EN DE
VeilVault Logo

Documentation

Threat Model

← Back to Docs Back to VeilVault →

Threat Model

This document describes the threat model of VeilVault: which threats it is designed to mitigate, which assumptions it makes, and which threats are explicitly out of scope.

VeilVault is a security-first, offline-only password vault developed by CodeVeil.

This document exists to set clear expectations and to prevent misunderstandings about what VeilVault can and cannot protect against.

Purpose of This Threat Model

No security product can defend against all possible threats.

VeilVault defines its security boundaries explicitly so users understand:

  • what protections are provided
  • what responsibilities remain theirs
  • where VeilVault intentionally draws the line

Clarity is a security feature.

Assets Being Protected

VeilVault is designed to protect:

  • Stored passwords and secure notes at rest
  • Vault data if the device is lost or stolen
  • Vault integrity against offline tampering
  • Secrets against offline brute-force attacks

The master password is the single root of trust.

Assumptions

VeilVault operates under the following assumptions:

  • The device operating system is not compromised
  • The device is not rooted
  • Android’s application sandboxing is intact
  • The user does not voluntarily disclose their master password

If these assumptions are violated, VeilVault’s guarantees no longer apply.

Threats VeilVault Is Designed to Mitigate

1. Lost or Stolen Device (Locked State)

VeilVault protects against attackers who obtain physical access to a device while the vault is locked.

Mitigations include:

  • Encrypted vault storage
  • Memory-hard key derivation
  • No plaintext secrets stored on disk
  • No cloud or server-side copies

2. Offline Brute-Force Attacks

VeilVault is designed to make offline password guessing attacks computationally expensive.

  • Encryption keys are derived using a memory-hard function
  • Vault data cannot be partially decrypted
  • Incorrect passwords result in full authentication failure

3. Vault File Tampering

VeilVault detects unauthorized modification of vault data.

  • Encrypted vault data includes integrity protection
  • Modified or corrupted vault files fail authentication
  • There is no fallback or degraded unlock mode

4. Casual or Opportunistic Access

VeilVault mitigates accidental or casual access through:

  • Automatic locking
  • Explicit unlock actions
  • Optional biometric gating
  • Panic actions that immediately obscure sensitive content or lock the vault

5. Coercion Scenarios (Limited)

VeilVault includes optional features intended to reduce harm in coercive situations:

  • A decoy unlock mode that presents non-sensitive data
  • Emergency wipe actions that permanently delete vault data

These features are defensive measures, not guarantees of plausible deniability.

Threats VeilVault Does NOT Claim to Mitigate

VeilVault does not claim to protect against:

1. Compromised Devices

  • Rooted devices
  • Devices with kernel-level malware
  • Modified operating systems
  • Debug or instrumentation frameworks

An attacker controlling the operating system can bypass application-level protections.

2. Attacks While the Vault Is Unlocked

VeilVault applies operating-system–level protections to restrict screenshots and screen recording while sensitive content is visible.

As with all application-level protections, this mitigation relies on operating system enforcement and does not apply if the device is compromised.

VeilVault does not protect against:

  • Shoulder surfing
  • Malicious accessibility services
  • Malware with elevated or system-level privileges
  • Attacks performed while the user is actively using the vault on a compromised device

3. Advanced Physical Attacks

VeilVault does not claim to resist:

  • Hardware extraction attacks
  • Chip-level analysis
  • Nation-state or lab-grade adversaries

Such threats are outside the scope of a consumer mobile application.

4. User Mistakes

VeilVault cannot protect against:

  • Weak master passwords
  • Reusing the master password elsewhere
  • Storing sensitive information insecurely outside the vault
  • Voluntary disclosure of credentials

Security ultimately depends on user choices.

Decoy Mode Considerations

Decoy mode is designed to reduce risk in high-pressure situations.

Important limitations:

  • Decoy mode does not hide the existence of VeilVault
  • It does not cryptographically disguise real data
  • It does not protect against determined forensic analysis

Its purpose is risk reduction, not absolute concealment.

PanicHold & Emergency Wipe Limitations

PanicHold features are designed for immediate response:

  • PanicHold actions obscure sensitive content or lock the vault
  • PanicHold actions are non-destructive and reversible

Emergency wipe actions are destructive and irreversible:

  • Once triggered, vault data is permanently deleted
  • There is no undo mechanism
  • Wipes do not affect licensing or app installation

Emergency wipe is the only destructive action.

Summary

VeilVault provides strong protections within clearly defined boundaries.

It prioritizes:

  • Offline security
  • Predictable behavior
  • Explicit user control
  • Honest limitations

VeilVault does not attempt to provide universal or absolute security. It provides clear guarantees where possible and clear warnings where not.

← Back to Docs