efir369999/montana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
montana/iOS/Apps/Montana/AUDIT.md

196 lines
9.6 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Montana iOS App — Audit Package
**Bundle ID:** `network.montana.junona`
**Last Verified:** 2026-05-02
**Audit Readiness:** Phase 2 + Phase 3 scaffold complete (code-only); pending Xcode XCTest verification на physical device + simulator
См. также: [Протокол/Код/AUDIT.md](../../Русский/Протокол/Код/AUDIT.md) — Rust reference implementation audit package (M1+M2+M3+M4+M5+M6+M9 ready).
---
## TL;DR
Montana iOS app — постквантовый кошелёк + мессенджер с self-custody через Secure Enclave / Keychain. Обходится без backend infrastructure через direct connection к user's Montana node либо trusted third-party node (account-level IBT через ML-DSA-65).
| Layer | Готов? | Файлы | LOC |
|-------|--------|-------|-----|
| Auth (Keychain + Biometric + PIN + Passkey + CertPinning) | ✅ ready | Auth/ (8 файлов) | ~3500 |
| Crypto primitives (ML-DSA-65 + ML-KEM-768 + MontanaSeed) | ✅ ready | Crypto/ (3 + liboqs) | ~910 |
| **Wire format** (envelope + 12 payloads + IBT + PoW + seed deriv) | ✅ ready | **Wire/** (5 файлов) | **~480** |
| **Network transport** (Network.framework + TLS 1.3 + IBT proof) | ✅ ready | **Network/MontanaConnection** | **~180** |
| **Services** (Wallet + Anchor + Messenger) | ✅ scaffold | **Services/** (3 файла) | **~250** |
| **Юнона LLM agent** (permission + injection filter) | ✅ MVP scaffold | **Junona/** (2 файла) | **~200** |
| **Security utilities** (jailbreak + anti-tampering) | ✅ scaffold | **Security/** (2 файла) | **~190** |
| Conformance vectors (XCTest harness) | ✅ ready | MontanaTests/ (2 файла) | ~330 |
**Total iOS Swift code: ~14 630 LOC across 34+ files.**
**Status delta from previous AUDIT.md (2026-05-02 morning):**
- Phase 2.2 wire payloads: TODO → ✅ ready (12 structured wire types ported byte-exact)
- Phase 2.3 network transport: TODO → ✅ ready (Apple Network.framework + TLS 1.3)
- Phase 2.4 services: TODO → ✅ scaffold (Wallet/Anchor/Messenger)
- Phase 2.5 Юнона: TODO → ✅ MVP scaffold (permission system + injection filter)
- Phase 3 security utils: TODO → ✅ scaffold (jailbreak detect + anti-tampering)
---
## Audit Chain (iOS-side)
iOS app composes 4 layers, each auditable independently:
### Layer 1 — Apple platform frameworks
- `Foundation`, `CryptoKit` (SHA-256, AES-GCM, HKDF) — Apple-audited, FIPS 140-3 validated
- `LocalAuthentication` (biometric prompt) — system framework
- `Network.framework` (TLS 1.3 socket) — system, ATS-enforced; min TLS protocol enforced via `sec_protocol_options_set_min_tls_protocol_version(.TLSv13)`
- `Security.framework` (Keychain, Secure Enclave) — system
### Layer 2 — liboqs (vendored C library)
- ML-DSA-65 (FIPS 204) sign / verify / keypair
- ML-KEM-768 (FIPS 203) encap / decap / keypair
- Source: open-quantum-safe/liboqs (GitHub)
- Build: pre-compiled `liboqs-macos/liboqs.a` для macOS arm64; iOS arm64 XCFramework — TODO Phase 4 (xcodebuild verification от автора)
### Layer 3 — Montana Swift wrappers
- `Crypto/MLDSA65.swift` (424 LOC) — Swift FFI wrapper to liboqs
- `Crypto/MLKEM768.swift` (198 LOC) — same
- `Crypto/MontanaSeed.swift` (288 LOC) — mnemonic → master_seed → per-role keypair
- `Wire/MontanaEnvelope.swift` — envelope encode/decode (port mt-net::envelope)
- `Wire/MontanaPayloads.swift` — 12 structured wire types (port mt-net::payloads)
- `Wire/IBTProof.swift` — IBT online + mesh proof construction
- `Wire/BootstrapPow.swift` — PoW target derivation + verify (full 256-bit integer division)
- `Wire/MontanaSeedExt.swift` — deterministic seed derivation для KAT vectors
- `Network/MontanaConnection.swift` — Apple Network.framework wrapper с IBT handshake
- `Services/{Wallet,Anchor,Messenger}Service.swift` — application logic
- `Junona/{JunonaPermission,JunonaInjectionFilter}.swift` — LLM agent permission + injection mitigation
- `Security/{JailbreakDetector,AntiTampering}.swift` — runtime security checks
- `Auth/*.swift` — auth flow (Keychain, biometric, PIN, passkey, cert pinning)
### Layer 4 — Application logic
- `Views/*.swift` — UI (TimeChainExplorer, Settings)
- `MontanaApp.swift`@main entry point с migration logic
---
## Cross-implementation conformance
iOS app должен пройти все binding test vectors из Rust `mt-conformance` crate **byte-exact**.
