor relays — by observing packet timing and volume at both ends.
• De-anonymization of the client (the device connecting to Tor) requires correlation of the client's ISP-visible connection to Tor with activity inside the Tor network.

Relay Correlation Attacks

The most powerful class of attack against Tor is traffic correlation: matching the timing and volume of traffic entering and leaving the Tor network at two points. This does not require breaking any cryptography and is limited by the attacker's network vantage points.

Against this application:

• Messages are small (text, structured data) and bursty
• An adversary who controls the client's ISP and a Tor relay on the path can observe that the client sent X bytes at time T and correlate this with Y bytes arriving at the recipient hidden service at time T+latency
• Cover traffic (constant-rate traffic padding) mitigates but does not eliminate this — requiring independent implementation in the transport layer

Hidden Service Enumeration

Tor hidden services (.onion addresses) are derived from public keys and are not registered in any central directory. An .onion address by itself does not reveal the operator's identity. However:

• If the .onion address is distributed to contacts through the app, and a contact is compromised, the adversary learns the .onion address
• The .onion address is a stable identifier — it does not rotate unless the user generates a new keypair and redistributes it
• A passive observer with Tor directory server access can observe when a hidden service descriptor is published or refreshed, leaking timing information about when the app goes online

Guard Node Compromise

In Tor, the guard node is the first relay in the circuit — the one that sees the client's real IP address. The Tor client keeps a small set of persistent guard nodes ("entry guards") to reduce the risk of eventually connecting through a malicious guard.

• If an adversary operates (or compromises) a client's guard node, they know the client's IP address and the times when they use Tor
• They do not know the destination (that is hidden by the circuit)
• Combined with hidden service correlation, guard node access significantly improves deanonymization probability

4. STRIDE Analysis

The following table maps STRIDE threat categories across each application layer.

Status key: M = Mitigated | P = Partial mitigation | R = Residual risk

5. What the Architecture Provably Defeats

These are security properties that hold by structural argument — not just by good implementation, but by the fundamental design of the system.

Mass Surveillance (Offline Mode)

In offline mode, no IP packets are transmitted. There is no ISP to subpoena, no DNS query to log, no CDN to serve legal orders to. An infrastructure adversary — even a nation-state with full backbone visibility — has zero traffic to analyze. The attack surface for mass surveillance collapses entirely.

This is not a matter of good policy or legal compliance — it is a structural property. The system cannot be mass-surveilled in offline mode because there is no network traffic to observe.

Social Graph Extraction

No central graph exists. The complete social graph of the application's users is never assembled in any one place. Each device holds only its own contact list (encrypted, local). There is no friend-of-friend traversal, no directory, no graph database. An adversary who compromises a single device learns only that device's contacts — a local subgraph, not the global network.

An adversary who compromises every device learns the complete graph, but this requires attacking each device individually. There is no single point of extraction equivalent to compromising a social network's database.

Message Content Interception

End-to-end encryption with the Double Ratchet means that any party who intercepts ciphertext in transit — whether on a BLE channel, a WiFi channel, or the Tor network — receives only random-looking bytes. Without the recipient's private key and the current ratchet state, the ciphertext is computationally indistinguishable from random data (assuming correct AES-256-GCM / ChaCha20-Poly1305 implementation).

Server Compromise

There is no server. An adversary cannot execute a "server compromise" attack because there is no application server to compromise. The design eliminates this entire class of attack by architecture.

Retroactive Surveillance

Forward secrecy (Section 3.3) means that even if an adversary compromises a device today, they cannot decrypt messages sent before the compromise (assuming those chain keys have been deleted). "Harvest now, decrypt later" is ineffective for messages whose keys no longer exist.

Caveat for post-quantum threats: A classical adversary cannot break the current cryptography. A future quantum adversary could attack the key exchange (ECDH/X25519) but not the symmetric encryption (AES-256 remains secure against quantum adversaries with Grover's algorithm doubling the effective key search space). The hybrid PQXDH design (adding ML-KEM-768) provides forward secrecy even against a future quantum adversary for messages sent after PQXDH deployment.

6. What the Architecture Mitigates (but Doesn't Eliminate)

BLE Relay Attacks

Mitigated by: NFC/QR requirement for initial trust establishment. A relay attack on BLE alone cannot introduce a new contact — it requires relaying NFC, which is physically infeasible at useful distances.

Not eliminated: Relay attacks against the BLE sync phase with an already-known contact are possible with coordinated hardware. The impact is bounded: the attacker can cause sync to occur at the wrong physical location, but cannot read the synced content.

Residual: Challenge-response timing mitigates most relay attempts; RSSI-based thresholds reduce but do not eliminate distance amplification.

