Security Engineering and Threat Model

This page is written for security researchers, engineers, and technical advisors. If you are an at-risk user or frontline journalist, you do not need to understand this page to use Kyntab safely. You can download the app and follow the instructions on our home page.

Designed to Protect Lives

Our engineering objective is maximizing the cost of a compromise for hostile actors and sophisticated adversaries. Kyntab is not built to replace communications tools; it is purpose-built for emergency safety signaling with low information latency, when a user's life or physical security is at risk. These are higher stakes than traditional information security use cases. Data or a previous system state can be recovered; a life cannot. This reality informs and justifies our conservative, defensive approach to protecting our users.

No Identification Information Requested

To insulate our infrastructure from database profiling and identity correlation techniques, we do not require or verify static personal identifiers (such as phone numbers or personal emails).

  • Disposable email for registration advised: We instruct high-risk users to register using single-use, one-time disposable email addresses.

  • No email or phone communications: We do not conduct email verification checks, nor do we transmit alerts, logs, or updates via email. All communications and cryptographic validation happen natively inside the closed application environment.

No Identifiable Data or Metadata Storage

If our core infrastructure or database is compromised, an adversary will find no real-world identities linked to our users. To be precise, our database stores only the following elements:

  1. The disposable email used for registration

  2. A status indicator specifying whether that disposable email has initiated or received an SOS payload

  3. Designated "Trusted Contacts" (represented only by their disposable emails)

  4. Anonymized transaction tokens and receipt identifiers for any payments made via Apple or Google

We collect no telemetry (user behavior data such as login times), both for security reasons and because we don't need the data. All other data, including a user's journal data and a user-generated location stamp, is stored exclusively in encrypted form, leaving zero extractable user content for a hostile or criminal actor. A user's registration email address and its associated metadata are immediately deleted upon request in our app or on our site. This data may persist in encrypted form in our back-end database for a standard cloud rotation cycle (90 days), at the end of which it is overwritten.

Defenses Against Impersonation

A common threat vector involves adversaries compromising a trusted contact’s account credentials to intercept signals or map a user's trusted network. Kyntab cryptographically validates a Trusted Contact upon onboarding. If our system detects anomalies indicating a contact is being spoofed or impersonated, that contact is blocked, and the user is alerted within the application.

Defenses Protecting our Public Key

If our website or infrastructure suffers an intrusion that results in an unauthorized modification of our public keys, an alert is broadcast to active clients.

Warrant Canaries for Law Enforcement Requests

We are committed to absolute transparency. While non-disclosure orders often prohibit the explicit publication of law enforcement information requests, Kyntab maintains warrant canaries for specific user groups and publishes them in this section. The continuous presence of a canary indicates that the user cohort has not been subjected to data or legal compliance demands. If a canary is removed, it signals silently to that group that a compliance event has occurred.

Legal Identification

Apple and Google store your credit card numbers and legal names. Kyntab helps protect you physically, and digitally against illegal actors, by storing no real-world identities. However, law enforcement agencies can request platform transaction logs from Apple or Google to track your real-world billing identity. This is an inherent property of global banking when using the Apple or Android ecosystems.

Open Sourcing for Information Security vs. Life Security

A point of discussion within the security community is whether to maintain a closed-source model during early phases of a product lifecycle. Traditional engineering models lean on open-source structures because information security flaws can typically be mitigated by reverting system states, deploying hotfixes, or rotating compromised credentials.

Kyntab’s threat model is different: we operate in the domain of absolute physical safety. The compromise of a user at risk in a hostile environment cannot be remedied by rolling back a code commit or patching a repository. Our early-stage user base consists of active frontline users facing sophisticated adversaries, so the stakes of a zero-day exploit are immediate and irreversible.

Increasing Costs for Adversaries

We operate on the realistic engineering assumption that no codebase is 100% secure. Open-sourcing is very useful for information security on infrastructure with a broad community committed to real-time patching. Even so, trusted sources have confirmed to Kyntab (without access to our code or infrastructure) that hostile actors have compromised open-source applications widely used by journalists and the general public.

For early-stage deployments, open access to our code introduces even more severe risks from such adversaries. The lives of users on our network can be exposed faster than code can be patched, especially when competing against AI-enabled systems synthesizing zero-day exploits. Our active user cohort includes the founder, an active reporter covering war and dictatorships who has received recent threats for his reporting.

Peer Security Validation

To ensure our closed-source posture is never used as a cover for "security through obscurity" or structural deficiencies, our codebases, cryptographic implementations, and back-end architectures are continuously and rigorously audited. The auditors are security researchers and experts who are comfortable with staking their names and public reputations on the security of our application. They continuously verify that we do not store unauthorized data, maintain backdoors, or violate our cryptographic promises. We can provide credentials for these auditors to peer organizations and partners upon request via our contact form.

As our platform achieves scale, engineering redundancy, and a hardened architecture, we anticipate transitioning toward an open-source model. At the current product phase, our priority remains the absolute enforcement of defensive asymmetry against hostile actors.

The Journalistic Contract

This initial phase of our product is guaranteed by a reputed journalist working in a tradition where even a single error can end a reporter's career or cost a life. A dedicated community of reporters and international institutions have chosen to trust this application, and community discussions with them will shape the evolution of our architecture.

Kyntab represents a significant improvement over the vulnerable digital tools currently being used by the vast majority of reporters, human rights defenders and at-risk people in the world today.