← Back to WindowsHelper

Security Model

How WindowsHelper protects your PC + your phone, what cryptography we use, and what we explicitly don't defend against. Last updated: 2026-04-25.

reporting a vulnerability

Email windowshelperprogram@gmail.com with subject [security]. Please don't open public GitHub issues — give us a window to ship a fix before disclosure.

Pairing-code lifecycle

The pairing code is the shared secret every other crypto operation derives from. The full lifecycle:

[ Phone GENERATES random 8-char code ]
   ↓
[ Phone WRITES code + sessionId to Firestore in pc_connections doc ]
   ↓
[ Phone DISPLAYS code to user on screen ]
   ↓
[ User READS code, types it into companion's input field ]
   ↓
[ Companion QUERIES Firestore for waiting session matching the code ]
   ↓
[ Both sides DERIVE crypto keys from SHA-256(code, sessionId) ]
   ↓
[ Code STAYS in memory on both sides; never written to Firestore by either ]
   ↓
[ Disconnect / re-pair WIPES the code from both sides ]

Cryptography

AES-256-GCM (command confidentiality + integrity)

Every command sent over the wire is encrypted with AES-256-GCM, an authenticated-encryption mode.

HMAC-SHA256 (command authenticity)

Every command also carries an HMAC signature so a phone that doesn't know the pairing code cannot inject commands even if it can write to Firestore.

Threat model

ThreatStatusNotes
Eavesdropper on the local networkMitigatedAES-GCM ciphertext is opaque to MITM observers.
Eavesdropper on Firestore serversMitigatedGoogle sees AESGCM:... blobs, not commands.
Attacker who can write to Firestore but doesn't know the codeMitigatedHMAC verification fails; companion logs the rejection + refuses execution.
Attacker who cracked / phished the pairing codeResidualThey can issue commands as if they were the user. Mitigation: rotate the code from the tray menu.
Replay of a recorded commandResidualsentAtMillis is HMAC-bound; companion doesn't yet enforce a freshness window. Future fix adds a TTL.
LAN-mode unauthenticated attackerMitigatedWebSocket pair handshake validates the code; HMAC + AES gate every subsequent command.
Compromised phone with stolen pairing keyResidualIndistinguishable from "the user themselves." Mitigation: rate limit (10 cmd/min) + destructive-command confirmation requires PC-side click.
Mistyped command from phone appMitigatedPhone-side allowlist blocks unrecognized prefixes; companion-side pre-flight blocks commands targeting nonexistent services.
Destructive command run accidentallyMitigatedCompanion-side modal requires user click to approve Remove-Item, Format-Volume, reg delete, shutdown /r, etc.
Hung / runaway PowerShell processMitigatedHard 5-minute timeout kills the entire process tree.
Companion .exe tampering between download and runMitigatedSHA-256 published in companion-version.json; users can verify. Authenticode signing landing soon.
Companion crash leaking sensitive stateMitigatedCrash reports + Firestore error writebacks sanitize %USERPROFILE% / %MACHINE% / %USER%.
Stolen device, persisted Registry pairing keyResidualAn attacker with disk + login access could read the persisted code. Future fix wraps it with Windows DPAPI.

Out of scope

Things WindowsHelper explicitly does not defend against:

Disclosure