惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Securelist
Simon Willison's Weblog
Simon Willison's Weblog
Security Latest
Security Latest
博客园 - 司徒正美
T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
Check Point Blog
Jina AI
Jina AI
H
Heimdal Security Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
B
Blog
美团技术团队
W
WeLiveSecurity
G
Google Developers Blog
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
V
Visual Studio Blog
T
Threatpost
酷 壳 – CoolShell
酷 壳 – CoolShell
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Attack and Defense Labs
Attack and Defense Labs
腾讯CDC
Hacker News - Newest:
Hacker News - Newest: "LLM"
Cyberwarzone
Cyberwarzone
Apple Machine Learning Research
Apple Machine Learning Research
P
Privacy & Cybersecurity Law Blog
H
Hacker News: Front Page
博客园 - 【当耐特】
人人都是产品经理
人人都是产品经理
有赞技术团队
有赞技术团队
Hugging Face - Blog
Hugging Face - Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
V
Vulnerabilities – Threatpost
AI
AI
MongoDB | Blog
MongoDB | Blog
Project Zero
Project Zero
Hacker News: Ask HN
Hacker News: Ask HN
量子位
A
Arctic Wolf
GbyAI
GbyAI
Recorded Future
Recorded Future
SecWiki News
SecWiki News
小众软件
小众软件
Martin Fowler
Martin Fowler

