Auditability

In a privacy-focused ecosystem like DecoyPhrase, "Don't Trust, Verify" is our guiding principle. This document provides a roadmap for security researchers and auditors to independently verify our claims.

Verifiable Source Code

Our critical logic is open source and separated from UI code to make auditing easier.

Cryptographic Core

The encryption/decryption logic is isolated in the decoyphrase (Core) repository.

Location: lib/crypto/
Key Files:
- aes.ts: Implementation of AES-256-GCM.
- hash.ts: SHA-256 hashing utilities.
- key_derivation.ts: PBKDF2 logic.

Note: The Web and Mobile projects import or replicate this standard logic strictly. We do not use proprietary or "home-rolled" algorithms.

Mobile Security

For the mobile app, auditors should focus on how keys are stored at rest.

Location: decoyphrase_mobile/lib/
Key Dependencies:
- flutter_secure_storage: Wrapper for iOS Keychain and Android Keystore.
- local_auth: Biometric authentication implementation.

Build Verification

We aim for reproducible builds. You can verify that the code on GitHub matches the deployed artifact.

Web Build

Clone the repository

Clone the decoyphrase-web repo.

Install dependencies

Use the lockfile for exact versions.

Install dependencies

npm ci

Build the project

Build

npm run build

Inspect build artifacts

Inspect the .next output directory.

Tip: Check page chunks for any unauthorized external script injections (e.g., analytics trackers not disclosed in docs).

Mobile Build

Clone the repository

Clone the decoyphrase_mobile repo.

Verify dependencies

Check the pubspec.lock file hash to ensure no dependencies have been tampered with.

Build the release APK/IPA

Build APK (example)

flutter build apk --release

Compare build hashes

Compare the SHA-256 hash of your local build with the official release on GitHub Releases.

Note: Hash differences may occur due to timestamps/signing keys, but the DEX code content should be functionally identical.

Dependency Auditing

We minimize external dependencies to reduce the attack surface. However, we do use standard libraries.

Automated Checks

We encourage all users to run their own audits on our dependency tree.

For Web/Core (NPM):

Audit NPM dependencies

# Checks for known vulnerabilities in the dependency tree
npm audit

For Mobile (Pub): We pin versions in pubspec.yaml to avoid surprise updates. You can review the full tree:

List Flutter dependencies

flutter pub deps

Critical Third-Party Libraries

Library

Usage

Justification

crypto-js

Web/Core Encryption

Standard, battle-tested JS crypto library.

flutter_secure_storage

Mobile Storage

Industry standard for accessing Keychain/Keystore.

arweave

Core Storage

Required for interacting with the Permaweb.

PreviousArchitecture & Design NextRelease & Roadmap

Good afternoon

hashtagVerifiable Source Code

hashtagCryptographic Core

hashtagMobile Security

hashtagBuild Verification

hashtagWeb Build

hashtagClone the repository

hashtagInstall dependencies

hashtagBuild the project

hashtagInspect build artifacts

hashtagMobile Build

hashtagClone the repository

hashtagVerify dependencies

hashtagBuild the release APK/IPA

hashtagCompare build hashes

hashtagDependency Auditing

hashtagAutomated Checks

hashtagCritical Third-Party Libraries

Verifiable Source Code

Cryptographic Core

Mobile Security

Build Verification

Web Build

Clone the repository

Install dependencies

Build the project

Inspect build artifacts

Mobile Build

Clone the repository

Verify dependencies

Build the release APK/IPA

Compare build hashes

Dependency Auditing

Automated Checks

Critical Third-Party Libraries