// security

The security model.

What protects your transfer, what the threat model is, and where the boundaries are, stated plainly, because security you can't understand isn't security.

Cryptography

  • Transfer encryption: the age protocol, X25519 key agreement with ChaCha20-Poly1305 in the STREAM construction. The same crypto core used by AgePony, verified against age reference behavior.
  • End-to-end: the file is encrypted on the sending phone and decrypted on the receiving phone. Nothing in between can read it, because nothing in between exists.
  • Wire protocol: a frozen, cipher-agnostic framing carries the encrypted stream, so the transport format stays stable and auditable as the app evolves.

Pairing and device identity

Two phones pair by scanning a QR code. That scan exchanges device identities on a trust-on-first-use basis: once you have paired with a device, RelayPony recognizes it for later transfers. Each device's identity is held in the Android Keystore, hardware-backed where the phone supports it, so the private key is not sitting in app storage where it could be copied off.

The transport

On a shared Wi-Fi network, RelayPony finds nearby devices using local network discovery (mDNS / Android NSD) and streams the file directly between them. When there is no common network, it falls back to a direct device-to-device link, so you can still send without joining the same Wi-Fi. In every case the bytes go phone to phone. They are never relayed through a server.

Threat model

RelayPony protects the confidentiality and integrity of a file in transit between two phones you control, against an attacker on the network who does not control either unlocked device. It assumes the operating system's keystore and secure hardware behave as documented. It does not defend against malware running on a compromised, unlocked phone, and trust-on-first-use means the security of a brand-new pairing rests on you scanning the right device's code.

No server surface

There is no RelayPony server, so there is no server to breach, no database to leak, and no account credentials to steal. Files are not uploaded, queued, or cached anywhere off your devices. See the privacy policy for exactly what does and does not leave the phone.

Honest permissions

  • Camera is used only to scan a pairing QR code.
  • Nearby Wi-Fi / local network is used only to discover and connect to the other phone.
  • Storage is touched only to read the files you choose to send and to save received files to Downloads.

Open to inspection

The app is open source under Apache-2.0. You don't have to take any of the above on faith. Read the crypto module, read the transport, and check the behavior yourself.

Reporting a vulnerability

If you find a security issue, email NorseHorse@norsehor.se with details and, ideally, a way to reproduce it. To encrypt the report, use the OpenPGP public key and send it with subject SECURITY. Please give a reasonable window to ship a fix before public disclosure. RelayPony is a one-person project, so a clear report gets a faster fix.