End-to-End Encryption
Our applications protect your privacy and freedom by sending messages and photos directly between devices over a WebRTC data channel connection. Audio and video calls also use a WebRTC connection, with no media server in between. Communications between devices therefore travel over direct connections, fully encrypted with SRTP and DTLS.
Secure relations with twincodes
Our Twincode technology allows us to set up various kinds of relations without knowing private information about any party. These relations are also signed by an Ed25519 private key, ensuring authenticity, integrity, and tamper-proof communication.
Furthermore, when a WebRTC connection must be established, the signaling information produced by WebRTC is encrypted using AEAD with a relation-specific secret. The signaling server only sees encrypted signaling information, which hides and protects how the WebRTC connection is set up. The signaling packets contain certificates, media stream codec information, IP addresses, ports and protocols that allow WebRTC to set up the direct peer-to-peer communication. This sensitive metadata is therefore not visible to our server: only the target device can decrypt it.
The secrets used to encrypt the WebRTC signaling information are changed periodically by generating new secrets, and they are exchanged by the devices within the data channel of WebRTC.
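A minimal sketch of the signaling protection described in the two paragraphs above, added here as an illustration and not taken from the applications' own code. AES-256-GCM, the packet layout, the relation identifier and the key-generation counter are assumptions; the page itself names only AEAD with a relation-specific secret that is periodically replaced.

```javascript
const crypto = require("node:crypto");

// Constructed sample offer (documentation IP, placeholder fingerprint).
const SAMPLE_SDP = "v=0\r\nc=IN IP4 192.0.2.10\r\n" +
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel\r\na=fingerprint:sha-256 PLACEHOLDER\r\n";

// Routing fields travel in clear but are bound to the ciphertext as AAD (assumed layout).
const aadFor = (relationId, keyGen) => Buffer.from(`${relationId}|${keyGen}`);

// Seal one signaling payload with the relation secret of generation keyGen.
function sealSignaling(secret, relationId, keyGen, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce per packet
  const cipher = crypto.createCipheriv("aes-256-gcm", secret, nonce);
  cipher.setAAD(aadFor(relationId, keyGen));
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { relationId, keyGen, nonce, body, tag: cipher.getAuthTag() };
}

// Open a packet on the receiving device; null means "reject, do not process".
function openSignaling(secrets, packet) {
  const secret = secrets.get(packet.keyGen);
  if (!secret) return null; // unknown or retired key generation
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", secret, packet.nonce);
    d.setAAD(aadFor(packet.relationId, packet.keyGen));
    d.setAuthTag(packet.tag);
    return Buffer.concat([d.update(packet.body), d.final()]).toString("utf8");
  } catch {
    return null; // tag mismatch: payload or routing fields were altered
  }
}

function demo() {
  const secrets = new Map([[1, crypto.randomBytes(32)]]); // per-relation key store
  const packet = sealSignaling(secrets.get(1), "relation-A", 1, SAMPLE_SDP);
  const flipped = Buffer.from(packet.body);
  flipped[0] ^= 1; // one bit changed in transit
  const result = {
    opened: openSignaling(secrets, packet),
    relaySeesIp: packet.body.includes("192.0.2.10"),
    tampered: openSignaling(secrets, { ...packet, body: flipped }),
    rerouted: openSignaling(secrets, { ...packet, relationId: "relation-B" }),
  };
  secrets.set(2, crypto.randomBytes(32)); // rotation: new secret, old one retired
  secrets.delete(1);
  result.afterRotation = openSignaling(secrets, packet);
  return result;
}
console.log(demo());
```

The relay only ever handles `nonce`, `body`, `tag` and the routing fields; any change to those, or a packet sealed under a retired secret, makes `openSignaling` return `null`.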
Device Security
To store relations, private keys, secrets and messages, our applications use an SQLCipher database. The database is therefore encrypted with an AES-256 encryption key, which is stored either in the iOS keychain or in the Android keystore.
Our applications have been audited by Quarkslab and by independent security auditors.