A Security Audit of ShellDrop with Project Glasswing

10 June 2026 · Daniel Bilsborough

Worked with Fable 5 on a security audit of ShellDrop today. It used Glasswing, Cloudflare's multi-agent security-review pipeline. Agents were 8 hunters, 3 verifiers.

The architecture strengths it confirmed

• SSH passwords + private keys live in the iOS Keychain, device-only. Never synced to iCloud, excluded from backups.
• Secure Enclave-backed keys. The private key is generated inside the hardware and never leaves it; the app never holds the bytes.
• No analytics or telemetry, no third-party SDKs. Nothing phones home.
• Nothing sensitive is logged. No passwords, hostnames, or terminal output written to logs.
• TOFU host-key verification. Pins each server's key on first connect and blocks the session if it changes (MITM protection).
• Only public key + metadata sync. Private key material never touches CloudKit; connection sync carries no credentials.
• Encrypted/malformed key import is rejected safely. The key parser is bounds-checked, no crash-on-hostile-input.
• Keys generated with the system CSPRNG (CryptoKit), and there's no private-key export path (only the public key can be copied).
• App Store privacy label: "Data Not Collected." True, the app transmits nothing.

ShellDrop is on the App Store. Universal iPhone and iPad, iOS 17+.

Download on the App Store