Secure By Design
Status aims to be a truly decentralized communication tool – eventually removing all third parties and minimizing the attack vectors for malicious actors.
The true benefit of Web3 is the ability to transact and communicate on our own terms – without middle men. In order to enjoy this type of free communication, we must be confident that our messages, transactions, identities, and funds are safe and secure. Learn more about Status' approach to security below.
Secure Messaging at Status
Messages are not censored, blocked, and they remain pseudo-anonymous if the user chooses so. Only intended recipients are able to view messages.
Sending, storing, and receiving cryptocurrencies or tokens within the Status wallet is safe from attack. Private keys are never exposed. Transactions are only processed when initiated and confirmed by the owner of the private keys.
When browsing Web3, end user data and browsing information is not accessible by any third parties without consent. Any transactions made while using the Status browser implement the same security standards and best practices used in the Status wallet.
Your identity in Status starts with a locally generated cryptographic keypair, which is then protected via a password. That's all that is required. The user then has the ability to add information to their profile to build up who they are in Status. At all times the user has full control over their information, and who has access to it. The end user can be as public or private as they want.
Peer-to-Peer Messaging Protocol
Status uses the Waku protocol for peer-to-peer (p2p) communication. Waku relies on a network of peers to route messages to each other. Each message sent is broadcast to the entire network, and encrypted for only the intended recipient to open. By removing centralize choke points, the content of your messages and the metadata remain your own. However, Status and Waku are not entirely peer-to-peer yet as mailservers are used to manage messages when a peer is offline. A Waku mailserver is a Waku extension that stores messages and delivers them when the peer comes back online.
End-to-End Encryption by Default
All private messages sent in Status are encrypted end-to-end by default. When you create a Status account, a cryptographic keypair is generated to encrypt your messages and stored locally on your device. When you add a new contact in Status, you exchange public keys so that that person can decrypt your messages when received over the network.
Perfect Forward Secrecy
PFS is a feature of specific key-agreement protocols which provide assurances that your session keys will not be compromised even if the private keys of the participants are compromised. Specifically, past messages cannot be decrypted by a third-party who manages to get a hold of a private key. It builds on the X3DH and Double Ratchet specifications from Open Whisper Systems, with some adaptations to operate in a decentralized environment. Perfect Forward Secrecy is an added layer of security for all of your 1:1 private chats.
Pseudo-Anonymous Account Generation
When you create a new account on Status, you will never be asked for third party verification such as an email or phone number. This means you can sign up for and create a Status account and remain pseudo-anonymous. When you create an account, it is simply you and your keys. This also means that two factor authentication and password recovery are not features within Status - so be sure to remember your password and mnemonic phrase and store them offline somewhere extremely safe.
How are my keys stored?
Status will never use third party services for managing and storing your public and private keys. Once generated, the first BIP44 key is saved in a keystore json file locally on your device. This file is encrypted with the password you choose for your Status account and only accessible by the Status app. We prioritize storing sensitive information in secure hardware when it is available on your device.
For an additional layer of security, we have introduced Keycard which serves as offline cold storage for private key management and their operations.
For more information on Keycard, visit keycard.tech.
The Status browser is designed to keep the end user informed and their funds safe. Browser Privacy mode is enabled by default. This means that DApps will be required to ask permission before connecting to your wallet, and it may cause some DApps to break (if they are not compatible with this security measure). Finally, the Status browser implements EIP712 which aims to improve the usability of off-chain message signing for use on-chain. We are seeing growing adoption of off-chain message signing as it saves gas and reduces the number of transactions on the blockchain. Currently signed messages are an opaque hex string displayed to the user with little context about the items that make up the message.
How does Status protect my cryptocurrency?
Status is built with a non-custodial wallet, giving you full control over your funds without the use of a server. The private keys are stored in an encrypted manner on your device. Your money is under your control, and cannot be accessed by anyone without the private key. Therefore, if you lose your mnemonic phrase, you will never be able to restore access to your funds. So keep your private keys somewhere safely offline.
Signing Phrase to protect from phishing attacks
Status implements a signing phrase required to confirm and “sign” all transactions. The signing phrase is a 3 word phrase randomly generated for you and stored locally on your device that is presented each time you attempt to send a transaction. You will be presented your signing phrase and be required to accept it before a transaction will be confirmed. If you do not recognize your three words, or are not presented with the three words at all, cancel the transaction, log out of Status and report the issue to email@example.com
As we reach major milestones in development, after rounds of internal review and auditing, we reach out to industry leading, third-party auditing firms to verify our sanity, and double/triple check the work that we do. These security audits are not guarantees of security in the projects they pertain to. They are additional checks from objective third parties to help bolster confidence in the security of intended functionality.
For information and details on all external audits, please see the security repository.
If you find a bug or vulnerability in our code, please report it to firstname.lastname@example.org.
Educate yourself to stay safe
Decentralized, serverless products such as Status remove a number of unnecessary intermediaries, enabling you to chat, transact, and browse without fear of surveillance, censorship, and data leakage. This is because you are in control of your data and your own digital safety. Therefore, it is important you understand how to protect yourself. Learn more about how to stay safe with this Status Security Best Practice Guide.
Bug Bounty Program
If you are a security researcher or developer and want to report a vulnerability, please contact email@example.com regarding the Status Bug Bounty Program. We also have a campaign with HackerOne, a bug bounty program that incentivizes hackers to look at projects. We're actively ramping up our private campaign, and will open it to public disclosures soon! For more information on the Bug Bounty Program, please contact firstname.lastname@example.org.
Deja Vu Beta Audit
Status is built with state of the art technology to ensure the product is a secure as possible. When it comes to navigating Web3, you are in control. See our list of security best practices and take control.
Start enjoying Status on iOS and Android.Download Apps