v1.0.9 — Reliability & Lockdown Hardening
Released May 28, 2026
This release fixes a real reliability gap in the USB lockdown and tightens several safety behaviors so the protections hold up the way users expect — especially across restarts. No new attack surface; just the existing defenses doing what they were already supposed to do.
01USB stays locked even after a forced restart
Before, if someone cut power or forced a hard reboot while the phone was locked down, the USB data block could come back to life on restart. Now the USB lockdown is re-applied automatically every time the phone boots, so a reboot no longer reopens the door. An attacker can't just pull the battery or force a restart to get USB access back.
Show technical details
udc_bfu_lockdown.sh), which reads a state file dropped by the app at lockdown and re-severs the USB data pipeline on every boot — re-applying sys.usb.config none / persist.sys.usb.config none and forcing the USB-C port into device/sink mode to block BadUSB host attacks. This release fixed the app/script coordination and rebuilt the Magisk module so the boot-time re-arm actually fires. Runtime-only kills (property writes, UDC unbind) are still used for the instant cut, but persistence no longer depends on them.02Safe Shutdown — power off on purpose without triggering the seal
You can now deliberately power the phone off without it treating the shutdown as an attack. A normal power-off used to look identical to a tamper event.
Show technical details
RebootGuard.markIntentional()) before powering off. The unexpected-shutdown seal path (key destruction + hardening) is unchanged for any shutdown not marked intentional.03Factory wipe now requires confirmation
The "wipe everything" action no longer fires from a single tap — you have to type WIPE to confirm. It's still only available when the app is set as the device owner.
Show technical details
wipeData call is now behind a typed-confirmation control, preventing an accidental irreversible reset.04Quieter under the hood (no trace leaks in the SMS path)
On a rooted phone the system log can be read, and older builds left small traces showing when an emergency keyword was matched. Release builds now stay silent.
Show technical details
BuildConfig.DEBUG and the explicit match marker was removed entirely, so release builds emit nothing on the SMS command path.05Stability and cleanup
Removed unused and duplicated code, fixed a clearing bug in the duress PIN, and added a crash guard so the emergency SMS receiver can't fail at the worst moment.
Show technical details
DuressPinManager.clear() now fully tears down duress-active state and marker files; removed a dead report-to-sender path and a stale duplicate source tree; added a PowerManager null guard in the SMS receiver.This release was built from clean source and tested on a real OnePlus 12R running the latest available OS version. Testing was on that one device/OS combination; behavior on other phones or Android versions isn't guaranteed.
Full feature list — v1.0.9
Every feature the app has ever had, tagged with its status for this release.
New in 1.0.9 · 2
Updated in 1.0.9 · 4
Unchanged (working as before) · 14
Previous release — v1.0.8 architecture
The 28 hardening controls shipped in v1.0.8, grouped by purpose. Each maps to a documented threat vector.
Emergency Response
01Dual-Stage Red Button
LockdownManager.activate() calls setKeyguardDisabledFeatures(KEYGUARD_DISABLE_BIOMETRICS | KEYGUARD_DISABLE_TRUST_AGENTS) then lockNow(). SensorLockManager disables mic, camera, and motion sensors. Long press runs activate() first, then RootShell.run("reboot").02Volume Button Duress
VolumeButtonDuressService runs as a foreground service intercepting VOLUME_CHANGED_ACTION broadcasts. When both up and down volume changes are detected within the same 3-second window via Handler polling, LockdownManager.activate() is called.03Quick Settings Tile
DuressTileService extends TileService. On tap, it switches Android to the decoy user via UserSwitcherHardener. The tile label is deliberately generic to avoid drawing attention.04Duress PIN