Show HN

GitHub - steveking-gh/firmion: Firmion is DSL and engine for firmware image generation. GitHub - villagesql/villagesql-skills: Agent skills for VillageSQL - gemini-cli-extension; claude-code-plugin GitHub - flightdeckhq/flightdeck: Observability and control plane for AI agents. CSP Radar GitHub - Light-Heart-Labs/DreamServer: Turn your PC, Mac, or Linux box into an AI server. LLM inference, chat UI, voice, agents, workflows, RAG, and image generation. GitHub - Diplomat-ai/diplomat-agent-ts: What can your TypeScript AI agent do to the real world? Scan your code. See which tool calls have zero checks Code Block Selector - Visual Studio Marketplace Prometheus dependency graph — interactive showcase | Riftmap Show HN: I made a vi-like modal keyboard plugin for Figma GitHub - run-llama/liteparse: A fast, helpful, and open-source document parser GitHub - dalemyers/Roar: A macOS CLI tool for notifications GitHub - district-solutions/open-agent-tools-coder: Enables small-to-large self-hosted ai models to use local source code when running tool-calling agentic workloads. We actively data mine 20,900+ (2+ TB) popular github repos using large and small ai models to create reuseable: json, markdown and parquet files for local-first tool-calling models. GitHub - progapandist/stripeek: A local TUI proxy for real-time Stripe API debugging, built for navigating complex payloads fast. GitHub - sir1st/hermes-desktop: All-in-one cross-platform desktop app for Hermes Agent — bundles Python + hermes-agent + hermes-web-ui GitHub - astefanutti/shaderbang: Shebang for Shaders Show HN: Generate Claude Code Workflows using Spec Driven Development approach GitHub - nixys/nxs-universal-chart: The Helm chart you can use to install any of your applications into Kubernetes/OpenShift Show HN: AI agents for UK GDAD PCF roles and their skills The Two Pillars: Mixer Mode and Meta-Software in the Reorganization of Software Work After AI GitHub - JaiCode08/teleport-env What 1,000+ Harness Experiments Taught Me About Self-Improving Agents Show HN: Liiists, a Markdown-first, iOS and CLI list app SwiperTab – Get this Extension for 🦊 Firefox (en-US) GitHub - kouhxp/fftext: Summarize, explain, fact-check, or translate any text, URL, or file. No GPU. No cloud. One command GitHub - sweetpad-dev/sweetpad: Develop Swift/iOS projects using VSCode GitHub - dogmaticdev/IRON: IRON a.k.a. Intermediate Representation Object Notation is a Interpreter/Database that is used to create Programming Languages. GitHub - sjhalani7/vaen: Package your AI coding harness into a portable .agent file, and share it across repos, teams, & the community without ever having to copy-paste instructions, skills, MCP config, or secrets. Show HN: Gandalf the Grader Show HN: Citadeld – replay any CI failure locally from a single file GitHub - tdortman/cuSBF: High-Performance GPU Super Bloom Filter coral-ai/claude-code-token-xray at main · Coral-Bricks-AI/coral-ai GitHub - ulyssestenn/funes: Funes is a Git-based framework for LLM-managed knowledge work: an AI Librarian ingests raw sources, builds an interlinked Markdown knowledge base, and uses it to produce cited reports, analyses, and other outputs. GitHub - ThatXliner/gah: Git Add Hunk, built for agents to use GitHub - harmont-dev/harmont-cli: Command-line client for the Harmont CI platform GitHub - brooksmcmillin/mcp-authflow: OAuth 2.0 Authorization Server framework for MCP servers GitHub - javaid-codes/audit-supply-chain-agents GitHub - amorey/gochan: A small library of common channel architectures for Go, inspired by Rust GitHub - arifozgun/OpenGem: Free, Open-Source AI API Gateway with Gemini, OpenAI & Anthropic Compatibility in 1 file GitHub - Pranesh950/BioPetals: 🌸 Run BIOxAI models at home, BitTorrent-style. Fine-tuning and inference up to 10x faster than offloading GitHub - cnguyen14/bounty-doctor: Diagnose a GitHub bounty issue before you waste hours: detects honeypot scam repos, AI-bot attempt swarms, and stale contests. Show HN: CoreMCP – MCP Server for On-Prem DBs Show HN: KittyHTML – Render HTML/CSS as an inline image in your terminal GitHub - bingud/filemat: Web-based file manager Show HN: TruthLens – Free multi-signal deepfake image detector GitHub - apexlocal-jz/claude-usage-tray: Windows system-tray app showing your Claude Code rate-limit usage at a glance. Zero deps, ~300 lines of PowerShell. Cross-IDE (works regardless of VS Code, Cursor, plain terminal). Release v0.1.2.1 · kouhxp/yapsnap GitHub - noopolis/moltnet: Self-hostable chat network for AI agents. Pre-built bridges for Claude Code, Codex, and the Claws. Rooms, DMs, history. No Slack bots, no Matrix, no glue code. GitHub - tamerh/enju: Coordinating Humans, AI Agents, and Compute as Peers on a Shared Workflow Graph Show HN: Continuity-auth – Respect-weighted rate limits for the open web GitHub - luml-ai/luml: AI lifecycle platform where engineers and agents track experiments, train models, and ship to production. GitHub - mrdanielcasper/CoreTex: A UNIX-inspired, biomimetic, flat-file AI harness and knowledge engine. GitHub - clemg/pierre-github: Pierre's diffs.com and trees.software for Github GitHub - lyriks-io/unspaghettit: Behavior-driven AI development without prompt spaghetti. GitHub - sofumel/claude-handoff-revive: Resume Claude Code work after rate/usage/context limits without replaying the prior transcript. Auto-saves at 90%/95% usage. Plugin-installable, 10 languages. GitHub - dotexorg/saferpc: Typed, end-to-end