Independent Android Security & Privacy Testing with Noghteha

Noghteha engaged 7ASecurity to perform an independent security and privacy assessment of its Android mesh messaging application, with the goal of strengthening user safety and validating privacy-by-design controls in high-risk connectivity environments.

Note: The audit was conducted on version 1.0.34, with fixes verified in version 1.0.35.

Android Security & Privacy Assessment

Why independent testing matters for high-risk mobile apps

For mobile products that support communications under censorship, congestion, or outages, the security bar is fundamentally different. Attack surfaces expand beyond typical “app + API” patterns to include proximity networking, device-resident artifacts, and the operational realities of users who may face device seizure or targeted surveillance. Independent testing helps teams identify the most important risks early, prioritize mitigations, and maintain confidence as features evolve.

What Noghteha is building

Noghteha is designed for secure, decentralized messaging when internet access is unreliable or unavailable. It supports nearby peer-to-peer communication over Bluetooth mesh networking, with additional transport options such as WiFi Aware and optional online routing through decentralized networks when connectivity exists. The product emphasizes end-to-end encryption, cryptographic identities (no phone number), encrypted local storage, and user-focused safety features such as Panic Mode and Stealth Mode.

  • Offline-first communications via Bluetooth mesh networking
  • Multiple transport layers for resilience (including WiFi Aware and optional online routing when available)
  • End-to-end encryption and cryptographic identities (no phone number required)
  • Encrypted local storage, with transparent permission explanations
  • User safety controls such as Panic Mode and Stealth Mode

Engagement overview

The engagement focused on the Android application and followed a whitebox methodology: source code review combined with targeted dynamic verification using release and debug builds. The work emphasized practical, developer-actionable outcomes and prioritized realistic abuse cases for a decentralized communications client.

Typical areas covered in an Android security and privacy assessment

  • Authentication and sensitive-action gating (including idle/lock behavior where applicable)
  • Cryptography and key management (correctness, lifecycle, and safe usage patterns)
  • Local storage and device-resident artifacts (databases, caches, logs, media handling)
  • Transport security across networking modes (peer-to-peer and online paths, where present)
  • Hardening of release builds and reduction of exposed debug/diagnostic surfaces
  • Privacy data-flow verification: what is stored, what is transmitted, and what third parties can infer
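As an added example (not code from 7ASecurity or Noghteha), the following Python checker illustrates the release-build hardening and exposed-surface items in the list above. It runs over an AndroidManifest.xml as decoded by apktool and flags a debuggable build, backup left enabled, cleartext traffic allowed, and activities, services, receivers or providers that are reachable from other apps without a permission gate. The manifest content, package name and component names are constructed for illustration; a real review pairs these static findings with runtime verification on the device.

```python
"""Static hardening checks over a decoded AndroidManifest.xml.

Added example, not code from 7ASecurity or Noghteha. Input is the text
manifest produced by `apktool d app.apk` (binary XML decoded to plain XML).
"""
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(comp) -> bool:
    """A MAIN/LAUNCHER activity is expected to be exported; do not flag it."""
    for f in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        cats = {_attr(c, "name") for c in f.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False


def check_manifest(xml_text: str) -> List[str]:
    """Return a list of human-readable findings; empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]

    if _attr(app, "debuggable") == "true":
        findings.append("application: android:debuggable=true (debugger attach, "
                        "run-as access to app data)")
    if _attr(app, "allowBackup") != "false":
        findings.append("application: android:allowBackup not set to false "
                        "(app data may be extracted via backup)")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append("application: android:usesCleartextTraffic=true")

    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = _attr(comp, "name")
        exported = _attr(comp, "exported")
        # Android 12+ requires an explicit android:exported when an
        # intent-filter is present; on older targets a filter implies exported.
        implicit = exported is None and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and not _attr(comp, "permission"):
            if comp.tag == "activity" and _is_launcher(comp):
                continue
            how = "implicitly via intent-filter" if implicit else "explicitly"
            findings.append(f"{comp.tag} {name}: exported {how} without a "
                            f"protecting android:permission")
    return findings


# Constructed sample of a poorly hardened build (hypothetical app and names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.meshchat">
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugConsoleActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.meshchat.SYNC"/></intent-filter>
    </receiver>
    <provider android:name=".MessageProvider"
        android:authorities="com.example.meshchat.messages"
        android:exported="false"/>
  </application>
</manifest>
"""

# Constructed sample of the same app after hardening.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.meshchat">
  <application android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="false"/>
    <provider android:name=".MessageProvider"
        android:authorities="com.example.meshchat.messages"
        android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label} ==")
        for line in check_manifest(text) or ["no findings"]:
            print(" -", line)
```

Run it against the output directory of apktool and treat each finding as a lead to confirm dynamically, for example by attempting `adb backup` or by invoking the exported component from a second, unprivileged test app.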

How security testing adds value beyond a checklist

For engineering leaders, an effective assessment is not just about coverage; it is about clarity. The best outcomes are a prioritized remediation plan, clear replication guidance, and measurable changes that reduce real-world risk. This is especially important for mobile apps where threats often combine platform behavior, network conditions, and user workflows.

  • Focused on realistic attacker models and operational constraints
  • Validated controls end-to-end (not only in code, but in runtime behavior)
  • Delivered remediation guidance that supports iterative hardening over time

About 7ASecurity

7ASecurity is an ISO 27001 and SOC 2 certified cybersecurity consultancy and an OWASP Platinum Supporter. Since 2011, we have delivered manual, researcher-led penetration tests and secure code audits for commercial teams and major foundations. Our engagements are tailored to the client’s architecture and release cadence, with clear replication steps and remediation guidance so engineering teams can measure and sustain improvements.

Further reading and community resources

For examples of our public technical work and community initiatives, see:

Next steps

If you are building an Android product where user safety depends on secure local storage, resilient transports, and trustworthy privacy guarantees, we are happy to discuss an assessment approach tailored to your architecture and release cadence.