How WindowsHelper protects your PC + your phone, what cryptography we use, and what we explicitly don't defend against. Last updated: 2026-04-25.
Email windowshelperprogram@gmail.com with subject [security]. Please don't open public GitHub issues — give us a window to ship a fix before disclosure.
The pairing code is the shared secret every other crypto operation derives from. The full lifecycle:
[ Phone GENERATES random 8-char code ] ↓ [ Phone WRITES code + sessionId to Firestore in pc_connections doc ] ↓ [ Phone DISPLAYS code to user on screen ] ↓ [ User READS code, types it into companion's input field ] ↓ [ Companion QUERIES Firestore for waiting session matching the code ] ↓ [ Both sides DERIVE crypto keys from SHA-256(code, sessionId) ] ↓ [ Code STAYS in memory on both sides; never written to Firestore by either ] ↓ [ Disconnect / re-pair WIPES the code from both sides ]
pairingCode; once paired, the code stays in memory exclusively.Every command sent over the wire is encrypted with AES-256-GCM, an authenticated-encryption mode.
SHA-256("WH_SECURE_{code}_{sessionId}_CMD_KEY").Random.secure() on phone or RandomNumberGenerator on companion.AESGCM:<nonce_b64>:<ciphertext_b64>:<tag_b64>Every command also carries an HMAC signature so a phone that doesn't know the pairing code cannot inject commands even if it can write to Firestore.
SHA-256("WH_SECURE_{code}_{sessionId}_HMAC_KEY"). Separate from the encryption key.HMAC-SHA256(hmacKey, commandId | ciphertext | sentAtMillis). The pipes are literal pipe characters, not delimiters — three concatenated strings.| Threat | Status | Notes |
|---|---|---|
| Eavesdropper on the local network | Mitigated | AES-GCM ciphertext is opaque to MITM observers. |
| Eavesdropper on Firestore servers | Mitigated | Google sees AESGCM:... blobs, not commands. |
| Attacker who can write to Firestore but doesn't know the code | Mitigated | HMAC verification fails; companion logs the rejection + refuses execution. |
| Attacker who cracked / phished the pairing code | Residual | They can issue commands as if they were the user. Mitigation: rotate the code from the tray menu. |
| Replay of a recorded command | Residual | sentAtMillis is HMAC-bound; companion doesn't yet enforce a freshness window. Future fix adds a TTL. |
| LAN-mode unauthenticated attacker | Mitigated | WebSocket pair handshake validates the code; HMAC + AES gate every subsequent command. |
| Compromised phone with stolen pairing key | Residual | Indistinguishable from "the user themselves." Mitigation: rate limit (10 cmd/min) + destructive-command confirmation requires PC-side click. |
| Mistyped command from phone app | Mitigated | Phone-side allowlist blocks unrecognized prefixes; companion-side pre-flight blocks commands targeting nonexistent services. |
| Destructive command run accidentally | Mitigated | Companion-side modal requires user click to approve Remove-Item, Format-Volume, reg delete, shutdown /r, etc. |
| Hung / runaway PowerShell process | Mitigated | Hard 5-minute timeout kills the entire process tree. |
| Companion .exe tampering between download and run | Mitigated | SHA-256 published in companion-version.json; users can verify. Authenticode signing landing soon. |
| Companion crash leaking sensitive state | Mitigated | Crash reports + Firestore error writebacks sanitize %USERPROFILE% / %MACHINE% / %USER%. |
| Stolen device, persisted Registry pairing key | Residual | An attacker with disk + login access could read the persisted code. Future fix wraps it with Windows DPAPI. |
Things WindowsHelper explicitly does not defend against:
[security].