THREAT MODEL

UNDERWORLD is designed for high-risk communication in environments where the network may be monitored, metadata may be weaponized, and user exposure can create real-world consequences.

The system is built on four core assumptions:

The network may be hostile.
The relay must not be trusted.
Metadata can be as sensitive as message content.
Cloud recovery can become an attack surface.

UNDERWORLD does not claim to eliminate every risk. It reduces exposure through layered security: local encryption, device-bound identity, anonymity-network routing, fail-closed delivery, metadata minimization, attachment sanitization, active attack detection, and emergency local protections.

This page defines the threats UNDERWORLD is designed to reduce, the assets it protects, the adversaries it considers, and the limits that remain outside the control of any secure messenger.

SECURITY OBJECTIVES

UNDERWORLD is designed to protect sensitive communication before, during, and after transmission.

The main security objectives are:

Protect message confidentiality.
Protect message integrity.
Protect cryptographic identity.
Reduce metadata exposure.
Prevent insecure routing fallback.
Limit relay knowledge.
Reduce traffic-analysis clarity.
Protect sensitive attachments.
Detect active interference.
Protect local app access.
Support emergency communication conditions.
Make degraded trust visible to the user.

The goal is not only to encrypt messages. The goal is to reduce what can be learned from the entire communication environment.

PROTECTED ASSETS

UNDERWORLD treats the following as sensitive:

Message plaintext.
Voice message content.
Attachment content.
Attachment metadata.
User identity keys.
Session keys.
Ratchet state.
Contact identities.
Conversation history.
Blackout Mode capsules.
Silent Witness capsules.
Recipient verification data.
Routing state.
Security alarm state.
Local app data.
Contact relationship information.

These assets are protected through local encryption, local storage, minimized server knowledge, fail-closed routing, and restricted application behavior.

ADVERSARY CAPABILITIES

UNDERWORLD considers adversaries that may have one or more of the following capabilities.

Network Observation

An adversary may monitor traffic between the user’s device, anonymity networks, relays, or destination infrastructure.

They may try to identify users, infer locations, measure activity, observe timing, or correlate traffic patterns.

Network Interference

A hostile network may block, degrade, delay, inject, replay, or manipulate communication.

It may also attempt to force the app into a weaker routing mode.

Relay Compromise

A relay may be monitored, probed, seized, misconfigured, unavailable, or operated by an untrusted party.

UNDERWORLD assumes relay compromise is possible and designs the relay as ciphertext transport, not a trusted message authority.

Metadata Collection

An adversary may not need message content to create harm.

They may study who communicates, when communication happens, how often users are active, what files are exchanged, or which destinations are contacted.

Impersonation and Identity Substitution

An attacker may attempt to impersonate a contact, replace identity material, forge relay messages, or trick a user into trusting the wrong destination.

Message Manipulation

An attacker may inject, replay, duplicate, corrupt, modify, or forge encrypted payloads.

UNDERWORLD treats these conditions as security events rather than ordinary delivery errors.

Attachment-Based Attacks

Files may be used to leak metadata, disguise dangerous content, exploit parser behavior, misrepresent file type, or carry hidden identifying information.

Forced Access

A user may be pressured to unlock the app, reveal messages, disclose local identity, or expose sensitive material under coercion.

Long-Term Cryptographic Risk

Encrypted traffic captured today may be stored and attacked later using improved computational capabilities, including future quantum-relevant threats.

Compromised Endpoint Risk

A device may be affected by malware, spyware, hostile accessibility services, malicious keyboards, screen capture tools, or compromised firmware.

UNDERWORLD includes mobile hardening, but a fully compromised device remains one of the hardest threats for any messenger to solve.

THREATS AND MITIGATIONS

Network Surveillance

Risk:
A network observer may attempt to identify the user’s IP address, location, relay destination, timing behavior, or communication activity.

UNDERWORLD Mitigation:
UNDERWORLD routes communication through anonymity networks such as Tor and I2P to reduce direct network exposure. Release builds are designed to avoid ordinary direct routing and block insecure fallback.

Residual Limit:
No anonymity network can guarantee absolute protection against every form of large-scale traffic correlation. UNDERWORLD reduces exposure; it does not claim mathematical invisibility.

Relay Compromise

Risk:
An attacker who observes or compromises relay infrastructure may attempt to read messages, identify users, reconstruct conversations, or collect sensitive delivery data.

UNDERWORLD Mitigation:
The relay is designed to handle ciphertext only. Message content is encrypted before transport, private keys remain local, and the relay is not trusted with plaintext, cloud backups, or identity recovery.

Residual Limit:
Relay compromise may still affect availability, timing, and delivery behavior. It should not reveal plaintext message content if the encryption layer remains intact.

Routing Downgrade

Risk:
A hostile network may attempt to force communication away from protected routing and into a weaker direct path.

UNDERWORLD Mitigation:
UNDERWORLD is designed to fail closed. If protected routing cannot be established, the message does not silently fall back to plaintext relay, direct internet delivery, or ordinary insecure transport.

Residual Limit:
Fail-closed behavior may prevent delivery when the network is blocked or unstable. In high-risk environments, failed secure delivery is safer than unsafe delivery.
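The fail-closed rule above is easiest to see as a route-selection policy that can return a protected transport or a hold, but never a direct path. The following is an added example written for this page, not UNDERWORLD's own code; the transport names, the reachability field, the timeout threshold and the event names are assumptions made for the illustration.

```python
"""Fail-closed route selection: a message is held, never downgraded.

Added illustration, not UNDERWORLD's code. The transport names, the
reachability field, the timeout threshold and the event names are
assumptions for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

PROTECTED = ("tor", "i2p")          # assumed allow-list of routing layers
REPEATED_TIMEOUT_THRESHOLD = 3      # assumed escalation point
HOLD = "HOLD"                       # stay queued locally, still encrypted

ROUTING_DOWNGRADE_ATTEMPT = "INSECURE_ROUTING_DOWNGRADE_ATTEMPT"
TOR_ROUTING_LOSS = "TOR_ROUTING_LOSS"
RELAY_UNAVAILABLE = "RELAY_UNAVAILABILITY"
REPEATED_RELAY_TIMEOUT = "REPEATED_RELAY_TIMEOUT"


@dataclass
class RouteCandidate:
    transport: str          # "tor", "i2p" or "direct"
    relay_reachable: bool   # did the relay answer over this transport?


@dataclass
class Router:
    consecutive_timeouts: int = 0
    events: list[str] = field(default_factory=list)

    def select(self, candidates: list[RouteCandidate]) -> str:
        """Pick a protected transport, or HOLD. 'direct' is never returned."""
        offered = {c.transport for c in candidates}
        # Being offered a direct path at all is recorded: whether it comes
        # from a captive network, tampered DNS or a broken config, the
        # right answer is the same.
        if "direct" in offered:
            self.events.append(ROUTING_DOWNGRADE_ATTEMPT)
        if "tor" not in offered:
            self.events.append(TOR_ROUTING_LOSS)
        for c in candidates:
            if c.transport in PROTECTED and c.relay_reachable:
                self.consecutive_timeouts = 0
                return c.transport
        # A protected transport exists but the relay did not answer:
        # count it, escalate after repeated failures, and hold the message.
        if any(c.transport in PROTECTED for c in candidates):
            self.consecutive_timeouts += 1
            self.events.append(RELAY_UNAVAILABLE)
            if self.consecutive_timeouts >= REPEATED_TIMEOUT_THRESHOLD:
                self.events.append(REPEATED_RELAY_TIMEOUT)
        return HOLD


def demo() -> tuple[list[str], list[str]]:
    """Replay a constructed sequence of network conditions; return picks and events."""
    r = Router()
    picks = [
        r.select([RouteCandidate("tor", True), RouteCandidate("direct", True)]),
        r.select([RouteCandidate("direct", True)]),           # direct only: hold
    ]
    for _ in range(REPEATED_TIMEOUT_THRESHOLD):               # relay dark on both
        picks.append(r.select([RouteCandidate("tor", False), RouteCandidate("i2p", False)]))
    picks.append(r.select([RouteCandidate("i2p", True)]))     # Tor gone, I2P up
    return picks, r.events
```

The point of the structure is that the only two outcomes are a protected transport or HOLD; the direct path is observed and logged but is not a selectable branch, so the residual cost described above (no delivery while the network is blocked) is the designed behavior rather than a failure of it.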

Metadata Exposure

Risk:
Even encrypted communication can expose sensitive information through contact discovery, online status, typing indicators, notification previews, file metadata, timing, or traffic patterns.

UNDERWORLD Mitigation:
UNDERWORLD removes or restricts common metadata leaks: no contact-list upload, no typing indicators, no online status, no last-seen markers, no notification previews, no cloud identity recovery, and no public social graph.

Residual Limit:
Some metadata can still exist at the device, network, or recipient side. UNDERWORLD minimizes exposure but cannot erase all observable behavior.

Traffic Analysis

Risk:
An observer may analyze timing, volume, activity bursts, message size, and communication frequency to infer user behavior.

UNDERWORLD Mitigation:
UNDERWORLD combines anonymity-network routing, decoy relay traffic, metadata minimization, and restricted presence behavior to reduce the clarity of traffic-analysis signals.

Residual Limit:
Decoy traffic reduces signal quality but does not guarantee invisibility against all traffic-analysis capabilities.

Message Tampering

Risk:
An attacker may modify ciphertext, inject malformed packets, forge relay payloads, or corrupt message data.

UNDERWORLD Mitigation:
Authenticated encryption and integrity checks are used to reject modified or invalid encrypted content. Authentication-tag failure, malformed packets, and relay forgery attempts are treated as security-relevant events.

Residual Limit:
Tampering can still cause denial of service, but it should not produce trusted plaintext.

Replay and Duplicate Messages

Risk:
An attacker may resend old encrypted messages or duplicate message identifiers to confuse state or make stale communication appear fresh.

UNDERWORLD Mitigation:
UNDERWORLD detects replay behavior, duplicate message IDs, duplicate encrypted payloads, and suspicious message reuse. These conditions can trigger blocking or warning behavior.

Residual Limit:
Replay attacks may disrupt delivery or trust state. The security model focuses on preventing unsafe acceptance.
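The Message Tampering and Replay sections above describe a receive-side pipeline: reject malformed packets, reject anything whose authentication tag fails, and only then check for duplicate identifiers and duplicate ciphertext. The block below is an added example written for this page, not UNDERWORLD's code. It assumes a simple wire format (id, nonce, ciphertext, tag), uses HMAC-SHA256 over an opaque payload as a stand-in for the authentication tag of a real AEAD scheme, and uses event names chosen for the illustration.

```python
"""Receive-side packet validation: authenticate first, then detect replay.

Added illustration, not UNDERWORLD's code. The wire format, field names,
event names, and the use of HMAC-SHA256 over an opaque payload in place of
a real AEAD tag are all assumptions made for this example.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets

TAG_LEN = 32      # HMAC-SHA256 output length
NONCE_LEN = 12

# Event names are illustrative labels for this example.
ACCEPTED = "ACCEPTED"
MALFORMED_PACKET = "MALFORMED_ENCRYPTED_PACKET"
AUTH_TAG_FAILURE = "AUTHENTICATION_TAG_FAILURE"
DUPLICATE_ID = "DUPLICATE_MESSAGE_ID"
DUPLICATE_PAYLOAD = "DUPLICATE_ENCRYPTED_MESSAGE"


def _tag(key: bytes, msg_id: str, nonce: bytes, ciphertext: bytes) -> bytes:
    # The tag binds the identifier and nonce to the ciphertext, so a payload
    # forwarded under a fresh identifier fails authentication.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(msg_id.encode())
    mac.update(nonce)
    mac.update(ciphertext)
    return mac.digest()


def seal(key: bytes, msg_id: str, ciphertext: bytes) -> dict:
    """Sender side: wrap an already-encrypted payload with id, nonce and tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return {
        "id": msg_id,
        "nonce": nonce.hex(),
        "ct": ciphertext.hex(),
        "tag": _tag(key, msg_id, nonce, ciphertext).hex(),
    }


class Receiver:
    """Per-contact receive state: authenticated ids and ciphertext digests."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_ids: set[str] = set()
        self.seen_digests: set[str] = set()

    def validate(self, packet: dict) -> tuple[str, bytes | None]:
        # 1. Structure: every field present, hex-decodable, correct size.
        try:
            msg_id = packet["id"]
            nonce = bytes.fromhex(packet["nonce"])
            ct = bytes.fromhex(packet["ct"])
            tag = bytes.fromhex(packet["tag"])
        except (KeyError, TypeError, ValueError):
            return MALFORMED_PACKET, None
        if not isinstance(msg_id, str) or len(nonce) != NONCE_LEN or len(tag) != TAG_LEN:
            return MALFORMED_PACKET, None

        # 2. Authenticate, in constant time, before any stateful check.
        if not hmac.compare_digest(_tag(self.key, msg_id, nonce, ct), tag):
            return AUTH_TAG_FAILURE, None

        # 3. Replay checks run only on authenticated packets, so an
        #    unauthenticated sender cannot poison the seen-sets and provoke
        #    false duplicate alarms against genuine messages later.
        digest = hashlib.sha256(ct).hexdigest()
        if msg_id in self.seen_ids:
            return DUPLICATE_ID, None
        if digest in self.seen_digests:
            return DUPLICATE_PAYLOAD, None
        self.seen_ids.add(msg_id)
        self.seen_digests.add(digest)
        return ACCEPTED, ct


def demo() -> list[str]:
    """Run the validator over a constructed sequence and return the events raised."""
    key = bytes(32)   # constructed fixed key, for a reproducible demo only
    rx = Receiver(key)
    pkt = seal(key, "m-1", b"opaque ciphertext bytes")
    events = [rx.validate(pkt)[0]]                              # fresh message
    events.append(rx.validate(pkt)[0])                          # verbatim replay
    events.append(rx.validate(seal(key, "m-2", b"opaque ciphertext bytes"))[0])  # same ct, new id
    events.append(rx.validate(dict(pkt, id="m-3"))[0])          # id edited, tag not recomputed
    events.append(rx.validate({"id": "m-4"})[0])                # fields missing
    return events
```

The ordering is the design choice worth keeping: structural checks cost nothing and need no key, authentication is the gate, and the duplicate sets only ever contain values the peer actually authenticated. Any of the non-ACCEPTED outcomes is the kind of condition the page classifies as a security event rather than a delivery error.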

Identity Substitution

Risk:
An attacker may attempt to replace a contact identity, impersonate a sender, or redirect communication to the wrong cryptographic identity.

UNDERWORLD Mitigation:
UNDERWORLD uses contact-bound cryptographic state, sender-binding checks, and identity-substitution detection. Unexpected identity changes are treated as serious security events.

Residual Limit:
Users must still verify sensitive contacts carefully. No system can fully protect users who trust the wrong identity through an unsafe channel.

Ratchet-State Manipulation

Risk:
An attacker may attempt to exploit message ordering, skipped keys, replayed encrypted payloads, or invalid ratchet state.

UNDERWORLD Mitigation:
The Double Ratchet-style model is hardened through state validation, message-key isolation, duplicate detection, and alarm behavior for suspicious ratchet conditions.

Residual Limit:
Severe state corruption may require the user to re-establish trust or reset communication.
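The skipped-key handling mentioned above has a concrete shape in Double Ratchet-style designs: the receiving chain derives and stores keys for counters it has not yet seen, deletes each key on first use, and refuses jumps larger than a fixed bound so a forged counter cannot force unbounded derivation. The following is an added example for this page, not UNDERWORLD's code; the chain-step KDF, the MAX_SKIP and MAX_STORED bounds and the event names are assumptions, and only the symmetric receiving chain is shown.

```python
"""Receive-side symmetric ratchet chain with a hard bound on skipped keys.

Added illustration, not UNDERWORLD's code. The chain-step KDF (HMAC-SHA256
with one-byte labels), the MAX_SKIP and MAX_STORED bounds and the event
names are assumptions for this example. Only the symmetric receiving chain
is shown; the Diffie-Hellman ratchet that feeds it is out of scope here.
"""
from __future__ import annotations
import hashlib
import hmac

MAX_SKIP = 5        # assumed: largest forward jump accepted in one message
MAX_STORED = 20     # assumed: most skipped keys retained across the chain

ACCEPTED = "ACCEPTED"
SKIPPED_KEY_ABUSE = "SKIPPED_KEY_ABUSE"
RATCHET_STATE_ANOMALY = "RATCHET_STATE_ANOMALY"
DUPLICATE_KEY_USE = "DUPLICATE_MESSAGE_KEY_USE"


def kdf_chain(chain_key: bytes) -> tuple[bytes, bytes]:
    """One chain step: (next chain key, message key); neither reveals the input."""
    next_ck = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    mk = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_ck, mk


class ReceiveChain:
    def __init__(self, chain_key: bytes):
        self.ck = chain_key
        self.n = 0                           # next counter expected in order
        self.skipped: dict[int, bytes] = {}  # counter -> unused message key

    def key_for(self, counter: int) -> tuple[str, bytes | None]:
        """Return (event, message key). State only advances on ACCEPTED."""
        if counter < self.n:
            # Earlier counter: either a late out-of-order message whose key
            # was kept, or a counter already consumed. Keys are deleted on
            # first use, so a replayed message has nothing to decrypt with.
            mk = self.skipped.pop(counter, None)
            return (ACCEPTED, mk) if mk is not None else (DUPLICATE_KEY_USE, None)

        gap = counter - self.n
        if gap > MAX_SKIP:
            # A forged counter must not make the receiver derive and store an
            # arbitrary number of keys. Refuse without touching state.
            return SKIPPED_KEY_ABUSE, None
        if len(self.skipped) + gap > MAX_STORED:
            return RATCHET_STATE_ANOMALY, None

        while self.n < counter:                 # keys for the skipped counters
            self.ck, mk = kdf_chain(self.ck)
            self.skipped[self.n] = mk
            self.n += 1
        self.ck, mk = kdf_chain(self.ck)        # key for the requested counter
        self.n += 1
        return ACCEPTED, mk


def demo() -> list[str]:
    """Drive one chain through in-order, out-of-order, replayed and abusive counters."""
    chain = ReceiveChain(bytes(32))   # constructed root chain key for the demo
    sequence = [0, 3, 1, 1, 0, 4 + MAX_SKIP + 1, 4]
    return [chain.key_for(c)[0] for c in sequence]
```

Two properties make the bounds useful as detection signals rather than just resource limits: a rejected jump leaves the chain exactly where it was, so a legitimate next message still decrypts, and a consumed counter can never be served again, so replay of a previously decrypted message is distinguishable from a late arrival.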

Attachment Metadata Leakage

Risk:
Files can expose GPS data, device information, author names, embedded thumbnails, file paths, misleading extensions, or application metadata.

UNDERWORLD Mitigation:
UNDERWORLD includes attachment sanitization designed to reduce exposed metadata before files are shared.

Residual Limit:
Sanitization reduces risk but cannot guarantee removal of every possible hidden signal in every file format.

Dangerous Attachments

Risk:
An attacker may use attachments to exploit file handling, disguise dangerous content, abuse size limits, or misrepresent file type.

UNDERWORLD Mitigation:
UNDERWORLD checks for risky MIME mismatches, oversized payload abuse, path-traversal attempts, malformed attachment packets, metadata deception, and dangerous attachment patterns.

Residual Limit:
Users should still avoid opening unknown files outside trusted environments.
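The checks listed in the mitigation above (MIME mismatch, oversized payloads, path traversal, malformed packets, metadata deception) can all be applied before any parser touches the file. The block below is an added example for this page, not UNDERWORLD's code; the magic-byte table, the size cap, the extension table and the event names are assumptions made for the illustration.

```python
"""Inbound attachment checks: declared type against content, name safety, size.

Added illustration, not UNDERWORLD's code. The magic-byte table, the size
cap, the extension table and the event names are assumptions for this
example; the checks run before any parser is allowed to touch the file.
"""
from __future__ import annotations
import posixpath

MAX_ATTACHMENT_BYTES = 8 * 1024 * 1024    # assumed cap

# Declared MIME type -> byte prefixes the content must start with.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF-",),
    "application/zip": (b"PK\x03\x04",),
}
# Declared MIME type -> extensions the displayed name may carry.
EXT_FOR = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "application/pdf": {".pdf"},
    "application/zip": {".zip"},
}

# Event names are illustrative labels for this example.
RISKY_MIME_MISMATCH = "RISKY_MIME_MISMATCH"
PATH_TRAVERSAL = "ATTACHMENT_PATH_TRAVERSAL_ATTEMPT"
OVERSIZED = "OVERSIZED_ATTACHMENT"
MALFORMED = "MALFORMED_ATTACHMENT_PACKET"
METADATA_DECEPTION = "ATTACHMENT_METADATA_DECEPTION"


def check_attachment(name, declared_mime, declared_size, data) -> list[str]:
    """Return the security events raised by one attachment (empty list = clean)."""
    events: list[str] = []
    if not isinstance(name, str) or not name or not isinstance(data, bytes):
        return [MALFORMED]

    # Name: only a bare file name is acceptable. Both separator styles and NUL
    # are rejected, because downstream file APIs disagree on how to treat them.
    if "/" in name or "\\" in name or "\x00" in name or name in (".", ".."):
        events.append(PATH_TRAVERSAL)

    # Size: an absolute cap, and the declared length must match what arrived so
    # a header cannot promise one size and deliver another.
    if len(data) > MAX_ATTACHMENT_BYTES:
        events.append(OVERSIZED)
    elif declared_size != len(data):
        events.append(MALFORMED)

    # Type: the declared type must be one whose signature can be verified, the
    # bytes must carry that signature, and the visible extension must agree.
    prefixes = MAGIC.get(declared_mime)
    if prefixes is None:
        events.append(RISKY_MIME_MISMATCH)
    else:
        if not any(data.startswith(p) for p in prefixes):
            events.append(RISKY_MIME_MISMATCH)
        ext = posixpath.splitext(name.lower())[1]
        if ext not in EXT_FOR[declared_mime]:
            events.append(METADATA_DECEPTION)
    return events


def demo() -> dict[str, list[str]]:
    """Run the checks over constructed samples; returns the events per sample."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    pdf = b"%PDF-1.7\n%constructed\n"
    big = b"PK\x03\x04" + b"\x00" * MAX_ATTACHMENT_BYTES   # four bytes over the cap
    return {
        "clean": check_attachment("photo.png", "image/png", len(png), png),
        "mismatch": check_attachment("photo.png", "image/png", 18, b"MZ" + b"\x00" * 16),
        "traversal": check_attachment("../../outside.pdf", "application/pdf", len(pdf), pdf),
        "wrong_ext": check_attachment("report.pdf", "image/jpeg", len(jpg), jpg),
        "size_lie": check_attachment("photo.png", "image/png", 10_000_000, png),
        "oversized": check_attachment("big.zip", "application/zip", len(big), big),
        "unverifiable": check_attachment("blob.bin", "application/octet-stream", 3, b"abc"),
    }
```

Declared types without a known signature are flagged rather than passed through, which is the allow-list stance the page takes elsewhere: the checker only accepts what it can positively verify, and everything else becomes an event for the user to see.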

Forced Unlock

Risk:
A user may be forced to unlock the app or expose local content.

UNDERWORLD Mitigation:
UNDERWORLD includes App Lock and optional duress PIN protection. The duress PIN is designed to trigger irreversible local security action when disclosure may be more dangerous than data loss.

Residual Limit:
No software can prevent every form of coercion or physical pressure. Duress protection is a last-resort mechanism, not a complete safety guarantee.

Store-Now-Crack-Later Attacks

Risk:
An adversary may capture encrypted traffic today and attempt to decrypt it in the future.

UNDERWORLD Mitigation:
UNDERWORLD implements a post-quantum hybrid defense model aligned with NSA-published CNSA 2.0 cryptographic direction, combining classical protection with quantum-resistant security planning.

Residual Limit:
Post-quantum defense reduces long-term cryptographic risk, but implementation quality, audits, and protocol validation remain essential.

Blackout Conditions

Risk:
The internet may be unavailable, blocked, surveilled, or unsafe to use.

UNDERWORLD Mitigation:
Blackout Mode allows users to prepare encrypted offline message capsules for later transfer through controlled local carriers such as QR, file transfer, Wi-Fi, Bluetooth, or physical handoff.

Residual Limit:
Blackout Mode protects content before handoff, but users must still control the physical transfer path and recipient trust.

Silent Witness Endpoint Risk

Risk:
A user may be tricked into sending sensitive evidence to a fake destination, wrong endpoint, phishing address, or unsafe reporting channel.

UNDERWORLD Mitigation:
Silent Witness focuses on local preparation, encryption, endpoint verification, fingerprint checks, Tor-routed transmission, and source-side protection.

Residual Limit:
UNDERWORLD does not control the receiving organization, human handler, inbox security, or post-submission process.

THREAT COVERAGE MATRIX

UNDERWORLD applies layered mitigation across multiple threat categories.

Network surveillance is reduced through Tor and I2P routing, fail-closed delivery in release builds, and avoidance of direct relay exposure.

Relay compromise is reduced through end-to-end encryption, ciphertext-only relay transport, no server-side private keys, and no remote message recovery.

Message manipulation is reduced through authenticated encryption, authentication-tag validation, malformed packet rejection, replay detection, and duplicate-message controls.

Identity substitution is reduced through contact-bound cryptographic state, sender-binding checks, local identity storage, and security alarms when trust assumptions change.

Traffic analysis is reduced through anonymity-network routing, decoy relay traffic, metadata minimization, no presence indicators, and notification privacy.

Attachment-based exposure is reduced through metadata sanitization, MIME validation, dangerous attachment detection, path-traversal protection, and oversized payload controls.

Forced access is reduced through App Lock, local-only identity storage, no cloud recovery path, and optional duress PIN protection.

Long-term decryption risk is reduced through post-quantum hybrid defense aligned with NSA-published CNSA 2.0 cryptographic direction.

Offline or blocked-network scenarios are addressed through Blackout Mode encrypted capsules, designed for controlled local transfer without plaintext handoff.

Sensitive evidence routing is addressed through Silent Witness, destination verification, endpoint checks, fingerprint checks, local encryption, and Tor-routed transmission.

DETECTABLE SECURITY EVENTS

UNDERWORLD can classify suspicious conditions as security-relevant events.

These may include:

Packet injection attempt.
Replay attack.
Message tampering.
Authentication-tag failure.
Malformed encrypted packet.
Duplicate message-ID attack.
Duplicate encrypted-message attack.
Relay message-forgery attempt.
Sender-binding failure.
Contact identity substitution.
Ratchet-state anomaly.
Skipped-key abuse.
Attachment path-traversal attempt.
Dangerous attachment behavior.
Risky MIME mismatch.
Oversized attachment abuse.
Attachment metadata deception.
Tapjacking attempt.
Obscured-touch event.
Screen overlay attack.
Insecure routing downgrade attempt.
Tor routing loss.
Relay unavailability.
Repeated relay timeout.
Suspicious relay failure pattern.

These events are not treated as cosmetic errors. Depending on severity, they may trigger blocking, warning, escalation, or loss-of-trust behavior.

OUT OF SCOPE

UNDERWORLD is hardened, but it cannot protect against every possible condition.

The following risks are outside the full control of the app:

A fully compromised device.
Advanced spyware already running on the phone.
Hostile operating-system control.
Malicious firmware.
Compromised keyboards.
Hostile accessibility services.
External camera recording.
Physical surveillance of the user.
A recipient who exposes messages.
Screenshots taken with another device.
Coerced disclosure outside the app.
Unsafe operational behavior.
Users ignoring security warnings.
Use on already compromised hardware.
Destination-side compromise.
Legal, political, institutional, or physical consequences of the information itself.

UNDERWORLD reduces technical exposure. It does not make unsafe environments safe by itself.

TRUST BOUNDARIES

The Device

The device is the primary boundary for identity keys, local app data, encrypted content before sending, and decrypted content after receiving.

A secure device strengthens UNDERWORLD. A compromised device weakens every secure messenger.

The App

The app performs local encryption, identity management, routing enforcement, attachment sanitization, active alarm handling, Blackout Mode capsule preparation, Silent Witness preparation, and local access protection.

The Relay

The relay is untrusted transport. It should move encrypted payloads without holding plaintext, private keys, contact books, cloud backups, or identity recovery material.

The Network

The network is treated as hostile by default. Tor and I2P reduce direct exposure, while fail-closed delivery prevents unsafe downgrade.

The Recipient

The recipient is trusted only to the extent the sender chooses to trust them. UNDERWORLD can protect delivery and cryptographic assumptions, but it cannot control what the recipient does after decryption.

The Cloud

The cloud is excluded from private message recovery and cryptographic identity restoration. This removes convenience, but it also removes a concentrated recovery risk.

USER RESPONSIBILITIES

UNDERWORLD provides technical protection, but secure communication also depends on disciplined use.

Users should:

Keep the device updated.
Use a strong device lock.
Avoid untrusted keyboards.
Avoid unnecessary screenshots.
Verify sensitive contacts.
Treat security warnings seriously.
Avoid using UNDERWORLD on compromised devices.
Understand that lost device-bound identity cannot be recovered from the cloud.
Use Blackout Mode only when offline capsule handling is appropriate.
Use Silent Witness only for lawful public-interest reporting and verified destinations.

Security is strongest when the software model and user behavior work together.

FINAL POSITION

UNDERWORLD is designed for environments where ordinary messenger assumptions are not enough.

It assumes the network may be watched, relays may be probed, metadata may be valuable, and unsafe fallback may be more dangerous than failed delivery.

The system reduces risk by encrypting locally, limiting retained data, minimizing metadata, routing through anonymity networks, treating the relay as untrusted, detecting active interference, and failing closed when secure conditions cannot be maintained.

That is the UNDERWORLD threat model:

Trust less.
Expose less.
Store less.
Route carefully.
Reject unsafe input.
Warn when trust breaks.
Fail closed when protection cannot be guaranteed.