Security by architecture, not by promise

Static is designed around an explicit threat model. Rather than making vague claims about privacy, we define what we protect against, what we cannot protect against, and why. The goal is not to be invulnerable — it is to be honest about the boundaries of the system and to push those boundaries as far as current cryptography allows.

Threat model

We define six adversary classes and specify what Static protects in each scenario.

Passive network observer

An ISP, Wi-Fi operator, or state-level entity monitoring traffic on the wire.

What's protected

Message content, file content, voice audio, member identities. Traffic is padded and routed through relays to resist correlation.

Active network attacker

An adversary who can inject, modify, or replay packets.

What's protected

QUIC provides authenticated encryption in transit. MLS provides end-to-end authentication. Replayed or tampered messages are rejected at the protocol level.

Malicious supernode operator

The person running the relay server is actively hostile.

What's protected

Message content, member identities, channel names, file content, voice audio. The supernode only handles encrypted blobs and cannot derive plaintext.

Compromised group member

A current member whose device or keys are under adversary control.

What's protected

Post-compromise security: once the compromised member is removed, the group re-keys and all future messages are protected. Past messages received before compromise remain at risk on the compromised device.

Device theft or seizure

Physical access to an unlocked or locked device.

What's protected

Local database encrypted with SQLCipher (AES-256). Key material stored in OS keychain. A locked device with full-disk encryption provides the strongest protection.

Global passive adversary

An entity that can observe all network traffic simultaneously.

What's protected

Traffic padding and relay routing raise the cost of correlation analysis. This is an active area of research — no system provides complete protection against a GPA.

Encryption layers

At rest

All local data is stored in a SQLCipher database encrypted with AES-256-CBC. The encryption key is derived from device-specific secrets stored in the OS keychain. No plaintext touches the filesystem.

SQLCipher AES-256-CBC

In transit

All network communication uses QUIC with TLS 1.3 for transport security. On top of that, message payloads are end-to-end encrypted using MLS with the ciphersuite below.

MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519

Ephemeral sessions

Session keys are rotated every 4 hours by default. Each rotation produces new key material, ensuring that compromise of a session key limits exposure to a bounded time window.

X25519 ephemeral key exchange, 4h rotation

Metadata protection

What IS protected

Message content (plaintext never leaves the device)
Member list in transit (encrypted within MLS group)
File content (encrypted before upload)
Voice and video audio streams
Channel names and topics
User display names and profiles

What is NOT protected

Community existence (the supernode knows it is hosting a community)
Approximate channel count (observable from encrypted blob patterns)
Approximate message timing at the supernode level
Connection frequency and duration patterns
Approximate group size (from MLS Welcome message patterns)

Wire traffic analysis resistance

Static pads all outgoing messages into fixed-size buckets to prevent content-length analysis. An observer cannot determine message length from packet size.

Bucket sizes 256 · 1,024 · 4,096 · 16,384 bytes

Shannon entropy 7.999996 / 8.0 bits per byte

Chi-squared test 283.45 < 310.457 threshold (passes randomness test)

Padded ciphertext is statistically indistinguishable from random data. The chi-squared value falls well below the critical threshold, confirming that an observer cannot differentiate Static traffic from noise.

How Static compares

Feature	Static	Signal	Matrix
End-to-end encryption	Always on	Always on	Opt-in (rooms)
Group encryption protocol	MLS (RFC 9420)	Sender Keys	Megolm
Identity requirements	None	Phone number	Email or phone
Message metadata	Padded + relayed	Sealed sender	Visible to homeserver
Server operator visibility	Encrypted blobs only	Minimal metadata	Full metadata
Open source	Full (AGPL-3.0)	Full (AGPL-3.0)	Full (Apache-2.0)
Self-hostable	Yes	No	Yes

Known limitations

No system is perfect. We believe honesty about limitations is more valuable than implying invulnerability.

Device compromise defeats all protections. If an attacker has full access to your unlocked device, they can read everything you can read. Encryption protects data in transit and at rest on a locked device — not against a live session.
Screenshots exist. A group member can always take a screenshot or photograph their screen. No protocol can prevent this.
A global passive adversary can perform traffic analysis. While padding and relay routing raise the cost, an entity capable of observing all network traffic simultaneously may still correlate timing patterns. This is a fundamental limitation of internet-based communication.
The supernode is a single point of availability (not security). If the supernode goes offline, message delivery pauses until it returns. It cannot read your data, but it can deny service. Self-hosting mitigates this.
Forward secrecy has a time granularity. Messages sent between epoch updates (triggered by membership changes or scheduled rotation) share the same key material. Compromise of that material exposes all messages within that epoch.

Full privacy model documentation The math behind your privacy