DuressPinManager stores the duress PIN as PBKDF2-SHA256 (310,000 iterations) in a separate SharedPreferences file from the real gate hash. On match, am switch-user is called via root to the pre-seeded decoy user ID.Physical Security
05Zero-Trust USB Kill
UsbPlugReceiver intercepts USB_STATE and ACTION_POWER_CONNECTED broadcasts. Three commands execute: setprop sys.usb.config none (volatile), setprop persist.sys.usb.config none (persistent), svc usb setFunctions none (runtime). All three layers are required.06Dead-Man Faraday Defense
AlarmManager.setExactAndAllowWhileIdle(RTC_WAKEUP) schedules a Doze-resistant watchdog every 5 minutes. LockdownAlarmReceiver fires on expiry and calls LockdownManager.activate() if network is still dead.07Airplane Snap-Back
AirplaneModeWatcher listens on android.intent.action.AIRPLANE_MODE. When fired during active lockdown, root commands immediately reverse the state. DevicePolicyManager.addUserRestriction(DISALLOW_AIRPLANE_MODE) applies a concurrent policy-layer block.08Shutdown Vault Seal
ShutdownReceiver intercepts ACTION_SHUTDOWN at priority 999. goAsync() extends the window past 10 seconds. RebootGuard.isIntentional() distinguishes deliberate reboots from seizure-triggered shutdowns. On unexpected shutdown, KeyDestroyer wipes all app Keystore keys.Coercion & Decoy
09Decoy User Profile
DecoyUserSeeder creates a secondary Android user via pm create-user and populates it with synthetic content. UserSwitcherHardener locks user-switcher settings during lockdown to prevent switching back without the real PIN.10Sensor Lockdown
SensorLockManager calls DevicePolicyManager sensor restriction APIs independently for microphone, camera, and motion sensors. Lockdown activation enables all three automatically.Data Protection
11Encrypted Vault
CryptoStore generates keys in StrongBox (preferred) or TEE via Android Keystore. DataProtectionManager implements Class A protection using BiometricPrompt.CryptoObject — keys only accessible within an active biometric session.12Encrypted Notes
EncryptedNotesManager encrypts note content via CryptoStore before any write to getFilesDir(). Notes are never written in plaintext.13Clipboard Guard
ClipboardGuard registers a ClipboardManager.OnPrimaryClipChangedListener. On each change, a Handler posts a delayed clear at 60 seconds.14Metadata Scrubber
MetadataScrubber uses ExifInterface to zero out TAG_GPS_LATITUDE, TAG_GPS_LONGITUDE, TAG_GPS_ALTITUDE, TAG_MAKE, TAG_MODEL, TAG_SOFTWARE, TAG_DATETIME, TAG_ARTIST, TAG_COPYRIGHT, and additional fields.15Location Kill Switch
PrivacyLocationManager calls pm revoke <package> android.permission.ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION via root for each installed package.Hardening & Anti-Tamper
16App Immortality
LockdownManager.enforceImmortal() calls dpm.setUninstallBlocked(true) on every launch. Lockdown adds DISALLOW_SAFE_BOOT and DISALLOW_FACTORY_RESET via dpm.addUserRestriction(). Enforced by the Android framework, not the app process.17Forensic Hardening
android:allowBackup="false" and android:fullBackupContent="false" remove the app from all backup pipelines. SmsCommandReceiver requires android.permission.BROADCAST_SMS — held only by the system telephony stack.18APK Tamper Detection
TamperDetector reads the live APK path from PackageManager, computes SHA-256 via MessageDigest, and compares against a stored expected hash. Signing certificate extracted via PackageInfo.signatures and compared separately.19Developer Options Hardening
DeveloperOptionsHardener executes: settings put global adb_enabled 0, rm -f /data/misc/adb/adb_keys, and settings put global development_settings_enabled 0 via root.20Auto-Wipe Self-Destruct
DevicePolicyManager.setMaximumFailedPasswordsForWipe(admin, 5) set during Device Owner provisioning. Android enforces this at the system level. wipeData(WIPE_EXTERNAL_STORAGE) includes SD card.21Unexpected Reboot Alert
RebootGuard.markIntentional() is called before any deliberate reboot. BootReceiver checks on BOOT_COMPLETED whether the last reboot was marked intentional. UnexpectedRebootNotification fires a high-priority notification with a reboot counter if not.22Direct Boot SMS Trigger
