Accounts - SafeSlingerProject/SafeSlinger-Media GitHub Wiki

SafeSlinger Messenger keeps your account information locally on your device and does not store any of it on its servers. Account information includes your encryption key pair, your signing key pair, your push registration ID, and the choices made on the Settings menu. All of your key pairs are protected with password-based encryption, using your passphrase and a random salt.

Account Generation

At setup, each user is asked to create a passphrase. The application then generates a new set of key pairs and protects them at rest using the passphrase and a random salt.

Account Recovery

We do not allow recovery or resetting of forgotten passphrases. You may generate a new set of application keys instead. From the login splash screen choose "Forgot Passphrase?" to generate a new set of keys. Any system that allows recovery of account information when the user has forgotten their passphrase has the potential for backdoors, which is why we don't allow this.
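The following Java sketch is an added example, not SafeSlinger's own code. It illustrates the two properties described under Account Generation and Account Recovery: a private key wrapped under a passphrase-derived key with a random salt, and the absence of any recovery path when the passphrase is wrong. The KDF (PBKDF2-HMAC-SHA256), the cipher (AES-GCM), the iteration count, the blob layout and all names are assumptions made for illustration; the page does not specify which algorithms the application uses.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;
import java.util.Arrays;

public class WrappedKeyDemo {
    // Assumed parameters for this sketch; none of them are taken from SafeSlinger.
    static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, ITERATIONS = 600_000;

    // Stretch the passphrase with the per-account random salt into a 256-bit AES key.
    static SecretKeySpec derive(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(k, "AES");
    }

    // Blob stored at rest: salt || iv || ciphertext+tag. Salt and IV are not secret.
    static byte[] wrap(char[] passphrase, byte[] privateKey) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        rng.nextBytes(salt); rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, derive(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(privateKey);
        byte[] blob = new byte[SALT_LEN + IV_LEN + ct.length];
        System.arraycopy(salt, 0, blob, 0, SALT_LEN);
        System.arraycopy(iv, 0, blob, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, blob, SALT_LEN + IV_LEN, ct.length);
        return blob;
    }

    // A wrong passphrase derives a different key, so the GCM tag check fails.
    static byte[] unwrap(char[] passphrase, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, derive(passphrase, salt), new GCMParameterSpec(TAG_BITS, blob, SALT_LEN, IV_LEN));
        return c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and passphrases, for demonstration only.
        byte[] priv = KeyPairGenerator.getInstance("EC").generateKeyPair().getPrivate().getEncoded();
        byte[] blob = wrap("correct horse battery".toCharArray(), priv);
        System.out.println("right passphrase: " + Arrays.equals(priv, unwrap("correct horse battery".toCharArray(), blob)));
        try {
            unwrap("guess".toCharArray(), blob);
        } catch (AEADBadTagException e) {
            System.out.println("wrong passphrase: no recovery path, generate a new set of keys");
        }
    }
}
```

Because the blob is the only stored form of the key and nothing else can derive the wrapping key, a forgotten passphrase leaves generating a new key set as the only option.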

Account Backup

This is an optional feature which can back up your encrypted application key to the cloud in case you want to move your account to another phone. Only your passphrase can decrypt your application key. Currently, backup is supported only between devices using the same operating system (Android to Android and iOS to iOS), and not all manufacturers support backup.

Account Removal

Since none of your account information is stored on our servers, the only thing you need to remove is your push registration with iCloud or Google, so that anyone attempting to send you a message will receive an error message stating that your device is no longer registered to receive messages. To do this, you must uninstall the application from your device, which will notify the push service that you are no longer able to receive messages. This also removes any data backups for the application. After this is done, if a contact attempts to send you a message, your name in their SafeSlinger contacts list will be permanently marked as unreachable.

Account Revocation

Generating a new set of keys is possible using the "Forgot Passphrase?" button from the login screen. We are also working on a process for users to send key revocation updates for older keys. If you are able to help with the development of a key revocation feature, we would love to get pull requests.