encrypted RPC over any bidirectional channel. GitHub - BeeZeeAgent/beezee: Agent harness orchestration Legato Next.js Boilerplate for Internal Tools · CoreUI GitHub - clark-labs-inc/clark-hash: Clark Hash, 32x smaller searchable sketches for embeddings GitHub - ZeroPointRepo/youtube-mcp: The fastest YouTube transcript + YouTube search MCP for AI agents. Try for free. Typing Mastery — climb toward 100+ WPM, deliberately GitHub - Andebugulin/Awareen GitHub - fayzan123/claude-workflow-composer: Visual desktop app for composing multi-agent coding workflows. Drag agents, attach skills and MCPs, wire handoffs, export to .claude/ GitHub - harshaneel/humanize: Best static AI text humanizer. Two research-grounded skills that work in any LLM (Claude, ChatGPT, Gemini, Codex): humanize beats perplexity-based detectors, ai-check produces forensic scoring with evidence-quoted flags. Nine levers, 50+ peer-reviewed sources, 2024-2026 detection literature. GitHub - StackOneHQ/stack-nudge GitHub - nodes-app/swift-markdown-engine: A native AppKit Markdown editor for macOS, built on TextKit 2 and bridged to SwiftUI. We hardened an LLM agent. Each defense we added made it more exploitable. GitHub - alkait/WhatsKept: Agent-queryable WhatsApp history from an iOS backup — a single Go binary. GitHub - octelium/cordium: Open-source, general-purpose sandbox platform for devs and AI agents that provides identity-based secure access to infrastructure without credentials. WAR.GOV/UFO Microfilm5 GitHub - scosman/videowright: Build animated explainer videos with your coding agent GitHub - dipankar/dscode: The code editor you can take apart. GitHub - zoharbabin/web-researcher-mcp: MCP server (Go) for AI assistants: web search, content extraction, academic/patent/news research. Multi-provider routing, 4-tier scraping, search lenses. Works with Claude, Cursor, and any MCP client. GitHub - ruvnet/RuView: π RuView turns commodity WiFi signals into real-time spatial intelligence, vital sign monitoring, and presence detection — all without a single pixel of video. GitHub - scanaislop/aislop: Catch the slop AI coding agents leave in your code: narrative comments, swallowed exceptions, as-any casts, dead code, oversized functions. 50+ rules across 7 languages (TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP). Sub-second, deterministic, no LLM at runtime. MIT-licensed. GitHub - kouhxp/cheap-im: CPU-only voice agent approximating Thinking Machines' Interaction Models demo GitHub - unprovable/OrchidMantis: Orchid Mantis — standalone framework for Zero-Knowledge Proofs of eXploit (ZKPoX). GitHub - MarcellM01/TinySearch: Shrink the web for your local LLMs! GitHub - TangibleResearch/Halgorithem: A Algo designed to detect AI Hallucitions GitHub - DO-SAY-GO/freelang: I love freelang GitHub - CarpseDeam/Aura-IDE: An AI coding harness that shaped itself - Planner/Worker agents, repo awareness, surgical edits, validation, recovery, and safe diff approvals. GitHub - chojs23/concord: A feature-rich TUI client for Discord GitHub - tommyjepsen/awesome-ux-skills: UX & AI Product designs skills you can use today in Claude Code GitHub - aerf-spec/aerf: Agent Evidence Receipt Format (AERF) — an open specification for tamper-evident, independently verifiable records of AI agent actions. GitHub - kklimuk/docx-cli: CLI for AI agents (Claude, Codex) to read, edit, and comment on .docx files with full format fidelity. GitHub - Jwrede/tokentoll: Catch LLM cost changes in code review. Infracost for LLM spend. GitHub - samchon/ttsc: A `typescript-go` toolchain for compiler-powered plugins and type-safe execution + 500x faster lint integrated into compiler GitHub - Higangssh/homebutler: 🏠 Manage your homelab from chat. Single binary, zero dependencies. GitHub - olalie/tapmap: See where your computer connects and what stands out on a live world map. GitHub - Diplomat-ai/diplomat-agent: What can your AI agent do to the real world? Scan your code. See which tool calls have zero checks GitHub - Bajusz15/beacon: Open-source agent for secure remote access, monitoring, and deploys across home-lab and self-hosted machines like Raspberry Pi, N100, or any Linux server. Open web based TTY or tunnel Home Assistant and other local services securely without opening ports. BigTech AI News - Chrome 应用商店 GitHub - vinhnx/VTCode: VT Code is an open-source coding agent with LLM-native code understanding and robust shell safety. Supports multiple LLM providers with automatic failover and efficient context management. GitHub - michaelaz774/decision-engine: A decision operating system for startup founders, powered by Claude Code. Synthesizes wisdom from 25+ legendary founders and investors into interactive AI-driven decision frameworks. GitHub - Chrilleweb/dotenv-diff: Validate environment variable usage in your codebase GitHub - Lumen-Labs/brainapi2: BrainAPI is a knowledge graph–powered AI memory layer that transforms unstructured data into structured knowledge, enabling intelligent search, recommendations, and contextual memory for AI agents and applications. GitHub - familiar-software/familiar: Let AI watch you work. Familiar lets your AI update its memory, skills, and knowledge by watching your screen. GitHub - skorotkiewicz/rudo: A small, elegant dock for Wayland GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. make sidebar/address bar rounded corner toggleable
Marketing Claim Audit — Phantom Chat by Veilus Digital
VeilusDigita · 2026-06-20 · via Show HN

