Loxation
Security & privacy
- All communications with the server are authenticated and encrypted even when you don't give your name
- You control any information that is made available to other people or parties
- When you use the application anonymously, your device is authenticated with Apple (for iPhone) and Google (for Android)
- Messages to other people are not stored on the server after transient transmission, and transmissions are encrypted using MLS (IETF RFC 9420) key exchange/management with AES-GCM as the underlying cryptographic algorithm
- Your location is transiently sent to the server for locating other people matching privacy filters you create. Locations are not tracked over time or after you leave a location
- Beacons: BLE and UWB are used to identify locations and other users in your proximity
- Profiles, messages, and notes you create are specific to these locations and only available at the location they are created at
- Messages are end-to-end encrypted
- Your private notes are only kept on your mobile device
- No one else is allowed access to your data
- We keep your private data private and on your device, and let you control who has access to your public info
- Your public information is only available at your current location
- We do not sell your data to third parties
Security & Privacy
- Encrypted and private communications to local users using Bluetooth Low Energy (BLE)
- Messages are encrypted end-to-end with AES-GCM
- Ephemeral keys are exchanged using the Noise Protocol for direct messaging and MLS (IETF RFC 9420) for group messaging
- End-to-end encrypted messages may be routed to known and verified users who are mutual favorites or members of an MLS group
- Loxation enables location-based authentication and geofencing
- Geofenced authentication provider using TOTP one-time codes
Technical Details
This application is designed so that your physical presence is discoverable only in the moment. BLE beacons use rapidly rotating, memory-only cryptographic keys and private addresses, so there are no stable identifiers that third parties can use to track or profile your movements over time.
Once an encrypted channel is established, device and user identities are authenticated using App Attest / Play Integrity and MLS, but those identifiers never appear in public radio traffic. Messages are protected with modern end-to-end encryption and periodic rekeying to maintain forward secrecy.
For a full technical description of this, see the Loxation Technical Privacy Whitepaper.