SentinelPrivacy

Security Architecture Changelog

v1.0.9 · Reliability & Lockdown Hardening
SentinelPrivacy is an open-source, rooted Android security application for high-risk individuals. Every feature listed below was built in response to a documented threat vector. Nothing here is cosmetic.

v1.0.9 — Reliability & Lockdown Hardening

Released May 28, 2026

This release fixes a real reliability gap in the USB lockdown and tightens several safety behaviors so the protections hold up the way users expect — especially across restarts. No new attack surface; just the existing defenses doing what they were already supposed to do.

01USB stays locked even after a forced restart

Before, if someone cut power or forced a hard reboot while the phone was locked down, the USB data block could come back to life on restart. Now the USB lockdown is re-applied automatically every time the phone boots, so a reboot no longer reopens the door. An attacker can't just pull the battery or force a restart to get USB access back.

Show technical details
The persistent USB defense now runs from the Magisk module's boot daemon (udc_bfu_lockdown.sh), which reads a state file dropped by the app at lockdown and re-severs the USB data pipeline on every boot — re-applying sys.usb.config none / persist.sys.usb.config none and forcing the USB-C port into device/sink mode to block BadUSB host attacks. This release fixed the app/script coordination and rebuilt the Magisk module so the boot-time re-arm actually fires. Runtime-only kills (property writes, UDC unbind) are still used for the instant cut, but persistence no longer depends on them.

02Safe Shutdown — power off on purpose without triggering the seal

You can now deliberately power the phone off without it treating the shutdown as an attack. A normal power-off used to look identical to a tamper event.

Show technical details
A clearly labeled Safe Shutdown control marks the shutdown as intentional (RebootGuard.markIntentional()) before powering off. The unexpected-shutdown seal path (key destruction + hardening) is unchanged for any shutdown not marked intentional.

03Factory wipe now requires confirmation

The "wipe everything" action no longer fires from a single tap — you have to type WIPE to confirm. It's still only available when the app is set as the device owner.

Show technical details
The Device-Owner-gated wipeData call is now behind a typed-confirmation control, preventing an accidental irreversible reset.

04Quieter under the hood (no trace leaks in the SMS path)

On a rooted phone the system log can be read, and older builds left small traces showing when an emergency keyword was matched. Release builds now stay silent.

Show technical details
All diagnostic SMS logging is gated behind BuildConfig.DEBUG and the explicit match marker was removed entirely, so release builds emit nothing on the SMS command path.

05Stability and cleanup

Removed unused and duplicated code, fixed a clearing bug in the duress PIN, and added a crash guard so the emergency SMS receiver can't fail at the worst moment.

Show technical details
DuressPinManager.clear() now fully tears down duress-active state and marker files; removed a dead report-to-sender path and a stale duplicate source tree; added a PowerManager null guard in the SMS receiver.

This release was built from clean source and tested on a real OnePlus 12R running the latest available OS version. Testing was on that one device/OS combination; behavior on other phones or Android versions isn't guaranteed.

Full feature list — v1.0.9

Every feature the app has ever had, tagged with its status for this release.

New in 1.0.9 · 2

NewSafe ShutdownPower the phone off intentionally without triggering the lockdown seal.
NewWipe confirmationThe factory-wipe action now requires typing WIPE before it runs.

Updated in 1.0.9 · 4

UpdatedUSB lockdown / BFU USB defenseNow stays enforced across restarts via the boot-time daemon — the headline fix.
UpdatedDuress PIN / decoy profileClearing the duress PIN now fully resets all hidden duress state.
UpdatedEmergency SMS commandsRelease builds no longer leak diagnostic traces; added a crash guard.
UpdatedMagisk moduleRebuilt and version-matched to the app so boot-time defenses deploy correctly.

Unchanged (working as before) · 14

UnchangedInstant lockdownOne action locks the screen (credential required, biometrics disabled), kills USB data, and locks airplane mode off so emergency SMS can still send.
UnchangedDuress decoy user switchingEntering the duress PIN switches the phone to a clean decoy profile and hides the real data.
UnchangedPre-shutdown vault sealAn unexpected shutdown destroys the encryption keys and hardens the device before power cuts.
UnchangedEncryption-key destructionRenders the protected vault permanently unreadable when triggered.
UnchangedBoot-mode detectionBooting into recovery or fastboot triggers maximum lockdown.
UnchangedFailed-password auto-wipeOptional factory wipe after repeated wrong lock-screen PINs. Verify the device-owner admin binding on the target device.
UnchangedMicrophone / camera / motion-sensor locksDisable sensors on demand; restored automatically after reboot.
UnchangedNetwork watchdogsDead-man network monitoring and baseband-downgrade detection, restarted on boot.
UnchangedPhysical / kinetic monitoringDetects snatch-and-grab style physical events.
UnchangedEncrypted notes & vaultProtected on-device storage.
UnchangedLocation reportingIncludes coordinates in emergency telemetry.
UnchangedTamper / integrity checks & baseline custodyDetects changes to the app and module.
UnchangedSecurity-key (FIDO2) restoreHardware security key as a recovery path.
UnchangedQuick Settings duress tile & volume-button duressFast ways to trigger duress.