This document maps every technical claim made on veilusdigital.co and inside the iOS app to the specific Swift source file that implements it. Each row reflects what the code actually does — not what marketing copy aspires to. Where a claim is partial or unimplemented, that is noted explicitly. The goal is to make this product easy to fact-check before you write or record about it.

On line numbers: the line references below were accurate when re-verified on the date above. Line numbers drift as code evolves — the file name + symbol/function name is the durable reference. If a line has moved, search for the named symbol in that file. Happy to share the exact commit on request.

If anything here is unclear, contact support@veilusdigital.co and I'll walk through the relevant code or schedule a screen-share.


1. Cryptography

1.1 Post-Quantum Key Exchange (PQXDH / Hybrid Curve25519 + ML-KEM-768)

Claim Every new conversation uses NIST FIPS 203 ML-KEM-768 (Kyber) hybridised with classical Curve25519 — if either survives the next 20 years, messages stay safe.
Status ✅ Verified, executes on every new conversation. Not dead code.
Code path Phantom Chat/X3DHProtocol.swift:64-80 (Kyber-768 keypair generation, integrated into bundle)
Phantom Chat/X3DHProtocol.swift:161-191 (PQXDH hybrid is engaged for both initiator and responder)
Phantom Chat/X3DHProtocol.swift:182PQXDHHybrid.combine() merges classical X3DH with Kyber shared secret via HKDF
Phantom Chat/KeyStore.swift:329-352ensureKyberKey() generates and persists Kyber-768 keypairs (2400 bytes)
Note Implementation is custom Swift, not libsignal. The algorithms (X3DH, Double Ratchet, ML-KEM-768) are standard and publicly documented; the Swift code re-implements them rather than linking the Rust libsignal library.

1.2 Double Ratchet (Signal Protocol)

Claim Every message uses a fresh derived key, rotated automatically per message with a Diffie-Hellman ratchet step on conversation-direction change.
Status ✅ Verified — full implementation of all 5 algorithm components.
Code path Phantom Chat/DoubleRatchet.swift:20-33 (root key + send/receive chain keys + DH ratchet keys)
Phantom Chat/DoubleRatchet.swift:45-46 (skipped-message-keys dictionary for out-of-order delivery)
Phantom Chat/DoubleRatchet.swift:66-88 (encryptMessage() derives the next message key, advances send chain)
Phantom Chat/DoubleRatchet.swift:112-114 (performDHRatchet() step)
Phantom Chat/DoubleRatchet.swift:117-128 (skipped-keys path)

1.3 AES-256-GCM

Claim Messages and media are encrypted with AES-256-GCM.
Status ✅ Verified — used everywhere.
Code path Phantom Chat/DoubleRatchet.swift:71AES.GCM.seal() for message encryption
Phantom Chat/SecureMediaManager.swift:41AES.GCM.seal(data, using: key) for media
Phantom Chat/ChatAPI.swift:978, 1338AES.GCM.SealedBox for decrypt
Phantom Chat/VerificationStore.swift:388 — AES-GCM for stored fingerprint encryption

1.4 Hardware-Bound Identity (Secure Enclave)

Claim Long-term identity key generated inside the iPhone's Secure Enclave; private key never leaves hardware.
Status ✅ Verified — SE preferred on first launch.
Code path Phantom Chat/KeyStore.swift:40, 60, 78, 109SecureEnclave.P256.KeyAgreement.PrivateKey creation and persistence
Phantom Chat/KeyStore.swift:192 — biometric access control on SE key
Phantom Chat/KeyStore.swift:554-580createAndPersistSecureEnclaveKey() and loadSecureEnclaveKey() via SE blob
Caveat Falls back to software key only if the device does not have a Secure Enclave (older simulators, jailbroken devices missing SEP). Software fallback preserved for backward compatibility.

