eCall Security Architecture Proposal¶

Zero-Trust E2EE — Military-grade security for calls¶

Version: 1.0 Date: April 16, 2026 Author: Security Engineering Team Classification: CONFIDENTIAL — Internal Use Only

1. Executive Summary¶

eCall currently implements End-to-End Encryption (E2EE) for voice and video calls, utilizing AES-256-GCM (audio) and P-256 ECDH via the Secure Enclave (key exchange). However, after a comprehensive security review (STRIDE + OWASP), we discovered 2 Critical vulnerabilities and 4 High vulnerabilities that require immediate remediation, alongside the realization that the current Key Transparency (KT) architecture is insufficient against scenarios where the Provider is compromised or acting maliciously.

Proposal: Deploy the "5-Layer Zero-Trust Shield" architecture — a security model equivalent to Signal, surpassing WhatsApp, and integrating the benefits of Apple iMessage Contact Key Verification, within a 10-week timeframe.

2. Problem: Why upgrade?¶

2.1. Vulnerabilities in the current system¶

Level	Count	Notable Examples
🔴 Critical	2	Video E2EE uses weak encryption (AES-CTR without Auth Tag — allows stream tampering); API Secret exposed via logs
🟠 High	4	Debug flag disables E2EE in Production; SSL Pinning disabled in Staging; AES key lacks access control
🟡 Medium	5	User IP exposed via STUN; Google knows call metadata; Thread-safety race condition
🔵 Low	3	Silent fallback instead of error reporting; Timing bug in WebSocket

2.2. Unmitigated Attack Scenarios¶

Scenario	Description	Beneficiary
Split-View Attack	Server provides different public keys to each user → Undetected MITM	Provider / Coerced Entity
Rollback Attack	Server reverts to an old Merkle tree, reusing compromised keys	Hacker controlling server
Key Signing Compromise	Private key for checkpoint signing leaked → hacker signs fake checkpoint	Hacker / Insider
Malicious Update	Provider releases an iOS update disabling E2EE	Coerced Provider
Enumeration	Hacker scans KT API to map entire user network	Hacker / Surveillance

3. Proposed Solution: "5-Layer Zero-Trust Shield"¶

3.1. Architecture Overview¶

╔═══════════════════════════════════════════════════════════════════╗
║                 eCall Zero-Trust Security Shield                  ║
║                                                                   ║
║  ┌─────────────────────────────────────────────────────────────┐  ║
║  │ Layer 5: OUT-OF-BAND VERIFICATION                          │  ║
║  │ QR Code / Safety Number — Human verifies human             │  ║
║  │ → Mitigates ALL scenarios (even compromised Provider)      │  ║
║  └─────────────────────────────────────────────────────────────┘  ║
║  ┌─────────────────────────────────────────────────────────────┐  ║
║  │ Layer 4: PUBLIC TRANSPARENCY MONITOR                       │  ║
║  │ GitHub + Public API — Publicly auditable                   │  ║
║  │ → Mitigates Split-View, early detection of Key Leaks       │  ║
║  └─────────────────────────────────────────────────────────────┘  ║
║  ┌─────────────────────────────────────────────────────────────┐  ║
║  │ Layer 3: THIRD-PARTY AUDITOR                               │  ║
║  │ Independent service cross-checks every 5 minutes           │  ║
║  │ → Mitigates Split-View via neutral third-party             │  ║
║  └─────────────────────────────────────────────────────────────┘  ║
║  ┌─────────────────────────────────────────────────────────────┐  ║
║  │ Layer 2: CONSISTENCY PROOF                                 │  ║
║  │ App remembers old Root, detects rewrite/rollback           │  ║
║  │ → Mitigates Split-View + Rollback Attack                   │  ║
║  └─────────────────────────────────────────────────────────────┘  ║
║  ┌─────────────────────────────────────────────────────────────┐  ║
║  │ Layer 1: INCLUSION PROOF (Implemented)                     │  ║
║  │ Ed25519 Signature + Merkle Proof                           │  ║
║  │ → Mitigates basic Fake Key attacks                         │  ║
║  └─────────────────────────────────────────────────────────────┘  ║
╚═══════════════════════════════════════════════════════════════════╝

3.2. Layer Details¶

Layer 1: Inclusion Proof ✅ (Existing)¶

Mechanism: When App A requests B's public key, the KT Server returns the key with a Merkle proof proving its inclusion in the tree. The App verifies the Ed25519 signature on the checkpoint.
Status: Implemented in KTVerifier.swift. Stabilizing test suite.