Previous release — v1.0.8 architecture

The 28 hardening controls shipped in v1.0.8, grouped by purpose. Each maps to a documented threat vector.

Emergency Response

01Dual-Stage Red Button

FeatureSingle tap: immediate biometric killswitch and full sensor blackout. Long press: activates lockdown then reboots into Before First Unlock state.
ImplementationLockdownManager.activate() calls setKeyguardDisabledFeatures(KEYGUARD_DISABLE_BIOMETRICS | KEYGUARD_DISABLE_TRUST_AGENTS) then lockNow(). SensorLockManager disables mic, camera, and motion sensors. Long press runs activate() first, then RootShell.run("reboot").
Threat MitigatedBiometric coercion (single tap) — fingerprint can be compelled by force; PIN/password cannot. RAM forensics (long press) — BFU reboot purges all decrypted key material from memory before any imaging tool can reach it.

02Volume Button Duress

FeatureHolding both volume buttons simultaneously for 3 seconds triggers full lockdown silently, from any screen, without opening the app.
ImplementationVolumeButtonDuressService runs as a foreground service intercepting VOLUME_CHANGED_ACTION broadcasts. When both up and down volume changes are detected within the same 3-second window via Handler polling, LockdownManager.activate() is called.
Threat MitigatedCoercion under observation. An attacker watching the screen sees nothing — no app opens, no UI change. The lockdown is indistinguishable from accidentally adjusting volume.

03Quick Settings Tile

FeatureA tile labeled "Privacy" in the notification shade provides one-tap duress response accessible directly from the lock screen.
ImplementationDuressTileService extends TileService. On tap, it switches Android to the decoy user via UserSwitcherHardener. The tile label is deliberately generic to avoid drawing attention.
Threat MitigatedObserved duress scenarios. When a device owner is under observation and cannot reach the app, a swipe-down from the lock screen reaches the tile in under 2 seconds.

04Duress PIN

FeatureA second PIN at the app unlock screen that appears to authenticate successfully but silently switches the device to the decoy user profile.
ImplementationDuressPinManager stores the duress PIN as PBKDF2-SHA256 (310,000 iterations) in a separate SharedPreferences file from the real gate hash. On match, am switch-user is called via root to the pre-seeded decoy user ID.
Threat MitigatedCoerced PIN disclosure. Under legal or physical pressure, disclosing the duress PIN appears to comply while exposing only the decoy profile — no real data is accessible.

Physical Security

05Zero-Trust USB Kill

FeatureUSB data access is eliminated the instant a cable is inserted while the device screen is locked.
ImplementationUsbPlugReceiver intercepts USB_STATE and ACTION_POWER_CONNECTED broadcasts. Three commands execute: setprop sys.usb.config none (volatile), setprop persist.sys.usb.config none (persistent), svc usb setFunctions none (runtime). All three layers are required.
Threat MitigatedPhysical extraction via USB. Forensic tools (Cellebrite, GrayKey) require USB data negotiation. This closes the port before any handshake occurs.

06Dead-Man Faraday Defense

FeatureIf the device loses all network connectivity for more than 5 minutes, it automatically initiates full lockdown.
ImplementationAlarmManager.setExactAndAllowWhileIdle(RTC_WAKEUP) schedules a Doze-resistant watchdog every 5 minutes. LockdownAlarmReceiver fires on expiry and calls LockdownManager.activate() if network is still dead.
Threat MitigatedFaraday cage seizure. An adversary who places the device in a signal-blocking bag triggers automatic lockdown after 5 minutes. The device protects itself when it cannot call home.

