Security model
July 2026
This page explains, in plain language, how Ahillah is built so that the Amanah Pledge is not a promise but a property of the architecture. Everything here is checkable in the open-source repository.
End-to-end encryption
Messages and one-to-one calls run on the Matrix protocol, using the Olm and Megolm cryptographic ratchets through vodozemac — the same audited Rust implementation used across the Matrix ecosystem. The encryption keys are generated and stored on your devices. Ahillah’s homeserver relays ciphertext; it cannot decrypt it.
Call media (audio and video) travels peer-to-peer where the network allows, encrypted with the standard WebRTC security layer (DTLS-SRTP), with a self-hosted TURN relay as fallback. The relay forwards encrypted packets; it cannot read them.
Push notifications that carry nothing
When a message arrives while the app is asleep, the push notification contains an opaque event ID only — never the message content, never the sender. The app wakes, connects, and decrypts locally. Someone watching the push pipeline learns only that something arrived, and when.
Accounts without identity
Your account is a username and a password, plus a recovery key that only you hold. There is no phone number, no email address, and no contact-book upload — the server has no identity graph to protect because it never builds one.
This has one honest consequence, stated plainly: if you lose both your password and your recovery key, no one can restore your account. We consider that the right trade.
What runs on your device (and never leaves it)
- Prayer-time calculation, Qibla direction, and the Hijri calendar — computed from your coordinates on the phone. Coordinates are never transmitted.
- The complete Quran, translations, duas, and adhkar — bundled with the app.
- Your prayer tracker and khatmah progress — stored locally, never synced.
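As an added illustration (not code from the Ahillah repository) of why the Qibla calculation needs no server: the bearing to the Kaaba is a pure function of the device's own coordinates, so there is nothing to send. The Kaaba coordinates are the commonly published reference values; the sample location in the demo is a constructed input.

```python
import math

# Reference coordinates of the Kaaba in Makkah (commonly published values).
KAABA_LAT = 21.4225
KAABA_LON = 39.8262


def qibla_bearing(lat: float, lon: float) -> float:
    """Initial great-circle bearing from (lat, lon) to the Kaaba.

    Returns degrees clockwise from true north in the range [0, 360).
    This is a pure function of the caller's coordinates: no network call,
    no lookup service, nothing that would require the location to leave
    the device.
    """
    phi1 = math.radians(lat)
    phi2 = math.radians(KAABA_LAT)
    dlon = math.radians(KAABA_LON - lon)
    # Standard forward-azimuth formula on a sphere.
    x = math.sin(dlon) * math.cos(phi2)
    y = (math.cos(phi1) * math.sin(phi2)
         - math.sin(phi1) * math.cos(phi2) * math.cos(dlon))
    return math.degrees(math.atan2(x, y)) % 360.0


def compass_label(bearing: float) -> str:
    """Map a bearing to a 16-point compass label for display on the phone."""
    points = ["N", "NNE", "NE", "ENE", "E", "ESE", "SE", "SSE",
              "S", "SSW", "SW", "WSW", "W", "WNW", "NW", "NNW"]
    return points[int((bearing + 11.25) // 22.5) % 16]


if __name__ == "__main__":
    # Constructed sample input: central London. Nothing here is transmitted.
    lat, lon = 51.5074, -0.1278
    b = qibla_bearing(lat, lon)
    print(f"Qibla from ({lat}, {lon}): {b:.1f} deg ({compass_label(b)})")
```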
What the server can see
- Your username and display name.
- Questions you send to verified scholars. These must be readable by the service so they can be routed, moderated, and — only with your explicit consent — published in the public answers library. The app states this on the ask screen itself, offers anonymous asking, and links the fully private alternative: an end-to-end encrypted DM to a scholar.
- Mosque-directory edits you submit — community iqamah times are public by design.
Mosque search never sends your GPS location in the background. Nothing is queried until you explicitly tap “Search this area”; the search endpoint is unauthenticated, so area queries are never linked to your account; and the API server runs with access logging off.
Self-hosting
The entire stack — homeserver, TURN relay, API — is open source and designed to be self-hostable. A community that wants to run its own Ahillah infrastructure can.
Reporting a vulnerability
Found something? Write to the contact address in the footer, or open a security advisory on GitHub. We will respond, credit you if you wish, and publish the fix.
What comes next
Independent security review of the client is on the roadmap ahead of wide launch; findings will be published here.