Layer 2: Consistency Proof 🆕¶

Mechanism: App stores the last (TreeSize, RootHash) in Keychain. On subsequent queries, the Server must include a Consistency Proof — proving the new Root is a valid extension of the old Root.
Mitigates:
Split-View: If Server creates different trees for users, consistency proof fails.
Rollback: If Server reverts to an older tree, TreeSize decreases → App detects immediately.
Effort: ~2 weeks (iOS + Server API)

Layer 3: Third-Party Auditor 🆕¶

Mechanism: An independent service (Cloudflare Worker / AWS Lambda) pings the KT Server every 5 minutes and records the checkpoint. iOS App cross-checks checkpoints from the Auditor.
Mitigates: Split-View — If Server sends a different Root to the App vs Auditor → immediate detection.
Effort: ~1 week (Cloudflare Worker + iOS integration)

Layer 4: Public Transparency Monitor 🆕¶

Mechanism: All checkpoints are published to a public GitHub repo or Public API. Anyone (journalists, researchers, community) can verify.
Value: Builds brand trust — proves eCall "walks the talk" on security.
Effort: ~1 week (CI/CD automation)

Layer 5: Out-of-Band Verification (QR / Safety Number) 🆕¶

Mechanism: Each user pair has a unique "Safety Number" (10 groups × 5 digits = 50 digits). Users compare this number in person or scan a QR code. Mismatch indicates Provider tampering.
Mitigates: ALL scenarios — even if Provider controls server + auditor + malicious update. Validation is human-to-human.
Effort: ~2 weeks (UI/UX + crypto logic)

3.3. Defense Matrix¶

Attack Scenario	L1	L2	L3	L4	L5
Fake Key (MITM)	✅	—	—	—	✅
Split-View	❌	✅	✅	✅	✅
Rollback Attack	❌	✅	✅	✅	—
Key Signing Leak	❌	⚠️	✅	✅	✅
Enumeration	VRF	—	—	—	—
Malicious Update	❌	❌	❌	⚠️	✅

Conclusion: A minimum of 5 layers is required to defend against ALL scenarios, including intentional Provider tampering.

4. Competitor Comparison¶

Feature	Signal	WhatsApp	Apple iMessage	Telegram	eCall (Current)	eCall (Upgraded)
E2EE Audio/Video	✅	✅	✅	❌ (Server-side)	✅	✅
Key Transparency	✅	✅	✅	❌	⚠️	✅
Inclusion Proof	✅	✅	✅	❌	✅	✅
Consistency Proof	✅	✅	✅	❌	❌	✅
Third-party Auditor	❌	✅ (Cloudflare)	❌	❌	❌	✅
Safety Number / QR	✅	✅	✅	❌	❌	✅
Public Monitor	❌	⚠️	❌	❌	❌	✅ (Unique!)
Secure Enclave Key	❌	❌	✅	❌	✅	✅
IP Privacy (TURN)	✅	❌	N/A	❌	❌	✅
Open Source	✅	❌	❌	Partial	❌	TBD

Highlight: Post-upgrade, eCall will be the only calling app featuring a Public Transparency Monitor + Secure Enclave + Third-party Auditor combination — surpassing Signal (no Auditor) and WhatsApp (no Secure Enclave).

