SentinelPrivacy

Security Architecture Changelog

v1.0.8 · Public Release
SentinelPrivacy is an open-source, rooted Android security application for high-risk individuals. Every feature listed below was built in response to a documented threat vector. Nothing here is cosmetic.

Emergency Response

01 Dual-Stage Red Button

Feature: Single tap: immediate biometric killswitch and full sensor blackout. Long press: activates lockdown, then reboots into the Before First Unlock (BFU) state.
Implementation: LockdownManager.activate() calls setKeyguardDisabledFeatures(KEYGUARD_DISABLE_BIOMETRICS | KEYGUARD_DISABLE_TRUST_AGENTS), then lockNow(). SensorLockManager disables the mic, camera, and motion sensors. Long press runs activate() first, then RootShell.run("reboot").
Threat Mitigated: Biometric coercion (single tap) — a fingerprint can be compelled by force; a PIN/password cannot. RAM forensics (long press) — a BFU reboot purges all decrypted key material from memory before any imaging tool can reach it.

02 Volume Button Duress

Feature: Holding both volume buttons simultaneously for 3 seconds triggers full lockdown silently, from any screen, without opening the app.
Implementation: VolumeButtonDuressService runs as a foreground service intercepting VOLUME_CHANGED_ACTION broadcasts. When both up and down volume changes are detected within the same 3-second window via Handler polling, LockdownManager.activate() is called.
Threat Mitigated: Coercion under observation. An attacker watching the screen sees nothing — no app opens, no UI change. The lockdown is indistinguishable from accidentally adjusting the volume.
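The 3-second window logic described above, modelled as an added example (not SentinelPrivacy's own code): a detector is fed timestamped volume events and reports the moments at which lockdown would be activated, using constructed sample events.

```python
from collections import deque

WINDOW_SECONDS = 3.0   # the page's 3-second window


class VolumeDuressDetector:
    """Models VolumeButtonDuressService: activate lockdown when an 'up' and
    a 'down' volume change are both seen inside one window. Timestamps are
    seconds; the Android service would take them from the broadcast time."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = deque()          # (timestamp, direction), oldest first

    def on_volume_change(self, timestamp, direction):
        if direction not in ("up", "down"):
            raise ValueError(f"unknown direction {direction!r}")
        # Expire events that fell out of the window before evaluating.
        while self.events and timestamp - self.events[0][0] > self.window:
            self.events.popleft()
        self.events.append((timestamp, direction))
        if {d for _, d in self.events} == {"up", "down"}:
            self.events.clear()        # one activation per window, then rearm
            return True                # caller runs LockdownManager.activate()
        return False


def replay(events, window=WINDOW_SECONDS):
    """Return the timestamps at which lockdown would have been activated."""
    detector = VolumeDuressDetector(window)
    return [t for t, d in events if detector.on_volume_change(t, d)]


# Constructed sample: two ordinary volume-up presses, then both buttons held
# (the rocker reports alternating up/down), then a lone press much later.
SAMPLE_EVENTS = [
    (0.0, "up"), (1.0, "up"),
    (10.0, "down"), (11.5, "up"),
    (30.0, "down"),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))   # [11.5]
```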

03 Quick Settings Tile

Feature: A tile labeled "Privacy" in the notification shade provides one-tap duress response accessible directly from the lock screen.
Implementation: DuressTileService extends TileService. On tap, it switches Android to the decoy user via UserSwitcherHardener. The tile label is deliberately generic to avoid drawing attention.
Threat Mitigated: Observed duress scenarios. When a device owner is under observation and cannot reach the app, a swipe-down from the lock screen reaches the tile in under 2 seconds.

04 Duress PIN

Feature: A second PIN at the app unlock screen that appears to authenticate successfully but silently switches the device to the decoy user profile.
Implementation: DuressPinManager stores the duress PIN as PBKDF2-SHA256 (310,000 iterations) in a separate SharedPreferences file from the real gate hash. On match, am switch-user is called via root to the pre-seeded decoy user ID.
Threat Mitigated: Coerced PIN disclosure. Under legal or physical pressure, disclosing the duress PIN appears to comply while exposing only the decoy profile — no real data is accessible.

Physical Security

05 Zero-Trust USB Kill

Feature: USB data access is eliminated the instant a cable is inserted while the device screen is locked.
Implementation: UsbPlugReceiver intercepts USB_STATE and ACTION_POWER_CONNECTED broadcasts. Three commands execute: setprop sys.usb.config none (volatile), setprop persist.sys.usb.config none (persistent), svc usb setFunctions none (runtime). All three layers are required.
Threat Mitigated: Physical extraction via USB. Forensic tools (Cellebrite, GrayKey) require USB data negotiation. This closes the port before any handshake occurs.

06 Dead-Man Faraday Defense

Feature: If the device loses all network connectivity for more than 5 minutes, it automatically initiates full lockdown.
Implementation: AlarmManager.setExactAndAllowWhileIdle(RTC_WAKEUP) schedules a Doze-resistant watchdog every 5 minutes. LockdownAlarmReceiver fires on expiry and calls LockdownManager.activate() if the network is still dead.
Threat Mitigated: Faraday cage seizure. An adversary who places the device in a signal-blocking bag triggers automatic lockdown after 5 minutes. The device protects itself when it cannot call home.

07 Airplane Snap-Back

Feature: If airplane mode is enabled by anyone — through Settings, ADB, or physical buttons — the device immediately reverses the change during lockdown.
Implementation: AirplaneModeWatcher listens on android.intent.action.AIRPLANE_MODE. When fired during active lockdown, root commands immediately reverse the state. DevicePolicyManager.addUserRestriction(DISALLOW_AIRPLANE_MODE) applies a concurrent policy-layer block.
Threat Mitigated: Radio isolation before extraction. First responders frequently enable airplane mode to prevent remote wipe before forensic imaging. This keeps radios active so the owner can issue remote commands.

08 Shutdown Vault Seal

Feature: On any shutdown not initiated by SentinelPrivacy, the app destroys Keystore-backed encryption keys in the seconds before power cuts.
Implementation: ShutdownReceiver intercepts ACTION_SHUTDOWN at priority 999. goAsync() extends the window past 10 seconds. RebootGuard.isIntentional() distinguishes deliberate reboots from seizure-triggered shutdowns. On unexpected shutdown, KeyDestroyer wipes all app Keystore keys.
Threat Mitigated: Post-shutdown key extraction. A powered-off device with intact keys can be imaged and decrypted offline. Destroyed keys render the encrypted storage permanently inaccessible.

Coercion & Decoy

09 Decoy User Profile

Feature: An isolated Android user seeded with realistic lived-in content — contacts, messages, browsing history — that an adversary sees instead of real data.
Implementation: DecoyUserSeeder creates a secondary Android user via pm create-user and populates it with synthetic content. UserSwitcherHardener locks user-switcher settings during lockdown to prevent switching back without the real PIN.
Threat Mitigated: Compelled device inspection. When an adversary is shown the device and it appears normal and lived-in, there is no immediate indication a decoy is active.

10 Sensor Lockdown

Feature: Microphone, camera, and motion sensors can be individually or collectively disabled via Device Policy Manager restrictions.
Implementation: SensorLockManager calls DevicePolicyManager sensor restriction APIs independently for microphone, camera, and motion sensors. Lockdown activation enables all three automatically.
Threat Mitigated: Passive surveillance. A device in adversary hands with sensors active can record audio and capture images. DPM-level restrictions cannot be bypassed by any user-space app.

Data Protection

11 Encrypted Vault

Feature: AES-256-GCM encrypted file storage with hardware-backed keys. Biometric authentication gates the Class A (strongest) protection level.
Implementation: CryptoStore generates keys in StrongBox (preferred) or the TEE via Android Keystore. DataProtectionManager implements Class A protection using BiometricPrompt.CryptoObject — keys are only accessible within an active biometric session.
Threat Mitigated: Data extraction without authentication. Hardware-backed keys cannot be exported or used without the device being unlocked by the legitimate owner.

12 Encrypted Notes

Feature: A secure notes interface where content is encrypted at rest using AES-256-GCM before being written to storage.
Implementation: EncryptedNotesManager encrypts note content via CryptoStore before any write to getFilesDir(). Notes are never written in plaintext.
Threat Mitigated: Notes are a high-value forensic target. Plaintext notes in app storage are trivially extracted via root or backup. Encrypted notes yield only ciphertext.

13 Clipboard Guard

Feature: Monitors the system clipboard and automatically clears it after 60 seconds. Logs all clipboard activity to the audit log.
Implementation: ClipboardGuard registers a ClipboardManager.OnPrimaryClipChangedListener. On each change, a Handler posts a delayed clear at 60 seconds.
Threat Mitigated: Clipboard exfiltration. Copied passwords and sensitive text persist indefinitely by default. Any app with clipboard access can read them silently.

14 Metadata Scrubber

Feature: Strips GPS coordinates, timestamps, device model, and 14 other EXIF fields from photos before they leave the device.
Implementation: MetadataScrubber uses ExifInterface to zero out TAG_GPS_LATITUDE, TAG_GPS_LONGITUDE, TAG_GPS_ALTITUDE, TAG_MAKE, TAG_MODEL, TAG_SOFTWARE, TAG_DATETIME, TAG_ARTIST, TAG_COPYRIGHT, and additional fields.
Threat Mitigated: Location disclosure via image metadata. EXIF GPS data reveals home address, workplace, and travel routes to anyone who receives the image.

15 Location Kill Switch

Feature: Revokes location access for all installed apps in a single operation without disabling GPS at the system level.
Implementation: PrivacyLocationManager calls pm revoke <package> android.permission.ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION via root for each installed package.
Threat Mitigated: Passive location tracking. Apps with background location permission report position continuously. A single kill stops all of them without a reboot.

Hardening & Anti-Tamper

16 App Immortality

Feature: SentinelPrivacy cannot be uninstalled from Settings, safe mode cannot disable it, and factory reset is blocked — all at the Device Policy Manager layer.
Implementation: LockdownManager.enforceImmortal() calls dpm.setUninstallBlocked(true) on every launch. Lockdown adds DISALLOW_SAFE_BOOT and DISALLOW_FACTORY_RESET via dpm.addUserRestriction(). Enforced by the Android framework, not the app process.
Threat Mitigated: Trivial removal. Safe mode disables third-party apps on boot. Factory reset wipes the app and its audit log. All three surfaces are closed.

17 Forensic Hardening

Feature: Zero backup surface, no unnecessary permissions, and the SMS command channel protected against broadcast spoofing.
Implementation: android:allowBackup="false" and android:fullBackupContent="false" remove the app from all backup pipelines. SmsCommandReceiver requires android.permission.BROADCAST_SMS — held only by the system telephony stack.
Threat Mitigated: Backup extraction (`adb backup` pulls SharedPreferences without root) and broadcast spoofing (any app could trigger the SMS handler without the permission guard).

18 APK Tamper Detection

Feature: Hashes the live APK and Magisk module, verifies the signing certificate SHA-256, and alerts if any value changes from the stored baseline.
Implementation: TamperDetector reads the live APK path from PackageManager, computes SHA-256 via MessageDigest, and compares against a stored expected hash. The signing certificate is extracted via PackageInfo.signatures and compared separately.
Threat Mitigated: Supply chain attack. A modified APK that passes visual inspection would produce a different hash. A signing certificate mismatch indicates the APK was re-signed by a different party.

19 Developer Options Hardening

Feature: Disables ADB, revokes stored ADB keys, and locks developer options in a single operation.
Implementation: DeveloperOptionsHardener executes settings put global adb_enabled 0, rm -f /data/misc/adb/adb_keys, and settings put global development_settings_enabled 0 via root.
Threat Mitigated: ADB access is the primary vector for most Android forensic tools. Revoked ADB keys mean trusted computers must re-authenticate even if ADB is re-enabled.

20 Auto-Wipe Self-Destruct

Feature: After 5 consecutive failed PIN unlock attempts, the device performs a cryptographic factory reset including external storage.
Implementation: DevicePolicyManager.setMaximumFailedPasswordsForWipe(admin, 5) is set during Device Owner provisioning. Android enforces this at the system level. wipeData(WIPE_EXTERNAL_STORAGE) includes the SD card.
Threat Mitigated: Brute-force PIN attacks. Automated tools attempt thousands of PINs per minute without a wipe policy enforced at the system layer.

21 Unexpected Reboot Alert

Feature: Detects reboots not initiated by SentinelPrivacy and alerts the user with a high-priority notification on next unlock.
Implementation: RebootGuard.markIntentional() is called before any deliberate reboot. BootReceiver checks on BOOT_COMPLETED whether the last reboot was marked intentional. If not, UnexpectedRebootNotification fires a high-priority notification with a reboot counter.
Threat Mitigated: Covert reboot during seizure. Forensic jailbreaks require a device reboot. An unexpected reboot count of 1 or more when you regain the device is a strong indicator of tampering.

22 Direct Boot SMS Trigger

Feature: Send a pre-configured keyword via SMS to receive GPS coordinates and device status — works even before the PIN is entered after a reboot.
Implementation: A PBKDF2-SHA256 keyword hash (100k iterations, 32-byte salt) is stored in Device Protected Storage. SmsCommandReceiver is directBootAware=true. On match, abortBroadcast() hides the message, the SMS is deleted from the inbox, and a reply with GPS + status is sent.
Threat Mitigated: Post-reboot interception window. A device seized and rebooted for a jailbreak attempt still responds to owner commands before first unlock.
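Both the duress PIN gate (04) and the SMS keyword (22) rest on the same construction: a PBKDF2-SHA256 record with a per-secret salt, re-derived and compared in constant time. This added example (not the app's own code) models both gates in one place; the class names, the store layout and the "SWITCH_TO_DECOY"/"UNLOCK"/"DENY" actions are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def pbkdf2_record(secret, iterations, salt_len=32):
    """Build the stored record: random salt, iteration count, PBKDF2-SHA256 hash."""
    salt = os.urandom(salt_len)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def pbkdf2_matches(secret, record):
    """Re-derive with the stored salt/rounds and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

PIN_ITERATIONS = 310_000      # feature 04
SMS_ITERATIONS = 100_000      # feature 22

class UnlockGate:
    """Feature 04: the real gate hash and the duress hash live in separate
    stores (separate SharedPreferences files on the device)."""

    def __init__(self, real_pin, duress_pin):
        if real_pin == duress_pin:
            raise ValueError("duress PIN must differ from the real PIN")
        self.real_store = {"gate": pbkdf2_record(real_pin, PIN_ITERATIONS)}
        self.duress_store = {"gate": pbkdf2_record(duress_pin, PIN_ITERATIONS)}

    def attempt(self, pin):
        """Both records are always checked so a wrong PIN costs the same time
        as a right one; the return value is the action the gate takes."""
        is_duress = pbkdf2_matches(pin, self.duress_store["gate"])
        is_real = pbkdf2_matches(pin, self.real_store["gate"])
        if is_duress:
            return "SWITCH_TO_DECOY"   # device: am switch-user <decoy user id>
        if is_real:
            return "UNLOCK"
        return "DENY"

class SmsCommandGate:
    """Feature 22: same construction with 100k rounds and a 32-byte salt; the
    record sits in Device Protected Storage so it is readable before first unlock."""

    def __init__(self, keyword):
        self.record = pbkdf2_record(keyword, SMS_ITERATIONS, salt_len=32)

    def is_command(self, body):
        """True when the trimmed SMS body is the keyword, i.e. when the receiver
        would abortBroadcast(), delete the message and send the status reply.
        Matching is exact (case-sensitive) because only the hash is stored."""
        return pbkdf2_matches(body.strip(), self.record)
```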

Forensics & Audit

23 Signed Device Baseline

Feature: Captures a cryptographically signed snapshot of full device state — packages, USB config, ADB state, signing cert, boot state — comparable after a custody event.
Implementation: DeviceStateManager.createSignedBaseline() takes a full snapshot and signs it with CryptoStore.sign(). compareToBaseline() diffs across 8 scalar fields and 3 array sizes, reporting changes with confidence levels.
Threat Mitigated: Post-custody denial. Without a signed pre-custody baseline, there is no way to prove what changed on a device during seizure.
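A model of the baseline-and-compare flow, added here as an example rather than taken from the app: the snapshot is canonicalised, signed, verified before it is trusted, and diffed with exact comparison on scalar fields and size-only comparison on arrays. The field names, the HIGH/MEDIUM confidence mapping, and HMAC-SHA256 standing in for the Keystore-backed CryptoStore.sign() are all assumptions.

```python
import hashlib
import hmac
import json

# Assumed field names; the page says the diff covers 8 scalar fields and
# 3 array sizes but does not list them, so a representative subset is used.
SCALAR_FIELDS = ("usb_config", "adb_enabled", "signing_cert_sha256",
                 "bootloader_unlocked", "selinux_mode")
ARRAY_FIELDS = ("packages", "accounts", "adb_keys")

def canonical(snapshot):
    """Deterministic JSON so the signature covers exactly one byte string."""
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()

def sign_baseline(snapshot, key):
    """Stand-in for CryptoStore.sign(): HMAC-SHA256 under a key that, on the
    device, would be a non-exportable Keystore key rather than a raw secret."""
    tag = hmac.new(key, canonical(snapshot), hashlib.sha256).hexdigest()
    return {"snapshot": snapshot, "sig": tag}

def verify_baseline(signed, key):
    tag = hmac.new(key, canonical(signed["snapshot"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, signed["sig"])

def compare_to_baseline(signed, current, key):
    """Return findings as dicts with field, confidence and change. A baseline
    that fails verification is itself the finding: it proves nothing."""
    if not verify_baseline(signed, key):
        return [{"field": "baseline", "confidence": "HIGH",
                 "change": "signature invalid"}]
    base = signed["snapshot"]
    findings = []
    for f in SCALAR_FIELDS:           # exact value comparison
        if base.get(f) != current.get(f):
            findings.append({"field": f, "confidence": "HIGH",
                             "change": f"{base.get(f)!r} -> {current.get(f)!r}"})
    for f in ARRAY_FIELDS:            # size-only comparison, as on the page
        n0, n1 = len(base.get(f, [])), len(current.get(f, []))
        if n0 != n1:
            findings.append({"field": f, "confidence": "MEDIUM",
                             "change": f"count {n0} -> {n1}"})
    return findings

# Constructed snapshots: pre-custody baseline and the state seen after return.
PRE_CUSTODY = {
    "usb_config": "none", "adb_enabled": 0, "signing_cert_sha256": "ab" * 32,
    "bootloader_unlocked": False, "selinux_mode": "Enforcing",
    "packages": ["app.a", "app.b", "app.c"], "accounts": ["owner"], "adb_keys": [],
}
POST_CUSTODY = dict(PRE_CUSTODY, adb_enabled=1,
                    adb_keys=["ssh-rsa AAAA...constructed"],
                    packages=["app.a", "app.b", "app.x"])   # same count: not flagged
```

The constructed POST_CUSTODY state shows the limit of a size-only array diff: a package swapped for another of the same count is invisible to compareToBaseline(), while the new ADB key and the ADB toggle are reported.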

24 Privacy Posture Score

Feature: A 0–100 real-time score across 15+ security factors with specific recommended actions for each penalty.
Implementation: DeviceStateManager.privacyPostureReport() evaluates: APK integrity, ADB state, USB functions, bootloader state, SELinux mode, account count, package count, key security level (StrongBox/TEE/Software), USB lock state, BFU/AFU status, sensor locks, clipboard guard, and location exposure.
Threat Mitigated: Unknown exposure surface. Most device owners do not know their actual security posture. The score quantifies risk and produces actionable steps.

25 Custody Report

Feature: A signed, exportable report combining posture score, baseline comparison, tamper report, and surveillance scan results.
Implementation: DeviceStateManager.exportCustodyReport() assembles all components into a single JSON object, signs it with CryptoStore, and writes it to getFilesDir(). Class A biometric protection is available for the export.
Threat Mitigated: Post-custody documentation. A signed report with timestamps and a valid digital signature creates a verifiable record for legal or journalistic purposes.

26 Surveillance Scan

Feature: Scans for network taps, rogue WiFi access points, physical access indicators, and known spyware package signatures.
Implementation: NetworkTapDetector, WifiThreatDetector, PhysicalAccessDetector, and SpywareDetector each produce severity-rated findings (HIGH/MEDIUM/LOW). Results are persisted and summarized in the posture score.
Threat Mitigated: Passive surveillance infrastructure. Network taps and rogue WiFi are commonly deployed near border crossings. Known spyware packages can be detected by package name and signing certificate.

27 Travel Profile

Feature: Suspends a user-defined list of apps, kills USB and ADB, hardens notifications, and disables account sync in a single operation.
Implementation: DeviceStateManager.applyTravelProfile() executes ADB disable, ADB key revocation, USB kill, then loops over packages calling cmd package suspend per app. ContentResolver.setMasterSyncAutomatically(false) disables background sync.
Threat Mitigated: Excessive data exposure at the border. Every installed app and signed-in account increases the surface available to a device inspection.

Exit

28 Secure Decommission

Feature: An authenticated removal sequence that relinquishes Device Owner, restores all defaults, and self-removes — leaving no DPM restrictions or artifacts.
Implementation: LockdownManager.decommission() runs in strict order: restore USB to mtp,adb via root → unlock mic/camera/motion → clear DISALLOW_AIRPLANE_MODE + DISALLOW_CONFIG_MOBILE_NETWORKS + DISALLOW_SAFE_BOOT + DISALLOW_FACTORY_RESET + setKeyguardDisabledFeatures(NONE) → setUninstallBlocked(false) → clearDeviceOwnerApp() → pm uninstall via root. The UI requires typing "DECOMMISSION" verbatim.
Threat Mitigated: Irremovable malware profile. An app holding Device Owner with no removal path is structurally identical to enterprise stalkerware.

// Summary

#   Feature                      Group                    Primary Threat
1   Dual-Stage Red Button        Emergency Response       Biometric coercion + RAM forensics
2   Volume Button Duress         Emergency Response       Coercion under observation
3   Quick Settings Tile          Emergency Response       Observed duress scenarios
4   Duress PIN                   Emergency Response       Coerced PIN disclosure
5   Zero-Trust USB Kill          Physical Security        USB extraction tools
6   Dead-Man Faraday Defense     Physical Security        Faraday cage + delayed seizure
7   Airplane Snap-Back           Physical Security        Radio isolation before extraction
8   Shutdown Vault Seal          Physical Security        Post-shutdown key extraction
9   Decoy User Profile           Coercion & Decoy         Compelled device inspection
10  Sensor Lockdown              Coercion & Decoy         Passive surveillance
11  Encrypted Vault              Data Protection          Hardware-extracted data
12  Encrypted Notes              Data Protection          Plaintext forensic extraction
13  Clipboard Guard              Data Protection          Clipboard exfiltration
14  Metadata Scrubber            Data Protection          Location via EXIF
15  Location Kill Switch         Data Protection          Passive location tracking
16  App Immortality              Hardening & Anti-Tamper  Trivial removal
17  Forensic Hardening           Hardening & Anti-Tamper  Backup extraction + broadcast spoofing
18  APK Tamper Detection         Hardening & Anti-Tamper  Supply chain attack
19  Developer Options Hardening  Hardening & Anti-Tamper  ADB forensic access
20  Auto-Wipe Self-Destruct      Hardening & Anti-Tamper  Brute-force PIN attacks
21  Unexpected Reboot Alert      Hardening & Anti-Tamper  Covert reboot during seizure
22  Direct Boot SMS Trigger      Hardening & Anti-Tamper  Post-reboot interception window
23  Signed Device Baseline       Forensics & Audit        Post-custody denial
24  Privacy Posture Score        Forensics & Audit        Unknown exposure surface
25  Custody Report               Forensics & Audit        Post-custody documentation
26  Surveillance Scan            Forensics & Audit        Passive surveillance infrastructure
27  Travel Profile               Forensics & Audit        Data surface at border
28  Secure Decommission          Exit                     Irremovable DPM artifacts