1.5 App Attest (Device Attestation)

Claim Server verifies that the connecting device is a real iPhone running unmodified Phantom Chat code.
Status ✅ Verified — wired end-to-end (client + server).
Code path Phantom Chat/AuthService.swift:329, 410-475AppAttestService instantiates DCAppAttestService.shared
Phantom Chat/AuthService.swift:469service.generateKey() called and cached
Phantom Chat/AuthService.swift:452, 475-485attestKey(keyID, clientDataHash:) + POST to verifyAppAttestKey Cloud Function
Phantom Chat/functions_index_consolidated.ts:1390-1410 — server-side attestation verification

2. Privacy & Anonymity

2.1 Anonymous Sign-up

Claim No phone number, email, real name, or personal information collected at sign-up. Username only.
Status ✅ Verified.
Code path Phantom Chat/AuthView.swift:6@State private var username: String = "" (the only signup field)
Phantom Chat/AuthView.swift:239-241 — signup collects only username, trims whitespace, calls viewModel.signIn(username: name)

2.2 What the Server Stores

Claim The server (Firebase/Firestore) holds only: username, public key bundle (keyBundle), push/FCM token, subscription status, and encrypted message ciphertext while it is in transit. It cannot read message content, contacts, or who you talk to.
Status ✅ Verified, with the two clarifications below.
Code path Phantom Chat/ChatAPI.swift:2820, 2835 — user doc: username + keyBundle written
Phantom Chat/EncryptedProfileStore.swift:82-92 — profile write
Phantom Chat/SignalSessionInitiationView.swift:281-282 — public keyBundle upload
Phantom Chat/IAPService.swift:263 — subscription status
Phantom Chat/firestore.rulesfcmTokens / fcm / tokens subcollections (push token)
Clarification 1 — the username is plaintext The username is stored as a plaintext field, because it is the routing address other people redeem an invite against. It is not encrypted. No phone number, email, or real name is stored anywhere (ChatAPI.swift:2820).
Clarification 2 — diagnostic probes are transient During connection setup the app writes a tiny probe doc to users/{uid}/diagProbes/ to measure write latency, then immediately deletes it in the same call (ChatAPI.swift:316-327). It contains only a server timestamp + the string "diag" — never user content.

2.2b Message Retention — How Long the Server Keeps Ciphertext

Claim Encrypted message ciphertext is removed from the server when its disappearing-message timer expires, or when the account / conversation is deleted.
Status ✅ Verified — and stated honestly: messages are not wiped the instant they're delivered.
What actually happens Ciphertext stays on the server until (a) the per-message expireAt timer fires, or (b) the user deletes their account or conversation. This is deliberate: Firestore re-delivers the message backlog to a device that was offline, which is exactly why the client keeps a persisted seenRemoteIDs dedup set (ChatAPI.swift:508, 608). Throughout, the payload stays end-to-end encrypted and unreadable by the server.
Code path expireAt set on send: Phantom Chat/ChatAPI.swift:1696, 1895, 2168-2170, 2231-2233
expiry honoured on read: Phantom Chat/ChatAPI.swift:1359-1365
account deletion: Phantom Chat/ChatAPI.swift:4395 (deleteAccount())
What we do NOT claim We deliberately avoid saying "deleted from our servers immediately after delivery" or "messages live only on your device." The honest framing is: the server holds only ciphertext it cannot read, removed on timer expiry or account/conversation deletion.

2.3 Push Notifications Carry No Content

Claim Push notifications never include message content — only an opaque wake signal and metadata so the app can fetch and decrypt locally.
Status ✅ Verified.
Code path Phantom Chat/MessagePreviewExtention/NotificationService.swift:30-43 — security comment explicitly forbids sending message content; payload shows only "New Message" + sender pseudonym
Phantom Chat/functions_notifyGroupInvitation.js:107 — push body is "${inviterUsername} invited you to join ${groupName}" (metadata only)

2.4 No In-App User Search / No Public Directory

Claim There is no feature in the app to search for or browse other users by name. Contact discovery is invite-code / QR only.
Status ✅ Verified for the app. ⚠️ See the honest backend note below.
Code path Client-side username-search code removed entirely (commits 2026-05-27).
RedeemInviteView / GenerateInviteView are the only discovery paths.
Phantom Chat/firestore.rules:78-79 — legacy usernameIndex/{hash} read locked to allow read: if false, so the leftover index documents on existing accounts cannot be enumerated.
Honest backend note The users/{uid} profile documents are readable by any authenticated app user (firestore.rules:66-68, allow read: if isSignedIn()). In normal use the app fetches a single profile by a known UID (a get). Because Firestore's read permission also grants list, a determined authenticated client could in principle enumerate the users collection — which would expose usernames and public key bundles only. It would never expose a phone number, email, real name (none are stored) or any message content (end-to-end encrypted). There is no in-app feature that performs this enumeration.