07Airplane Snap-Back

FeatureIf airplane mode is enabled by anyone — through Settings, ADB, or physical buttons — the device immediately reverses the change during lockdown.
ImplementationAirplaneModeWatcher listens on android.intent.action.AIRPLANE_MODE. When fired during active lockdown, root commands immediately reverse the state. DevicePolicyManager.addUserRestriction(DISALLOW_AIRPLANE_MODE) applies a concurrent policy-layer block.
Threat MitigatedRadio isolation before extraction. First responders frequently enable airplane mode to prevent remote wipe before forensic imaging. This keeps radios active so the owner can issue remote commands.

08Shutdown Vault Seal

FeatureOn any shutdown not initiated by SentinelPrivacy, the app destroys Keystore-backed encryption keys in the seconds before power cuts.
ImplementationShutdownReceiver intercepts ACTION_SHUTDOWN at priority 999. goAsync() extends the window past 10 seconds. RebootGuard.isIntentional() distinguishes deliberate reboots from seizure-triggered shutdowns. On unexpected shutdown, KeyDestroyer wipes all app Keystore keys.
Threat MitigatedPost-shutdown key extraction. A powered-off device with intact keys can be imaged and decrypted offline. Destroyed keys render the encrypted storage permanently inaccessible.

Coercion & Decoy

09Decoy User Profile

FeatureAn isolated Android user seeded with realistic lived-in content — contacts, messages, browsing history — that an adversary sees instead of real data.
ImplementationDecoyUserSeeder creates a secondary Android user via pm create-user and populates it with synthetic content. UserSwitcherHardener locks user-switcher settings during lockdown to prevent switching back without the real PIN.
Threat MitigatedCompelled device inspection. When an adversary is shown the device and it appears normal and lived-in, there is no immediate indication a decoy is active.

10Sensor Lockdown

FeatureMicrophone, camera, and motion sensors can be individually or collectively disabled via Device Policy Manager restrictions.
ImplementationSensorLockManager calls DevicePolicyManager sensor restriction APIs independently for microphone, camera, and motion sensors. Lockdown activation enables all three automatically.
Threat MitigatedPassive surveillance. A device in adversary hands with sensors active can record audio and capture images. DPM-level restrictions cannot be bypassed by any user-space app.

Data Protection

11Encrypted Vault

FeatureAES-256-GCM encrypted file storage with hardware-backed keys. Biometric authentication gates Class A (strongest) protection level.
ImplementationCryptoStore generates keys in StrongBox (preferred) or TEE via Android Keystore. DataProtectionManager implements Class A protection using BiometricPrompt.CryptoObject — keys only accessible within an active biometric session.
Threat MitigatedData extraction without authentication. Hardware-backed keys cannot be exported or used without the device unlocked by the legitimate owner.

12Encrypted Notes

FeatureA secure notes interface where content is encrypted at rest using AES-256-GCM before being written to storage.
ImplementationEncryptedNotesManager encrypts note content via CryptoStore before any write to getFilesDir(). Notes are never written in plaintext.
Threat MitigatedNotes are a high-value forensic target. Plaintext notes in app storage are trivially extracted via root or backup. Encrypted notes yield only ciphertext.

13Clipboard Guard

FeatureMonitors the system clipboard and automatically clears it after 60 seconds. Logs all clipboard activity to the audit log.
ImplementationClipboardGuard registers a ClipboardManager.OnPrimaryClipChangedListener. On each change, a Handler posts a delayed clear at 60 seconds.
Threat MitigatedClipboard exfiltration. Copied passwords and sensitive text persist indefinitely by default. Any app with clipboard access can read them silently.

14Metadata Scrubber

FeatureStrips GPS coordinates, timestamps, device model, and 14 other EXIF fields from photos before they leave the device.
ImplementationMetadataScrubber uses ExifInterface to zero out TAG_GPS_LATITUDE, TAG_GPS_LONGITUDE, TAG_GPS_ALTITUDE, TAG_MAKE, TAG_MODEL, TAG_SOFTWARE, TAG_DATETIME, TAG_ARTIST, TAG_COPYRIGHT, and additional fields.
Threat MitigatedLocation disclosure via image metadata. EXIF GPS data reveals home address, workplace, and travel routes to anyone who receives the image.

15Location Kill Switch

FeatureRevokes location access for all installed apps in a single operation without disabling GPS at the system level.
ImplementationPrivacyLocationManager calls pm revoke <package> android.permission.ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION via root for each installed package.
Threat MitigatedPassive location tracking. Apps with background location permission report position continuously. A single kill stops all of them without a reboot.

