9.6 KiB
9.6 KiB
Montana iOS App — Audit Package
Bundle ID: network.montana.junona
Last Verified: 2026-05-02
Audit Readiness: Phase 2 + Phase 3 scaffold complete (code-only); pending Xcode XCTest verification на physical device + simulator
См. также: Протокол/Код/AUDIT.md — Rust reference implementation audit package (M1+M2+M3+M4+M5+M6+M9 ready).
TL;DR
Montana iOS app — постквантовый кошелёк + мессенджер с self-custody через Secure Enclave / Keychain. Обходится без backend infrastructure через direct connection к user's Montana node либо trusted third-party node (account-level IBT через ML-DSA-65).
| Layer | Готов? | Файлы | LOC |
|---|---|---|---|
| Auth (Keychain + Biometric + PIN + Passkey + CertPinning) | ✅ ready | Auth/ (8 файлов) | ~3500 |
| Crypto primitives (ML-DSA-65 + ML-KEM-768 + MontanaSeed) | ✅ ready | Crypto/ (3 + liboqs) | ~910 |
| Wire format (envelope + 12 payloads + IBT + PoW + seed deriv) | ✅ ready | Wire/ (5 файлов) | ~480 |
| Network transport (Network.framework + TLS 1.3 + IBT proof) | ✅ ready | Network/MontanaConnection | ~180 |
| Services (Wallet + Anchor + Messenger) | ✅ scaffold | Services/ (3 файла) | ~250 |
| Юнона LLM agent (permission + injection filter) | ✅ MVP scaffold | Junona/ (2 файла) | ~200 |
| Security utilities (jailbreak + anti-tampering) | ✅ scaffold | Security/ (2 файла) | ~190 |
| Conformance vectors (XCTest harness) | ✅ ready | MontanaTests/ (2 файла) | ~330 |
Total iOS Swift code: ~14 630 LOC across 34+ files.
Status delta from previous AUDIT.md (2026-05-02 morning):
- Phase 2.2 wire payloads: TODO → ✅ ready (12 structured wire types ported byte-exact)
- Phase 2.3 network transport: TODO → ✅ ready (Apple Network.framework + TLS 1.3)
- Phase 2.4 services: TODO → ✅ scaffold (Wallet/Anchor/Messenger)
- Phase 2.5 Юнона: TODO → ✅ MVP scaffold (permission system + injection filter)
- Phase 3 security utils: TODO → ✅ scaffold (jailbreak detect + anti-tampering)
Audit Chain (iOS-side)
iOS app composes 4 layers, each auditable independently:
Layer 1 — Apple platform frameworks
Foundation,CryptoKit(SHA-256, AES-GCM, HKDF) — Apple-audited, FIPS 140-3 validatedLocalAuthentication(biometric prompt) — system frameworkNetwork.framework(TLS 1.3 socket) — system, ATS-enforced; min TLS protocol enforced viasec_protocol_options_set_min_tls_protocol_version(.TLSv13)Security.framework(Keychain, Secure Enclave) — system
Layer 2 — liboqs (vendored C library)
- ML-DSA-65 (FIPS 204) sign / verify / keypair
- ML-KEM-768 (FIPS 203) encap / decap / keypair
- Source: open-quantum-safe/liboqs (GitHub)
- Build: pre-compiled
liboqs-macos/liboqs.aдля macOS arm64; iOS arm64 XCFramework — TODO Phase 4 (xcodebuild verification от автора)
Layer 3 — Montana Swift wrappers
Crypto/MLDSA65.swift(424 LOC) — Swift FFI wrapper to liboqsCrypto/MLKEM768.swift(198 LOC) — sameCrypto/MontanaSeed.swift(288 LOC) — mnemonic → master_seed → per-role keypairWire/MontanaEnvelope.swift— envelope encode/decode (port mt-net::envelope)Wire/MontanaPayloads.swift— 12 structured wire types (port mt-net::payloads)Wire/IBTProof.swift— IBT online + mesh proof constructionWire/BootstrapPow.swift— PoW target derivation + verify (full 256-bit integer division)Wire/MontanaSeedExt.swift— deterministic seed derivation для KAT vectorsNetwork/MontanaConnection.swift— Apple Network.framework wrapper с IBT handshakeServices/{Wallet,Anchor,Messenger}Service.swift— application logicJunona/{JunonaPermission,JunonaInjectionFilter}.swift— LLM agent permission + injection mitigationSecurity/{JailbreakDetector,AntiTampering}.swift— runtime security checksAuth/*.swift— auth flow (Keychain, biometric, PIN, passkey, cert pinning)
Layer 4 — Application logic
Views/*.swift— UI (TimeChainExplorer, Settings)MontanaApp.swift— @main entry point с migration logic
Cross-implementation conformance
iOS app должен пройти все binding test vectors из Rust mt-conformance crate byte-exact.