2.5 Invitation Code Discovery (1-on-1)

Claim One-shot invite codes (XXXX-XXXX-XXXXXX) or QR codes are the only contact-discovery method.
Status ✅ Verified.
Code path Phantom Chat/ChatListView.swift:1341+RedeemInviteView + GenerateInviteView
Phantom Chat/functions_index_consolidated.tsgenerateInvitationCode + redeemInvitationCode cloud functions

2.6 Group Invitation Codes (1–500 redemptions per code)

Claim Each group invite code can be redeemed up to 500 times; expiry from 1 day to never; creator can issue multiple codes.
Status ✅ Verified.
Code path Phantom Chat/GroupInviteCodeManagerView.swift:458Stepper(value: $maxJoins, in: 1...500)
Phantom Chat/GroupInviteCodeManagerView.swift:729-746 — expiry options including "Never"
Note There is no per-group total cap in the code; the 500 is per-code. Multiple codes pointing at the same group are supported. The website wording reflects this honestly.

2.7 Metadata the Server Can See (full disclosure)

Claim Message content is end-to-end encrypted and unreadable by us. We are honest that some metadata exists server-side, like every messenger.
Status ✅ Content encrypted. ⚠️ Metadata disclosed honestly below — we do not claim "zero metadata" or "we can't see who talks to whom."
What the server CAN see (plaintext) • 1-on-1 pairing: pairs/{id} stores a plaintext participants:[uidA,uidB] (ChatAPI.swift ~1668-1674).
• Group membership + title: groups/{id} stores plaintext name, participants, createdBy (ChatAPI.swift ~3373-3380).
• Per-message envelope: plaintext senderId, createdAt, expireAt (the body/ciphertext is encrypted).
• Account: username (plaintext), public key bundle, push token, subscription status.
What the server CANNOT see Message text, media, and any conversation content — all AES-256-GCM under the Double-Ratchet/PQXDH session keys, which never leave the devices.
Honest framing "We can't read your messages — there's no content for us to disclose. The minimal account metadata we hold (username, which accounts share a conversation, timestamps, push token, subscription) we minimise and resist requests for." This is the Signal trust model. Reducing metadata further (sealed sender) is a roadmap item.

2.8 Emergency Destruct — exactly what is deleted, and what is recoverable

Claim Emergency Reset / account destruct removes your account, conversations, and media from our servers, and destroys the encryption keys on your device so any residual data is undecryptable.
Status ✅ Accurate with the honest scope/recoverability notes below. We do not claim we can forcibly overwrite data on Google's physical servers (no cloud service can).

On the device — SecureDataDestruction.killSwitch():

  • Calls the server deleteAccount cloud function.
  • Deletes the user's Firebase Storage media (personal / pair / group).
  • Keychain wipeSecItemDelete across all key classes (SecureDataDestruction.swift:158-176). This destroys the encryption keys = crypto-erase.
  • 7-pass DoD 5220.22-M overwrite of every file in Documents/Caches/App Support/tmp, then delete (SecureDataDestruction.swift:222-254).
  • Clears UserDefaults, Firebase cache, overwrites heap memory.

On the server — deleteAccount (functions_index_consolidated.ts:212-740):

  • 1-on-1 pairs: deleted entirely — both halves, all messages, all media.
  • Account: user doc, all sub-collections, username index, push tokens, invites, invite codes deleted; then Firebase Auth account deleted (auth.deleteUser).
  • Groups: the user is removed (sender key + receipts deleted). The group is fully wiped only if no participants remain; otherwise the group persists and messages the user already sent into it remain (encrypted) for the other members (functions_index_consolidated.ts:438-494).

