Security Whitepaper

Security Is Architecture, Not a Feature

Vockal was built so that not even we can control your desktop. The cryptographic key that authorizes every action exists only on your devices. Our server is an untrusted relay by design.

Architecture

Zero-Trust by Design

The secret key never leaves your devices. The server relays signed commands but cannot read, forge, or modify them.

[Architecture diagram: Mobile (has secret key; SecureStore / Keychain) sends signed commands to Server (no key access; untrusted relay), which relays the signed commands to Desktop (has secret key; DPAPI / Credential Manager).]

Shared secret generated during QR pairing. Stored on-device only. The server never sees this key.

Cryptography

The Secret Key

When you scan the QR code on your desktop, a shared cryptographic secret is generated between your phone and desktop. This key is immediately stored in platform-native encrypted storage:

  • Windows: DPAPI (Data Protection API)
  • iOS: Keychain (Keychain Services)
  • Android: EncryptedSharedPreferences (Android Keystore)

Every action dispatched to your desktop carries a cryptographic signature created with this key. The desktop verifies the signature before executing anything. An unsigned or incorrectly signed action is rejected immediately.

The key is never transmitted to our server. It is never included in API requests. It is never logged. The server's role is strictly limited to relaying pre-signed payloads between your devices.

Permissions

Strict Action Allowlist

Vockal operates on an explicit allowlist. Only a defined set of action types can be executed. Everything else is rejected at the protocol level.

Permitted Actions

  • Click at coordinates
  • Type text
  • Scroll
  • Switch application
  • Navigate to URL
  • Take screenshot

Permanently Banned

  • Shell commands
  • System modifications
  • Direct file system access
  • Registry edits
  • Process management
  • Network configuration

The allowlist is enforced at multiple layers: the server validates action types before relaying, and the desktop app independently validates before executing. Both must agree for an action to proceed.
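The following added example (not Vockal's own code) illustrates the two mechanisms described above together: the per-action signature from the Cryptography section and the two-layer allowlist from this section. The whitepaper does not name a signature scheme or message format, so HMAC-SHA256 over a canonical JSON payload, the field names, and the sample secret are all assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Action types taken from the whitepaper's "Permitted Actions" list (names assumed).
PERMITTED_ACTIONS = {"click", "type", "scroll", "switch_app", "navigate", "screenshot"}


def canonical(action: dict) -> bytes:
    # Deterministic serialization so phone and desktop sign the same bytes.
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()


def sign_action(secret: bytes, action: dict) -> str:
    # Mobile side: the pairing secret never leaves the device; only the tag is sent.
    return hmac.new(secret, canonical(action), hashlib.sha256).hexdigest()


def relay_validate(action: dict) -> bool:
    # Server side: it holds no key, so it can only check the action type, not the signature.
    return action.get("type") in PERMITTED_ACTIONS


def verify_and_dispatch(secret: bytes, action: dict, signature: Optional[str]) -> Tuple[bool, str]:
    # Desktop side: allowlist and signature are both checked before anything executes.
    if action.get("type") not in PERMITTED_ACTIONS:
        return False, "rejected: action type not on allowlist"
    if not signature:
        return False, "rejected: unsigned action"
    expected = sign_action(secret, action)
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return False, "rejected: bad signature"
    return True, f"executing {action['type']}"


def run_demo() -> dict:
    # Constructed sample inputs; a real secret comes from QR pairing, not a literal.
    secret = b"constructed-shared-secret-from-qr-pairing"
    click = {"type": "click", "x": 120, "y": 340}
    sig = sign_action(secret, click)
    tampered = dict(click, x=999)              # relay altered the payload in transit
    banned = {"type": "shell", "cmd": "placeholder"}
    return {
        "valid": verify_and_dispatch(secret, click, sig),
        "tampered": verify_and_dispatch(secret, tampered, sig),
        "unsigned": verify_and_dispatch(secret, click, None),
        "banned_even_if_signed": verify_and_dispatch(secret, banned, sign_action(secret, banned)),
        "relay_accepts_click": relay_validate(click),
        "relay_rejects_shell": relay_validate(banned),
    }
```

The "banned_even_if_signed" case shows why the desktop-side allowlist matters independently of the signature: a correctly signed request for a banned action type is still refused.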

Transparency

Honest Threat Model

We believe transparency builds more trust than marketing claims. Here are the only two scenarios where Vockal's security could theoretically be bypassed, and why neither represents a new risk.

Scenario 1: Device Compromise

Requires physical or root-level access to your device

If an attacker gains access to your device and extracts the secret key from encrypted storage, they could forge Vockal actions.

However, an attacker with that level of device access already has direct control of your machine. They can click, type, read files, and install software without Vockal. Extracting the secret key provides no capability they do not already have.

Vockal adds zero additional attack surface to an already compromised device.

Scenario 2: Unofficial Builds

Requires installing software from untrusted sources

A modified version of Vockal's desktop or mobile app could bypass signature verification entirely. The tampered binary could accept unsigned actions or connect to a different server.

This is why we distribute exclusively through official channels: our website for the desktop app, Google Play and the App Store for mobile. This is the exact same trust model used by every banking app, password manager, and security tool on the market.

If you install only from official sources, this vector does not apply.

Constraints

What Our Server Cannot Do

We designed the server to be as limited as possible. Even if our entire server infrastructure were compromised, an attacker still could not control your desktop.

The server can:

  • Relay signed commands between your devices
  • Store action counts for plan enforcement
  • Manage device pairing state
  • Forward audio to the speech-to-text provider

The server cannot:

  • Forge actions without the secret key
  • Execute commands on your desktop
  • Access your screen without an active session
  • Decrypt or read action payloads
  • Store or replay your audio
  • Recover or reset your secret key

Privacy

Minimal Data, Maximum Privacy

Audio

Streamed in real time to a third-party speech-to-text provider. Never stored on Vockal servers. Discarded immediately after transcription.

Screenshots

Used only for AI action verification during your active session. Auto-deleted within 1 hour of capture.

Accounts

There are none. No usernames, no passwords, no profiles. Device pairing is the only authentication mechanism. There is nothing to breach.

Data sales

Your data is never sold, rented, or traded. Not to advertisers, not to data brokers, not to anyone.