Core Security Principles
Self-Custody
Your keys, your Bitcoin. Sovran never has access to your private keys or funds.
Local-First Storage
All sensitive data is stored locally on your device using encrypted secure storage.
No Data Collection
Sovran collects zero analytics, telemetry, or personal information.
Open Source
Fully transparent codebase that you can audit and verify.
Security Architecture
Key Management
Sovran uses industry-standard cryptographic derivation paths:
- BIP-39: 12-word mnemonic seed phrase
- BIP-32: Hierarchical Deterministic (HD) key derivation
- NIP-06: Nostr key derivation from mnemonic
- NUT-13: Cashu wallet key derivation
All keys are derived from a single master mnemonic stored in your device’s secure enclave (iOS Keychain / Android Keystore).
Encryption Layers
| Layer | Technology | Purpose |
|---|---|---|
| Secure Storage | expo-secure-store | Mnemonic and derived keys |
| Passcode Lock | 4-digit PIN | App access protection |
| Nostr Encryption | NIP-04, NIP-17, NIP-44 | Encrypted direct messages |
| Cashu Proofs | HMAC-SHA256 | Ecash token integrity |
Privacy Features
Zero Data Collection
Sovran does not collect, transmit, or store:
- Analytics or usage data
- IP addresses or location data (unless you enable location stamps)
- Personal information
- Transaction history on remote servers
Local-Only Storage
All wallet data is stored locally using:
- expo-secure-store: For mnemonics and private keys
- expo-sqlite: For transaction history and mint data
- AsyncStorage: For app settings and preferences
Privacy-Preserving Ecash
Cashu tokens provide strong privacy guarantees:
- Unlinkable transactions
- No transaction graph analysis
- Mint cannot track spending patterns
- Blinded signatures for anonymity
Optional Location Privacy
Location stamps are:
- Disabled by default
- Only stored locally
- Jittered by ±50m (randomized coordinates)
- Never transmitted to mints or third parties
Security Best Practices
Backup Your Seed Phrase
Write down your 12-word recovery phrase on paper and store it securely offline. This is the only way to recover your wallet.
Enable Passcode Lock
Set a 4-digit PIN to protect app access. The passcode is never persisted to disk.
Verify Mint Authenticity
Only add mints you trust. Use the Know Your Mint feature to check mint metadata and health.
Threat Model
What Sovran Protects Against
- Device loss or theft (with passcode enabled)
- Network eavesdropping on Nostr messages (NIP-17 encryption)
- Mint tracking of spending patterns (Cashu privacy)
- Unauthorized app access (passcode gate)
- Key compromise via cloud storage (local-only secure storage)
What Sovran Does NOT Protect Against
Security Audits
Sovran is open source and welcomes security research. Report vulnerabilities responsibly via GitHub Security Advisories.
Related Documentation
- Wallet Recovery: Restore your wallet from seed phrase
- Passcode Lock: Configure 4-digit PIN protection
- Key Derivation: Technical details of key management
- Privacy Features: Privacy-preserving design patterns