Recoverability — the honest answer:

  • Device: effectively permanent. The Keychain key-destruction is a cryptographic erase — any residual flash data is ciphertext with no key, mathematically unrecoverable. (On iOS flash/APFS a multi-pass overwrite isn't guaranteed to hit the original physical cells; the crypto-erase is the real guarantee, the overwrite is secondary.)
  • Server: the app issues a logical delete — data is removed from the live Firestore database and Storage and is gone from the app, queries, and console. We cannot securely overwrite data on Google's infrastructure; after deletion it follows Google Cloud's deletion process. If Point-in-Time Recovery or scheduled backups are enabled on the project, deleted data is restorable by the project owner for that window (PITR ≤ 7 days). Mitigation: the server only ever held encrypted ciphertext, so any residual copy is undecryptable once the device keys are crypto-erased.
  • Not in scope of destruct: the recipient's device still holds its own decrypted copy of any messages they received (no messenger can reach into another user's phone), and group messages the user contributed remain with groups that still have members.

Honest one-liner: "Destruct deletes your account, 1-on-1 conversations, and media from our servers and crypto-erases your keys on-device, so any encrypted copy that briefly persists in our provider's backups can never be read. We don't claim to physically overwrite Google's disks — no service can."


3. Emergency Account Reset (Three Independent Paths)

3.1 Shake-to-Wipe

Claim Shaking the phone four times in roughly one second surfaces the destruction confirmation.
Status ✅ Verified — uses CoreMotion accelerometer thresholds, not motionEnded.
Code path Phantom Chat/RootView.swift:16-102PanicShakeDetector (4+ reversal peaks within a 1.2s window)
Phantom Chat/RootView.swift:91-92 — peak-count threshold
Phantom Chat/RootView.swift:436-440 — callback sets showPanicConfirm = true

3.2 Lock Screen Widget

Claim A Lock Screen widget that, on tap (Face ID required by iOS), opens the app to the destruction confirmation.
Status ✅ Verified — iOS enforces Face ID on Lock Screen widget delivery.
Code path PhantomPanicWidget/PhantomPanicWidget.swift:51.widgetURL(URL(string: "phantomchat://panic"))
Phantom Chat/RootView.swift:374-397.onOpenURL catches the panic URL, triggers confirmation alert
Phantom Chat/PhantomPanicWidget.swift:8-10 — comment notes Face ID is system-enforced for Lock Screen variant

3.3 Duress Passcode

Claim A separate "duress" PIN entered at App Lock looks identical to the real PIN but silently destroys all data while presenting the decoy persona pack to whoever is holding the phone.
Status ✅ Verified.
Code path Phantom Chat/RootView.swift:526AppPasscodeStore.verify(entered) returns .duress verdict
Phantom Chat/RootView.swift:535-553 — duress branch triggers silent wipe via deleteAccount() while showing decoy UI
Phantom Chat/SettingsView.swift:536-548 — "Set Duress Passcode" UI

3.4 Multi-Pass Secure Deletion (DoD 5220.22-M, 7 passes)

Claim Emergency Destruction overwrites local files 7 times before deletion.
Status ✅ Verified — the code literally performs DoD 5220.22-M (3 random + 3 complement + 1 zero passes).
Code path Phantom Chat/SecureDataDestruction.swift:227-250 — exact 7-pass implementation
Caveat (technical) iOS uses APFS on flash storage with copy-on-write semantics. Multi-pass overwrites of file contents don't necessarily hit the original physical NAND blocks — that is a known property of flash storage, not specific to this app. The cryptographic-erase approach (destroying the data-protection key) is the primary defense; the multi-pass overwrite is a secondary belt-and-braces layer. We do both. The bare minimum guarantee — that the data is no longer cryptographically accessible — is satisfied either way.