Hardening & Anti-Tamper

16App Immortality

FeatureSentinelPrivacy cannot be uninstalled from Settings, safe mode cannot disable it, and factory reset is blocked — all at the Device Policy Manager layer.
ImplementationLockdownManager.enforceImmortal() calls dpm.setUninstallBlocked(true) on every launch. Lockdown adds DISALLOW_SAFE_BOOT and DISALLOW_FACTORY_RESET via dpm.addUserRestriction(). Enforced by the Android framework, not the app process.
Threat MitigatedTrivial removal. Safe mode disables third-party apps on boot. Factory reset wipes the app and its audit log. All three surfaces are closed.

17Forensic Hardening

FeatureZero backup surface, no unnecessary permissions, and the SMS command channel protected against broadcast spoofing.
Implementationandroid:allowBackup="false" and android:fullBackupContent="false" remove the app from all backup pipelines. SmsCommandReceiver requires android.permission.BROADCAST_SMS — held only by the system telephony stack.
Threat MitigatedBackup extraction (`adb backup` pulls SharedPreferences without root), broadcast spoofing (any app could trigger the SMS handler without the permission guard).

18APK Tamper Detection

FeatureHashes the live APK and Magisk module, verifies the signing certificate SHA-256, and alerts if any value changes from the stored baseline.
ImplementationTamperDetector reads the live APK path from PackageManager, computes SHA-256 via MessageDigest, and compares against a stored expected hash. Signing certificate extracted via PackageInfo.signatures and compared separately.
Threat MitigatedSupply chain attack. A modified APK that passes visual inspection would produce a different hash. A signing certificate mismatch indicates the APK was re-signed by a different party.

19Developer Options Hardening

FeatureDisables ADB, revokes stored ADB keys, and locks developer options in a single operation.
ImplementationDeveloperOptionsHardener executes: settings put global adb_enabled 0, rm -f /data/misc/adb/adb_keys, and settings put global development_settings_enabled 0 via root.
Threat MitigatedADB access is the primary vector for most Android forensic tools. Revoked ADB keys mean trusted computers must re-authenticate even if ADB is re-enabled.

20Auto-Wipe Self-Destruct

FeatureAfter 5 consecutive failed PIN unlock attempts, the device performs a cryptographic factory reset including external storage.
ImplementationDevicePolicyManager.setMaximumFailedPasswordsForWipe(admin, 5) set during Device Owner provisioning. Android enforces this at the system level. wipeData(WIPE_EXTERNAL_STORAGE) includes SD card.
Threat MitigatedBrute-force PIN attacks. Automated tools attempt thousands of PINs per minute without a wipe policy enforced at the system layer.

21Unexpected Reboot Alert

FeatureDetects reboots not initiated by SentinelPrivacy and alerts the user with a high-priority notification on next unlock.
ImplementationRebootGuard.markIntentional() is called before any deliberate reboot. BootReceiver checks on BOOT_COMPLETED whether the last reboot was marked intentional. UnexpectedRebootNotification fires a high-priority notification with a reboot counter if not.
Threat MitigatedCovert reboot during seizure. Forensic jailbreaks require a device reboot. An unexpected reboot count of 1 or more when you regain the device is a strong indicator of tampering.

22Direct Boot SMS Trigger

FeatureSend a pre-configured keyword via SMS to receive GPS coordinates and device status — works even before the PIN is entered after a reboot.
ImplementationPBKDF2-SHA256 keyword hash (100k iterations, 32-byte salt) stored in Device Protected Storage. SmsCommandReceiver is directBootAware=true. On match, abortBroadcast() hides the message, the SMS is deleted from inbox, and a reply with GPS + status is sent.
Threat MitigatedPost-reboot interception window. A device seized and rebooted for a jailbreak attempt still responds to owner commands before first unlock.

Forensics & Audit

23Signed Device Baseline

FeatureCaptures a cryptographically signed snapshot of full device state — packages, USB config, ADB state, signing cert, boot state — comparable after a custody event.
ImplementationDeviceStateManager.createSignedBaseline() takes a full snapshot and signs it with CryptoStore.sign(). compareToBaseline() diffs across 8 scalar fields and 3 array sizes, reporting changes with confidence levels.
Threat MitigatedPost-custody denial. Without a signed pre-custody baseline, there is no way to prove what changed on a device during seizure.

24Privacy Posture Score

FeatureA 0–100 real-time score across 15+ security factors with specific recommended actions for each penalty.
ImplementationDeviceStateManager.privacyPostureReport() evaluates: APK integrity, ADB state, USB functions, bootloader state, SELinux mode, account count, package count, key security level (StrongBox/TEE/Software), USB lock state, BFU/AFU status, sensor locks, clipboard guard, and location exposure.
Threat MitigatedUnknown exposure surface. Most device owners do not know their actual security posture. The score quantifies risk and produces actionable steps.

