UltraLocked security model
A clear explanation of what UltraLocked protects, what it does not protect, and which security components are open for review.
Threat model
Bounded claims are the point.
Protects against
- Sensitive files scattered across Photos, Notes, Files, email, and cloud drives
- Casual access to private documents
- Cloud sync exposure
- Device loss with locked vault
- Coercive unlock scenarios where duress workflows are configured
- Accidental retention of sensitive screenshots and documents
Does not protect against
- A fully compromised iOS device
- Kernel-level malware or jailbreak compromise
- Shoulder surfing or screen recording while unlocked
- Weak device passcodes
- Legal compulsion or operational mistakes outside the app
- Advanced forensic access to an already-unlocked device
Architecture
Local import to encrypted storage
The high-level app flow keeps files local, encrypts vault contents, protects key material with Secure Enclave-backed controls, and uses explicit encrypted transfer when data moves between devices.
- User file
- Local import
- Vault encryption
- Secure Enclave-backed key protection
- Local encrypted storage
- Optional encrypted local transfer
Public Review
What public review does and does not prove
Open components are useful because they make security claims inspectable. They are not a substitute for device-level testing, operational security, or Apple platform trust.
Public review can verify
- How public .ultralocked export bundles are encrypted, parsed, authenticated, and bounded
- Malformed input handling and tamper-detection tests, which reviewers can inspect
- The documented portable transfer format, threat model, and non-goals
Public review does not
- Prove Apple Secure Enclave internals or biometric enforcement
- Prove every runtime behavior of the private App Store client
- Eliminate device compromise, weak passcodes, screen exposure, or operational mistakes
Open-source review
Open components for review
The sensitive security architecture is documented, and core security components are available for public review. The goal is not to ask users to blindly trust a black box, but to make the key lifecycle, vault behavior, and limitations inspectable.
We especially welcome review of
- Secure Enclave key lifecycle
- vault encryption and deletion semantics
- duress workflow edge cases
- encrypted transfer model
- metadata exposure
- recovery-key handling
If you believe you found a security issue, please report it privately first. We will acknowledge good-faith reports and credit researchers when appropriate.
Contact: security@ultralocked.com
Reviewer page
Security engineers and iOS reviewers can start with scope, links, limitations, and requested review areas.
Review UltraLocked
Disclosure policy
Report suspected vulnerabilities privately with reproduction details and expected impact.
Responsible disclosure
Related reading
The blog has deeper background on Secure Enclave usage, duress workflows, and offline transfer.
Secure Enclave deep dive