4. UI & State Privacy

4.1 App Switcher Blackout (Privacy Overlay)

Claim When the app moves to the background or App Switcher, a solid black overlay covers any sensitive content before iOS takes its snapshot.
Status ✅ Verified, covers both .background and .inactive scene phases.
Code path Phantom Chat/RootView.swift:354-355.onChange(of: scenePhase)
Phantom Chat/RootView.swift:630-690 — three explicit handlers:
.background → sets isScreenObscured = true immediately
.inactive → debounced obscure via 400ms delay (suppresses transient push flickers)
.active → cancels any pending obscure
Phantom Chat/RootView.swift:238-243 — black overlay renders when appState.isScreenObscured && !appState.isLocked

4.2 Screenshot Detection

Claim If someone screenshots a 1-on-1 chat, the other party is notified with a system message.
Status ✅ Verified.
Code path Phantom Chat/ConversationScreen.swift:363 — listens for UIApplication.userDidTakeScreenshotNotification
Phantom Chat/ConversationScreen.swift:801-826handleScreenshot() sends "📸 Screenshot taken" as an actual encrypted message to the peer

4.3 Disappearing Messages

Claim Per-conversation timers that auto-delete messages from both devices after a chosen interval.
Status ⚠️ Range verified. The minimum is 10 seconds, not 1 second. Maximum is ~30 days (1 month = 2.59 million seconds). The website was updated 2026-05-27 to reflect this.
Code path Phantom Chat/DisappearingMessagesView.swift:11-32 — timer options: 10s, 30s, 1m, 2m, 5m, 10m, 15m, 30m, 1h, 2h, 3h, 6h, 12h, 1d, 2d, 3d, 1w, 2w, 1mo

5. Customisation

5.1 76 Alternate App Icons

Claim 76+ alternate app icons available in Settings → App Icon.
Status ✅ Verified — exactly 76 unique icons in the bundle.
Code path Phantom Chat/Phantom Chat/AlternateIcons/*@2x.png — 76 unique base names (each icon has @2x and @3x variants for 152 files total)

6. Coming Soon — Honestly Marked, Not Yet Built

6.1 Tor Relay Routing (Anonymous Tier)

Marketing label "Coming Soon"
Status ❌ Not implemented in shipping build.
Code path Phantom Chat/ChatAPI.swift:29-31 — Tor integration explicitly disabled with comment "DISABLED: Tor integration (types not available)"
Phantom Chat/CURRENT_ISSUES_SUMMARY.md:10-19 — open test failure Code=-1004
Note Framework scaffolding exists in the build but is not functional. "Coming Soon" label on the website is accurate.

6.2 Offline Bluetooth / P2P Mesh (Anonymous Tier)

Marketing label "Coming Soon"
Status ❌ Not implemented. Zero scaffolding.
Code path No MultipeerConnectivity, CoreBluetooth, or mesh implementation in the Swift code. Pure roadmap item.
Note "Coming Soon" label is honest — not even a stub exists yet.

7. Things Removed From Marketing After Code Audit

These claims previously appeared on the website or in the in-app onboarding tour and have been removed because the code does not back them:

Claim removed Reason
"Sealed Sender envelopes" No Sealed Sender implementation exists. (Signal-style "sealed sender" is a specific protocol feature that requires server-side blinding — Phantom Chat does not implement it.)
"iMessage doesn't have post-quantum encryption" Apple shipped PQ3 on iMessage in iOS 17.4 (March 2024). The comparison table was corrected.
"Air-gapped servers" The backend runs on Firebase (Google Cloud). "Air-gapped" — meaning no network connection at all — is provably false for any cloud-hosted service. Replaced with "encrypted-at-rest infrastructure".
"No metadata stored" (in hero) The Privacy Policy enumerates what IS stored (username, push token, subscription). "No metadata" was an overclaim. Replaced with "No phone. No email. No tracking."

8. How to Verify This Yourself

The TestFlight beta is open: https://testflight.apple.com/join/rmSrMch9

For a deeper look:

  • Open Wireshark or a similar tool on a Wi-Fi network with TestFlight running — confirm only encrypted Firestore + APNs traffic.
  • Read the on-device logs — enable Settings → Logs & Support → File Logging, do anything, then tap "Send Logs to Veilus" — the log file shows every cryptographic operation step-by-step.
  • Request the cloud functions source — happy to share functions_index_consolidated.ts (~1700 lines) for review of the server-side claims.

For deeper questions: support@veilusdigital.co.

— Curtis Tunaley Founder, Veilus Digital Western Australia