FlashDesk Security

FlashDesk is designed to handle the communication, connection approval, device verification, and operational management required for remote control. Screen video and control data are encrypted per session, and access to the destination can be controlled through manual approval or a password.

Per-session encryption

FlashDesk media communication and control data are encrypted with keys generated when a session starts. Key exchange uses ECDH P-256, key derivation uses HKDF-SHA256, and encryption uses AES-256-GCM.
Each packet includes a sequence number and authentication tag so tampering and replayed old packets can be detected.

P2P first, relay when needed

During a session, video and control data are sent directly between devices whenever possible. If the network environment prevents direct connection, FlashDesk switches to relay routing, while media and control payloads continue to be sent encrypted with the session key.

Explicit permission on the destination side

On the destination side, access can be allowed through manual approval or password-based authorization. Manual approval can allow a connection only once, or allow it for a selected amount of time. Time-limited sessions disconnect automatically when the limit is reached.

Device fingerprint verification

FlashDesk creates a device identity key for each installation and derives a fingerprint from its public key. If the fingerprint of a previously trusted destination changes, FlashDesk warns so you can check whether the destination device has changed.

Signaling and license communication

FlashDesk uses WebSocket over TLS (wss://) to start connections and exchange candidate information. API communication such as license verification uses HTTPS. The signaling server relays the information needed to start a connection, while media communication is handled by the encrypted session after it is established.

OS permissions and local protection

FlashDesk follows the permission flows required by each OS, such as macOS Screen Recording and Accessibility permissions, and Linux Wayland screen sharing permissions. Saved connection information and passwords are processed to avoid plaintext storage.

Operational recommendations

We recommend avoiding saved passwords on shared PCs, deleting destinations you no longer need, not approving fingerprint changes you do not recognize, and using time limits or automatic disconnect for long-running sessions.

View features Security contact

Design highlights

  • Screen video and control data are encrypted per session
  • Direct connections are preferred, with relay routing used when needed
  • Manual approval and password-based authorization are supported
  • Device fingerprints help detect destination changes
  • Pro adds team management through the admin console