GhostHow it worksPrivacyJoin waitlist
Trust

Security

Last updated · July 12, 2026

Ghost's security model is simple to state: messages are encrypted on your device, decrypted only on your contact's device, and never pass through a server we control. Removing the server removes the single biggest target. Here is exactly how that works and, just as importantly, where its limits are.

Cryptography

Ghost uses standard, modern primitives — the same core as Signal — with no third-party dependencies (SwiftUI + CryptoKit on iOS).

  • Identity. Ed25519 signatures authenticate every peer.
  • Key agreement. X25519 ECDH, combined in an X3DH handshake that is interactive and mutually authenticated.
  • Messages. A Double Ratchet (the Signal protocol) derives a fresh key for every message, sealed with ChaCha20-Poly1305 AEAD. Keys are derived with HKDF-SHA256 and HMAC-SHA256.
  • Verification. Signal-style numeric safety numbers let two people confirm they share the right keys.

What that buys you

  • Forward secrecy.Every message uses a unique key that is deleted after use, so a key compromised today can't decrypt yesterday's messages.
  • Post-compromise security. After a full state compromise, the session self-heals on the next ratchet step.
  • Authenticated everywhere. The handshake is signed and each message header is bound as AEAD associated data; forged or tampered frames are silently dropped.
  • Keys stay on the phone. Private identity keys live only in the iOS Keychain (this-device-only, after-first-unlock). Message history is stored with complete file protection, and ratchet session state is never persisted — a fresh session is negotiated per connection.

How the two phones connect

Both transports move only opaque ciphertext frames — no transport, relay, or STUN responder ever sees keys or plaintext.

  • Local network (zero-config). Over Wi-Fi and Bluetooth, peers on the same network discover each other automatically.
  • Serverless global. A from-scratch ICE/STUN implementation over UDP. QR pairing is the only signaling — peers swap a compact connection ticket by showing/scanning a code (or copy/paste via AirDrop or Messages). Each device acts as its own STUN responder, and authenticated UDP hole-punching establishes the direct path. No signaling server, no external STUN, no relay.

The one honest caveat

Connecting two phones that are eachbehind a separate carrier-grade NAT — for example both on cellular, on different networks — is impossible for any purely serverless system; discovering your own public address across the open internet is precisely what an external STUN/TURN server exists to bootstrap. Ghost's global path works serverlessly wherever a reachable path exists — the same Wi-Fi, one phone's hotspot, or the local network — and tells you plainly when it can't find one, instead of silently contacting a server. (An optional TURN relay is left as a pluggable, off-by-default slot for anyone who wants to run their own.)

What Ghost cannot protect against

Being honest about this is part of taking security seriously. Ghost does not defend against:

  • A compromised or unlocked device — anyone with access to your phone can read what is stored on it.
  • Someone reading over your shoulder, or a contact choosing to share what you sent them.
  • A network attacker who controls the path can drop packets (denial of service), but cannot read or forge messages — every frame is authenticated.
  • A global observer performing large-scale traffic and timing analysis. Ghost stores no metadata and uses no server, but no practical system fully hides that two devices are communicating from an adversary who can watch the whole network.

Verify it yourself

The app ships a built-in self-test (Diagnostics → “Run crypto self-test”) that runs two simulated peers in-memory and checks X3DH key agreement, Double Ratchet round-trips, out-of-order delivery, forward-secrecy rotation, AEAD tamper detection, forged-identity rejection, and the pairing codecs. The same suite runs headless as a native binary.

Reporting a vulnerability

If you find a security issue, please report it privately before disclosing it publicly, so a fix can ship first.

  • Email ghost@gaithano.com.
  • Include steps to reproduce and, if you can, an assessment of impact.
  • Good-faith research that avoids privacy violations, data destruction, and service disruption is welcome; we will not pursue action against it.

We aim to acknowledge reports within [72 hours] and to keep you updated through to a fix. Credit is offered to reporters who want it.

Ghost

Peer-to-peer chat that never touches a server. No accounts, no numbers, no trace.

iOS · Coming soon

Product

  • How it works
  • Privacy
  • Join the waitlist

Legal

  • Privacy Policy
  • Terms of Service
  • Security

Security

  • Security overview
  • Report a vulnerability
© 2026 GhostPrivacyTermsSecurity