BLE Fingerprinting

Mitigated by: MAC address rotation (OS-level), advertisement content rotation (app-level), avoiding fixed service UUIDs in pre-authentication advertisements.

Not eliminated: Chipset-level physical-layer fingerprinting (timing jitter, clock drift) cannot be mitigated at the application layer. An adversary with specialized radio hardware and enough observation time may be able to re-link a rotated MAC to a previously seen device. This has been demonstrated in academic settings; the practicality in operational deployments against a motivated adversary is real but requires sustained close-range observation.

Platform Surveillance (iOS/Android OS-Level BLE Scanning)

Mitigated by: The app's rotating beacons and encrypted advertisement content make the payload opaque to the OS vendor.

Not eliminated: iOS and Android have OS-level access to BLE scan results — including which apps trigger scans and at what times. Apple and Google's telemetry systems (if enabled) may log BLE activity metadata. The app can minimize what it puts in advertisements, but it cannot prevent the OS from observing that BLE scanning is occurring and attributing it to the app.

Users who require protection against platform-level surveillance should use a de-Googled Android distribution (e.g., GrapheneOS) with network permissions restricted. This is a user and platform choice, not an application design concern.

Key Revocation in Offline Mode

Mitigated by: Contacts can be manually removed. The revoked contact will not receive new messages.

Not eliminated: In a fully offline scenario, there is no mechanism for a user to broadcast "my device was stolen, do not trust new messages from my old key." Contacts who are not physically reachable cannot be notified. A stolen device can be used to impersonate the user to any contact who does not independently verify the compromise.

7. Residual Risks (Accepted)

These are risks that the architecture acknowledges but cannot eliminate by protocol design alone. They are accepted as part of the system's threat model.

Device-Level Compromise (OS Malware, Forensic Access to Unlocked Device)

An adversary with root-level OS access or physical access to an unlocked device can read all app data, including decrypted messages, key material, and contact lists. No application-layer defense can protect against a fully compromised OS.

Acceptance rationale: Defending against OS-level compromise requires hardware security enclaves (Secure Enclave on iOS, StrongBox on Android) and careful key management. The architecture should leverage these where available (storing long-term keys in hardware-backed keystores), but cannot fully prevent a sophisticated adversary from extracting data from a compromised device.

Mitigation direction: Use OS hardware keystores for long-term keys, implement app-level database encryption with a separate PIN, and recommend that users enable full-disk encryption and strong device passcodes.

Physical Coercion

A user can be compelled — by violence, legal authority, or social pressure — to unlock their device, add a malicious contact, or share their screen. No cryptographic system defends against wrench attacks.

Acceptance rationale: This is a fundamental limitation of any security system. Mitigations (duress modes, minimal data retention) can reduce the value of a coerced disclosure but cannot prevent coercion itself.

iOS Background BLE Reliability

iOS imposes significant restrictions on background BLE advertising and scanning. Apps in the background advertise with reduced duty cycle and stripped service UUID data. This means discovery reliability degrades when the app is not in the foreground.

Security impact: None. This is a UX and availability risk, not a security risk. Users who do not have the app foregrounded may miss proximity sync opportunities.

Acceptance rationale: The limitation is platform-imposed and not mitigable without using private Apple APIs. The architecture accepts degraded discovery performance on iOS in exchange for operating within the platform's permission model.

Post-Quantum: Current Classical Cryptography

Current key exchange (X25519, Ed25519) is vulnerable to a sufficiently powerful quantum computer running Shor's algorithm. No cryptographically-relevant quantum computer exists today, and current estimates suggest at least a decade before such capabilities emerge.

Acceptance rationale: The hybrid PQXDH design (adding ML-KEM-768) mitigates the "harvest now, decrypt later" threat for messages exchanged after PQXDH deployment. Classical keys are used in combination with post-quantum keys so that breaking one does not break the other. This provides security parity with Signal's current PQXDH deployment.

The residual risk is: messages exchanged before PQXDH deployment, using only classical keys, are retroactively vulnerable if a quantum adversary harvested the ciphertext and later builds a quantum computer. For most users, this is an acceptable risk given the timeline involved.

Feed Equivocation (No Global Sequencer)

An adversarial author can produce two valid feed forks — different message M and M' with the same sequence number and prev_hash — and distribute them to different contacts. Without a global ordering mechanism, there is no protocol-level way to detect this.

Acceptance rationale: This is a fundamental property of distributed append-only logs without a central sequencer (the same problem SSB faces). The mitigations are: contacts who encounter the same feed in gossip can compare hashes and detect forks; UI can flag inconsistency; and the social consequences of provable equivocation (contacts can identify the author as the source of the fork) provide a deterrence effect. Full elimination would require a central sequencer, which violates the no-server design principle.