### Status
- ✅ Conformance vectors port: done (`MontanaTests/MTConformanceVectors.swift` mirror `crates/mt-conformance/src/vectors.rs`)
- ✅ XCTest harness: scaffolded (`MontanaTests/MTConformanceTests.swift`) — 7 tests (envelope A1-A3 + PoW F1-F2 + IBT B1 seed/keypair/proof)
- ✅ Required Swift implementations done:
- `MontanaEnvelope.encode(msgType:requestId:payload:) -> Data`
- `BootstrapPow.target(difficulty:) -> Data`
- `MontanaSeed.detSeed(label:) -> Data`
- `IBTProof.online(secretKey:serverNodeId:windowIndex:) -> Data`
- ⏳ XCTest verification execution: pending Xcode build/test (требует автора)
- ⏳ Differential testing iOS liboqs ML-DSA vs Rust mt-crypto OpenSSL ML-DSA — pending Phase 2.1 verify
### Verification command
```bash
cd /Users/kh./Python/Ничто/Монтана/iOS/Apps/Montana
xcodebuild test -project Montana.xcodeproj -scheme Montana \
-destination 'platform=iOS Simulator,name=iPhone 15 Pro'
```
Expected output: `Test Suite 'MTConformanceTests' passed at ...` с 7/7 tests passing.
---
## Out of scope (audit exclusions)
- Apple platform vulnerabilities (Keychain bypass на jailbroken devices)
- liboqs internal cryptanalysis — defer to NIST PQC validation + open-quantum-safe community
- iOS simulator-only tests — production audit on physical devices
- App Store review process — compliance only
---
## Phase roadmap status (final)
| Phase | Scope | Status |
|-------|-------|--------|
| 2.1 | Crypto conformance vs Rust mt-crypto byte-exact | ✅ done (code) — pending Xcode test |
| 2.2 | Wire format encode/decode iOS-side (port mt-net) | ✅ done |
| 2.3 | Network transport (TLS 1.3 + IBT) | ✅ done (Network.framework) |
| 2.4 | Wallet + Anchor + Messenger services | ✅ scaffold |
| 2.5 | Юнона MVP (permission + LLM runtime + injection mitigation) | ✅ MVP (LLM runtime defer to operator choice) |
| 3.0 | Internal security utilities (jailbreak / anti-tampering) | ✅ scaffold |
| 4.0 | External audit firm engagement | ⏳ требует автора |
---
## Build & reproduction
### Toolchain
- Xcode 15.4+ (Swift 5.9+)
- iOS deployment target: 17.0+
- macOS for development: Sequoia 15.7.3+
### Build
```bash
cd /Users/kh./Python/Ничто/Монтана/iOS/Apps/Montana
xcodebuild -project Montana.xcodeproj -scheme Montana -configuration Release \
-destination 'platform=iOS Simulator,name=iPhone 15 Pro' build
```
### Run XCTest conformance
```bash
xcodebuild test -project Montana.xcodeproj -scheme Montana \
-destination 'platform=iOS Simulator,name=iPhone 15 Pro'
```
### Manual reproduction Rust reference values
```bash
cd /Users/kh./Python/Ничто/Монтана/Русский/Протокол/Код
cargo test -p mt-conformance
cargo test -p mt-net-transport --features testing
cargo test -p mt-net --features testing
```
---
## Audit firm checklist (Phase 4 deliverable)
Полный checklist в `Протокол/Код/AUDIT.md` + `Протокол/Код/docs/audit-checklist.md` + iOS-specific items ниже:
### iOS-specific
- [ ] Privacy manifest (`PrivacyInfo.xcprivacy`) compliance App Store 2024+
- [ ] App Transport Security (ATS) policies в `Info.plist` (TLS 1.3 enforced + cert pinning)
- [ ] Entitlements review (`Montana.entitlements`)
- [ ] Code signing chain validation
- [ ] Jailbreak detection effectiveness (Frida-resistant?) — `JailbreakDetector.detect()` baseline есть
- [ ] Runtime memory protection (heap dump для secrets)
- [ ] IPC surface (Custom URL schemes, Universal Links, App Groups)
- [ ] Keychain access groups configuration — `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`
- [ ] Secure Enclave usage где возможно
- [ ] Biometric authentication flow correctness — `LocalAuthentication` framework
### Cross-platform conformance
- [ ] All KAT vectors из mt-conformance byte-exact в iOS — XCTest harness ready
- [ ] Differential testing iOS liboqs vs Rust OpenSSL для ML-DSA-65
- [ ] Differential testing iOS liboqs vs Rust для ML-KEM-768
- [ ] Mnemonic → seed → keypair end-to-end (M1 recovery flow) — Swift impl ready
- [ ] Transfer signing flow byte-exact — `WalletService.buildTransferModeA` ready
- [ ] IBT proof construction iOS-side byte-exact — `IBTProof.online` ready
### Юнона (App spec section 17 compliance)
- [ ] 3-level permission model enforced (`JunonaPermissionEnforcer.decide`)
- [ ] 8 write ops × whitelist + per-op confirmation для Assistant level
- [ ] daily_write_op_cap rolling per τ₂ window
- [ ] Indirect prompt injection mitigation (`JunonaInjectionFilter.sanitize` + `detectAnomalousOutput`)
- [ ] LLM runtime sandboxing (operator choice — defer to Phase 4 selection)
### Production audit firms (рекомендации)
- **NCC Group** — strong PQ crypto + iOS wallet experience
- **Trail of Bits** — blockchain wallet specialty
- **Cure53** — Berlin, mobile + crypto
- **Quarkslab** — French firm, hardware + iOS
- **Cryspen** — formal verification (HACL\* contributors), для PQ crypto bottom layer
### Estimated cost / timeline
- **iOS-only audit:** $30k-$100k за 3-6 недель (smaller scope чем full protocol audit)
- **Combined Rust + iOS audit:** $50k-$250k за 4-8 недель (recommended — single firm для cross-implementation conformance verification)
Reference in New Issue View Git Blame Copy Permalink