SmsCommandReceiver is directBootAware=true. On match, abortBroadcast() hides the message, the SMS is deleted from inbox, and a reply with GPS + status is sent.Forensics & Audit
23Signed Device Baseline
DeviceStateManager.createSignedBaseline() takes a full snapshot and signs it with CryptoStore.sign(). compareToBaseline() diffs across 8 scalar fields and 3 array sizes, reporting changes with confidence levels.24Privacy Posture Score
DeviceStateManager.privacyPostureReport() evaluates: APK integrity, ADB state, USB functions, bootloader state, SELinux mode, account count, package count, key security level (StrongBox/TEE/Software), USB lock state, BFU/AFU status, sensor locks, clipboard guard, and location exposure.25Custody Report
DeviceStateManager.exportCustodyReport() assembles all components into a single JSON object, signs it with CryptoStore, and writes to getFilesDir(). Class A biometric protection available for the export.26Surveillance Scan
NetworkTapDetector, WifiThreatDetector, PhysicalAccessDetector, and SpywareDetector each produce severity-rated findings (HIGH/MEDIUM/LOW). Results are persisted and summarized in the posture score.27Travel Profile
DeviceStateManager.applyTravelProfile() executes ADB disable, ADB key revocation, USB kill, then loops over packages calling cmd package suspend per app. ContentResolver.setMasterSyncAutomatically(false) disables background sync.Exit
28Secure Decommission
LockdownManager.decommission() in strict order: restore USB to mtp,adb via root → unlock mic/camera/motion → clear DISALLOW_AIRPLANE_MODE + DISALLOW_CONFIG_MOBILE_NETWORKS + DISALLOW_SAFE_BOOT + DISALLOW_FACTORY_RESET + setKeyguardDisabledFeatures(NONE) → setUninstallBlocked(false) → clearDeviceOwnerApp() → pm uninstall via root. UI requires typing "DECOMMISSION" verbatim.// Summary
| # | Feature | Group | Primary Threat |
|---|---|---|---|
| 1 | Dual-Stage Red Button | Emergency Response | Biometric coercion + RAM forensics |
| 2 | Volume Button Duress | Emergency Response | Coercion under observation |
| 3 | Quick Settings Tile | Emergency Response | Observed duress scenarios |
| 4 | Duress PIN | Emergency Response | Coerced PIN disclosure |
| 5 | Zero-Trust USB Kill | Physical Security | USB extraction tools |
| 6 | Dead-Man Faraday Defense | Physical Security | Faraday cage + delayed seizure |
| 7 | Airplane Snap-Back | Physical Security | Radio isolation before extraction |
| 8 | Shutdown Vault Seal | Physical Security | Post-shutdown key extraction |
| 9 | Decoy User Profile | Coercion & Decoy | Compelled device inspection |
| 10 | Sensor Lockdown | Coercion & Decoy | Passive surveillance |
| 11 | Encrypted Vault | Data Protection | Hardware-extracted data |
| 12 | Encrypted Notes | Data Protection | Plaintext forensic extraction |
| 13 | Clipboard Guard | Data Protection | Clipboard exfiltration |
| 14 | Metadata Scrubber | Data Protection | Location via EXIF |
| 15 | Location Kill Switch | Data Protection | Passive location tracking |
| 16 | App Immortality | Hardening & Anti-Tamper | Trivial removal |
| 17 | Forensic Hardening | Hardening & Anti-Tamper | Backup extraction + broadcast spoofing |
| 18 | APK Tamper Detection | Hardening & Anti-Tamper | Supply chain attack |
| 19 | Developer Options Hardening | Hardening & Anti-Tamper | ADB forensic access |
| 20 | Auto-Wipe Self-Destruct | Hardening & Anti-Tamper | Brute-force PIN attacks |
| 21 | Unexpected Reboot Alert | Hardening & Anti-Tamper | Covert reboot during seizure |
| 22 | Direct Boot SMS Trigger | Hardening & Anti-Tamper | Post-reboot interception window |
| 23 | Signed Device Baseline | Forensics & Audit | Post-custody denial |
| 24 | Privacy Posture Score | Forensics & Audit | Unknown exposure surface |
| 25 | Custody Report | Forensics & Audit | Post-custody documentation |
| 26 | Surveillance Scan | Forensics & Audit | Passive surveillance infrastructure |
| 27 | Travel Profile | Forensics & Audit | Data surface at border |
| 28 | Secure Decommission | Exit | Irremovable DPM artifacts |