8. Security Properties Summary Table

9. Audit Readiness

What a Third-Party Auditor Would Focus On

A security audit of this system should prioritize components where implementation errors directly translate to cryptographic breaks — as opposed to areas where the design itself provides the security guarantee.

Priority 1 — Cryptographic integration:

• Correctness of the X3DH initial key agreement implementation, specifically the key derivation function inputs, the ratchet initialization, and the handling of the associated data (AD) field
• Double Ratchet state machine: correct deletion of used message keys, handling of out-of-order messages (the max skip value), and ratchet state persistence (atomic writes, no key reuse)
• MLS implementation: correct construction of the ratchet tree, handling of commits and proposals, validation of the KeyPackage structure, and epoch transition logic
• Random number generation: all key generation and nonce generation must use a cryptographically secure RNG; verify no fallback to Math.random() or java.util.Random equivalents

Priority 2 — BLE handshake and session setup:

• The GATT-layer authentication protocol: verify that authentication is required before any contact-identifying data is exchanged; verify that the challenge-response is not replayable; verify that session keys are properly derived and not reused
• Rotating beacon implementation: verify that advertisement content rotates in sync with the MAC address and that no static identifiers persist
• Input validation on all GATT characteristic writes: buffer overflow protection, type confusion, rejection of malformed frames

Priority 3 — Key storage:

• Long-term Ed25519 key storage: verify use of OS hardware-backed keystore (Android KeyStore with StrongBox; iOS Secure Enclave) for all long-term keys
• Session key storage: verify that chain keys and message keys are stored only in memory during active sessions and are securely zeroed after use
• Database encryption: verify that the local message database is encrypted with a key derived from a user-provided secret, not a device-stable key

Priority 4 — Trust establishment flow:

• NFC NDEF frame parsing: verify that the parser correctly handles malformed, oversized, or truncated records without memory corruption
• QR code payload parsing: same as above
• Confirmation UX: verify that the "Add as contact?" prompt correctly reflects the public key that was received and cannot be bypassed by a TOCTOU race

Priority 5 — Feed integrity:

• Hash chain verification: verify that each received message is checked against the stored prev_hash and that out-of-order or gapped delivery is handled correctly
• Equivocation detection: verify that the app detects and flags feed forks

Components Requiring Most Urgent Review

Ranked by risk and complexity:

1. Double Ratchet state management — incorrect deletion of message keys or out-of-order handling is the most likely source of forward secrecy failures. Any bug here has direct security consequences.
2. X3DH / key exchange initialization — the initial key agreement is performed exactly once per contact relationship. A subtle error (wrong AD, wrong KDF input order) silently produces a shared secret that appears to work but is weaker or predictable.
3. MLS ratchet tree operations — MLS is a complex specification (RFC 9420 is 200+ pages). Correct implementation of the TreeKEM component, blank node handling, and path secret derivation is error-prone.
4. BLE GATT authentication layer — this is bespoke protocol design and is most likely to contain logic errors that authentication can be bypassed.
5. OS keystore integration — platform-specific key storage code is often copied from examples that do not enforce hardware-backed storage. Auditors should verify that setIsStrongBoxBacked(true) (Android) and Secure Enclave key generation (iOS) are correctly configured and that the fallback behavior when hardware is unavailable is explicitly designed.

Recommended Audit Scope and Timing

Pre-public alpha (internal audit / threat model review):

• This threat model document reviewed by an external security researcher
• Cryptographic design review: whiteboard audit of the key exchange, ratchet, and MLS integration with a cryptographer — before any code is written
• BLE handshake specification reviewed for authentication and replay resistance

Beta / pre-release (code audit):

• Full code review of the cryptographic layer: key generation, X3DH, Double Ratchet, MLS
• BLE GATT protocol implementation: authentication, session setup, data exchange
• Key storage: platform keystore integration on both Android and iOS
• NFC/QR parsing: fuzzing with malformed payloads (AFL, libFuzzer on the NDEF parser)
• Feed integrity: hash chain validation, equivocation detection

Post-release (ongoing):

• Dependency audit: signal-protocol libraries, MLS libraries, Tor client libraries — track CVEs and update policies
• Penetration test focusing on BLE relay attacks and GATT authentication bypass
• Red team exercise with physical devices: attempt NFC relay, BLE relay, and coerced contact addition

Recommended auditors: Organizations with demonstrated experience in mobile cryptography (Android/iOS Secure Enclave integration), Bluetooth security, and distributed systems security. Relevant prior work would include audits of Signal, Briar, Matrix, or IETF MLS implementations.

This threat model reflects the architecture as of April 2026. It should be reviewed and updated when: the cryptographic stack changes (new algorithms, new library versions), the transport layer changes (new proximity technologies added), the trust model changes (e.g., adding remote follow capability), or a significant new vulnerability in a dependency is disclosed.