5. Implementation Roadmap¶

Phase 0: Critical Security Fixes — Week 1¶

Absolute Priority — Fix vulnerabilities currently in production

Task	Details	Impact
Video E2EE: AES-CTR → AES-GCM	Replace entire `CRTEncryptionManager` (Obj-C) with native AES-GCM	Mitigate bit-flip attack
Redact Janus API Secret	Remove secret from logs + plan per-session JWT	Mitigate secret leak
`simulateWrongKey` → `#if DEBUG`	Wrap debug flag	Prevent E2EE disabling
AES key access control	`private(set)` for session keys	Mitigate key theft

Phase 1: Consistency Proof — Week 2-3¶

Task	Details
Server: API `GET /kt/consistency`	Return Merkle consistency proof between 2 tree sizes
iOS: `KTConsistencyStore`	Store epoch state in Keychain
iOS: `KTVerifier` extension	Verify consistency proof before accepting key

Phase 2: Safety Number & QR Verification — Week 4-5¶

Task	Details
Safety Number algorithm	SHA-512 based numeric fingerprint (Signal-compatible)
QR Code generation/scan	Encode Safety Number into QR
UI: Contact Profile "Security" section	Display Safety Number + verification status
Key Change Warning	Alert upon unexpected key changes

Phase 3: Third-Party Auditor — Week 6¶

Task	Details
Cloudflare Worker: KT Checkpoint Monitor	5-minute cron, verify + store checkpoint
iOS: Cross-check API	App verifies Root against both KT Server + Auditor
Dashboard: Audit log viewer	Web dashboard for team monitoring

Phase 4: Public Transparency Monitor — Week 7¶

Task	Details
GitHub Action: Auto-publish checkpoints	Push JSON checkpoint every epoch
Public API: `kt-monitor.ecall.org`	REST API for community audit
Documentation	Guide for community verification

Phase 5: Server Hardening — Week 8-9¶

Task	Details
Rate Limiting KT API	Max 10 lookups/min/device
DeviceCheck / AppAttest integration	Defend against bots + Sybil attacks
Ed25519 Key Rotation	HSM-backed key + 90-day rotation
STUN → TURN-only (relay)	Hide true user IP

Phase 6: Stabilization & Third-party Audit — Week 10¶

Task	Details
Penetration Testing	Hire third-party firm for evaluation
Security Documentation	Publish whitepaper
App Store Release	Production deployment

6. Cost Estimation¶

Item	Cost
iOS Development (10 weeks × 1 dev)	Internal
Server Development (6 weeks × 1 dev)	Internal
Cloudflare Worker (Auditor)	$0 (Free tier: 100K req/day is sufficient)
GitHub (Public Monitor)	$0 (Public repo)
AWS KMS / GCP Cloud HSM (Key rotation)	~$1/month
Third-party Penetration Testing	$5,000 - $15,000 (one-time)
Total External Cost	~$5,001 - $15,001

ROI: Very low cost (primarily dev time) with massive brand value — eCall can claim "security surpassing WhatsApp" with concrete technical proof.

7. Risks & Mitigations¶

Risk	Probability	Mitigation
Video AES-GCM causes lag on old devices	Low	Benchmark on iPhone 11; fallback to AES-GCM-SIV if necessary
Server KT lacks Consistency API	Medium	Parallel iOS + Server development
Users ignore Safety Number	High	Gentle UX integration (non-blocking, but clearly visible)
Auditor service downtime	Low	Graceful degradation — App functions normally, missing only 1 verification layer

8. Conclusion¶

Why approve this proposal?¶

Absolute Security: 5 overlapping layers — attackers must breach all 5 layers simultaneously to eavesdrop. Even if the Provider is coerced, Layer 5 (human-to-human verification) will detect it.
Low Cost: ~10 weeks dev time + <$15K external cost. No complex infrastructure required.
Competitive Advantage: eCall will be the only calling app in the market with a Public Transparency Monitor — anyone can verify eCall is not cheating. Strong selling point for B2B/Gov clients.
Legal Compliance: Meets GDPR (data encryption), HIPAA (healthcare call encryption), and military security standards (Zero-Knowledge architecture).

Approval:

Role	Name	Signature	Date
CTO / Tech Lead	_____	_____	//2026
Security Officer	_____	_____	//2026
Product Manager	_____	_____	//2026