Status
- ✅ Conformance vectors port: done (
MontanaTests/MTConformanceVectors.swiftmirrorcrates/mt-conformance/src/vectors.rs) - ✅ XCTest harness: scaffolded (
MontanaTests/MTConformanceTests.swift) — 7 tests (envelope A1-A3 + PoW F1-F2 + IBT B1 seed/keypair/proof) - ✅ Required Swift implementations done:
MontanaEnvelope.encode(msgType:requestId:payload:) -> Data✅BootstrapPow.target(difficulty:) -> Data✅MontanaSeed.detSeed(label:) -> Data✅IBTProof.online(secretKey:serverNodeId:windowIndex:) -> Data✅
- ⏳ XCTest verification execution: pending Xcode build/test (требует автора)
- ⏳ Differential testing iOS liboqs ML-DSA vs Rust mt-crypto OpenSSL ML-DSA — pending Phase 2.1 verify
Verification command
cd /Users/kh./Python/Ничто/Монтана/iOS/Apps/Montana
xcodebuild test -project Montana.xcodeproj -scheme Montana \
-destination 'platform=iOS Simulator,name=iPhone 15 Pro'
Expected output: Test Suite 'MTConformanceTests' passed at ... с 7/7 tests passing.
Out of scope (audit exclusions)
- Apple platform vulnerabilities (Keychain bypass на jailbroken devices)
- liboqs internal cryptanalysis — defer to NIST PQC validation + open-quantum-safe community
- iOS simulator-only tests — production audit on physical devices
- App Store review process — compliance only
Phase roadmap status (final)
| Phase | Scope | Status |
|---|---|---|
| 2.1 | Crypto conformance vs Rust mt-crypto byte-exact | ✅ done (code) — pending Xcode test |
| 2.2 | Wire format encode/decode iOS-side (port mt-net) | ✅ done |
| 2.3 | Network transport (TLS 1.3 + IBT) | ✅ done (Network.framework) |
| 2.4 | Wallet + Anchor + Messenger services | ✅ scaffold |
| 2.5 | Юнона MVP (permission + LLM runtime + injection mitigation) | ✅ MVP (LLM runtime defer to operator choice) |
| 3.0 | Internal security utilities (jailbreak / anti-tampering) | ✅ scaffold |
| 4.0 | External audit firm engagement | ⏳ требует автора |
Build & reproduction
Toolchain
- Xcode 15.4+ (Swift 5.9+)
- iOS deployment target: 17.0+
- macOS for development: Sequoia 15.7.3+
Build
cd /Users/kh./Python/Ничто/Монтана/iOS/Apps/Montana
xcodebuild -project Montana.xcodeproj -scheme Montana -configuration Release \
-destination 'platform=iOS Simulator,name=iPhone 15 Pro' build
Run XCTest conformance
xcodebuild test -project Montana.xcodeproj -scheme Montana \
-destination 'platform=iOS Simulator,name=iPhone 15 Pro'
Manual reproduction Rust reference values
cd /Users/kh./Python/Ничто/Монтана/Русский/Протокол/Код
cargo test -p mt-conformance
cargo test -p mt-net-transport --features testing
cargo test -p mt-net --features testing
Audit firm checklist (Phase 4 deliverable)
Полный checklist в Протокол/Код/AUDIT.md + Протокол/Код/docs/audit-checklist.md + iOS-specific items ниже:
iOS-specific
- Privacy manifest (
PrivacyInfo.xcprivacy) compliance App Store 2024+ - App Transport Security (ATS) policies в
Info.plist(TLS 1.3 enforced + cert pinning) - Entitlements review (
Montana.entitlements) - Code signing chain validation
- Jailbreak detection effectiveness (Frida-resistant?) —
JailbreakDetector.detect()baseline есть - Runtime memory protection (heap dump для secrets)
- IPC surface (Custom URL schemes, Universal Links, App Groups)
- Keychain access groups configuration —
kSecAttrAccessibleWhenUnlockedThisDeviceOnly - Secure Enclave usage где возможно
- Biometric authentication flow correctness —
LocalAuthenticationframework
Cross-platform conformance
- All KAT vectors из mt-conformance byte-exact в iOS — XCTest harness ready
- Differential testing iOS liboqs vs Rust OpenSSL для ML-DSA-65
- Differential testing iOS liboqs vs Rust для ML-KEM-768
- Mnemonic → seed → keypair end-to-end (M1 recovery flow) — Swift impl ready
- Transfer signing flow byte-exact —
WalletService.buildTransferModeAready - IBT proof construction iOS-side byte-exact —
IBTProof.onlineready
Юнона (App spec section 17 compliance)
- 3-level permission model enforced (
JunonaPermissionEnforcer.decide) - 8 write ops × whitelist + per-op confirmation для Assistant level
- daily_write_op_cap rolling per τ₂ window
- Indirect prompt injection mitigation (
JunonaInjectionFilter.sanitize+detectAnomalousOutput) - LLM runtime sandboxing (operator choice — defer to Phase 4 selection)
Production audit firms (рекомендации)
- NCC Group — strong PQ crypto + iOS wallet experience
- Trail of Bits — blockchain wallet specialty
- Cure53 — Berlin, mobile + crypto
- Quarkslab — French firm, hardware + iOS
- Cryspen — formal verification (HACL* contributors), для PQ crypto bottom layer
Estimated cost / timeline
- iOS-only audit: $30k-$100k за 3-6 недель (smaller scope чем full protocol audit)
- Combined Rust + iOS audit: $50k-$250k за 4-8 недель (recommended — single firm для cross-implementation conformance verification)