25Custody Report

FeatureA signed, exportable report combining posture score, baseline comparison, tamper report, and surveillance scan results.
ImplementationDeviceStateManager.exportCustodyReport() assembles all components into a single JSON object, signs it with CryptoStore, and writes to getFilesDir(). Class A biometric protection available for the export.
Threat MitigatedPost-custody documentation. A signed report with timestamps and a valid digital signature creates a verifiable record for legal or journalistic purposes.

26Surveillance Scan

FeatureScans for network taps, rogue WiFi access points, physical access indicators, and known spyware package signatures.
ImplementationNetworkTapDetector, WifiThreatDetector, PhysicalAccessDetector, and SpywareDetector each produce severity-rated findings (HIGH/MEDIUM/LOW). Results are persisted and summarized in the posture score.
Threat MitigatedPassive surveillance infrastructure. Network taps and rogue WiFi are commonly deployed near border crossings. Known spyware packages can be detected by package name and signing certificate.

27Travel Profile

FeatureSuspends a user-defined list of apps, kills USB and ADB, hardens notifications, and disables account sync in a single operation.
ImplementationDeviceStateManager.applyTravelProfile() executes ADB disable, ADB key revocation, USB kill, then loops over packages calling cmd package suspend per app. ContentResolver.setMasterSyncAutomatically(false) disables background sync.
Threat MitigatedExcessive data exposure at border. Every installed app and signed-in account increases the surface available to a device inspection.

Exit

28Secure Decommission

FeatureAn authenticated removal sequence that relinquishes Device Owner, restores all defaults, and self-removes — leaving no DPM restrictions or artifacts.
ImplementationLockdownManager.decommission() in strict order: restore USB to mtp,adb via root → unlock mic/camera/motion → clear DISALLOW_AIRPLANE_MODE + DISALLOW_CONFIG_MOBILE_NETWORKS + DISALLOW_SAFE_BOOT + DISALLOW_FACTORY_RESET + setKeyguardDisabledFeatures(NONE)setUninstallBlocked(false)clearDeviceOwnerApp()pm uninstall via root. UI requires typing "DECOMMISSION" verbatim.
Threat MitigatedIrremovable malware profile. An app holding Device Owner with no removal path is structurally identical to enterprise stalkerware.

// Summary

#FeatureGroupPrimary Threat
1Dual-Stage Red ButtonEmergency ResponseBiometric coercion + RAM forensics
2Volume Button DuressEmergency ResponseCoercion under observation
3Quick Settings TileEmergency ResponseObserved duress scenarios
4Duress PINEmergency ResponseCoerced PIN disclosure
5Zero-Trust USB KillPhysical SecurityUSB extraction tools
6Dead-Man Faraday DefensePhysical SecurityFaraday cage + delayed seizure
7Airplane Snap-BackPhysical SecurityRadio isolation before extraction
8Shutdown Vault SealPhysical SecurityPost-shutdown key extraction
9Decoy User ProfileCoercion & DecoyCompelled device inspection
10Sensor LockdownCoercion & DecoyPassive surveillance
11Encrypted VaultData ProtectionHardware-extracted data
12Encrypted NotesData ProtectionPlaintext forensic extraction
13Clipboard GuardData ProtectionClipboard exfiltration
14Metadata ScrubberData ProtectionLocation via EXIF
15Location Kill SwitchData ProtectionPassive location tracking
16App ImmortalityHardening & Anti-TamperTrivial removal
17Forensic HardeningHardening & Anti-TamperBackup extraction + broadcast spoofing
18APK Tamper DetectionHardening & Anti-TamperSupply chain attack
19Developer Options HardeningHardening & Anti-TamperADB forensic access
20Auto-Wipe Self-DestructHardening & Anti-TamperBrute-force PIN attacks
21Unexpected Reboot AlertHardening & Anti-TamperCovert reboot during seizure
22Direct Boot SMS TriggerHardening & Anti-TamperPost-reboot interception window
23Signed Device BaselineForensics & AuditPost-custody denial
24Privacy Posture ScoreForensics & AuditUnknown exposure surface
25Custody ReportForensics & AuditPost-custody documentation
26Surveillance ScanForensics & AuditPassive surveillance infrastructure
27Travel ProfileForensics & AuditData surface at border
28Secure DecommissionExitIrremovable DPM artifacts