Hardware-level Android security for high-risk individuals.
SentinelPrivacy is an open-source, rooted Android application that hardens a device against physical seizure, forensic extraction, and coerced access. Every control is implemented at the lowest accessible layer — root shell, Device Policy Manager, or system broadcast — with no middleware, no cloud dependency, and no telemetry.
Security software that you cannot inspect is not security software — it is a promise. Publishing this code means you can verify every claim made about it. You can confirm what data is collected (none), what network calls are made (none), and exactly what happens when you press each button. If you find something wrong, you can say so publicly.
| Feature | How |
|---|---|
| Dual-Stage Red Button | Single tap: biometric killswitch + full sensor blackout. Long press: activates lockdown then BFU reboot |
| Volume Button Duress | Hold both volume buttons simultaneously for 3 seconds — triggers lockdown silently from any screen |
| Quick Settings Tile | "Privacy" tile in the notification shade; accessible from the lock screen; one tap switches to decoy user |
| Duress PIN | A separate PIN at the app unlock screen that appears to work normally but silently switches Android to the decoy user profile |
| Feature | How |
|---|---|
| Zero-Trust USB Kill | Three-layer block on cable connect: setprop sys.usb.config none (volatile) + persistent + svc usb setFunctions none |
| Dead-Man Faraday Defense | AlarmManager.setExactAndAllowWhileIdle watchdog triggers full lockdown if network goes dark for 5 minutes |
| Airplane Snap-Back | Reverses airplane mode in real time via root shell + DevicePolicyManager.DISALLOW_AIRPLANE_MODE during lockdown |
| Shutdown Vault Seal | On unexpected shutdown (ACTION_SHUTDOWN), destroys Keystore keys via goAsync() so encrypted storage has no accessible keys |
| Feature | How |
|---|---|
| Decoy User Profile | Isolated Android user seeded with lived-in content; UserSwitcherHardener prevents switching back without real PIN |
| Sensor Lockdown | DevicePolicyManager restrictions disable microphone, camera, and motion sensors independently |
| Feature | How |
|---|---|
| Encrypted Vault | AES-256-GCM with StrongBox/TEE-backed keys; biometric-protected Class A file encryption |
| Encrypted Notes | AES-256-GCM notes stored in getFilesDir(); never written in plaintext |
| Clipboard Guard | Monitors clipboard changes; auto-clears after 60 seconds; logs all clipboard events to audit log |
| Metadata Scrubber | Strips GPS, timestamp, device model, and 14 other EXIF fields from photos before sharing |
| Location Kill Switch | Revokes location access for all apps in a single root operation; toggle from the main screen |
| Feature | How |
|---|---|
| App Immortality | setUninstallBlocked always on; DISALLOW_SAFE_BOOT + DISALLOW_FACTORY_RESET during lockdown |
| Forensic Hardening | allowBackup=false, BROADCAST_SMS permission guard on SMS receiver, minimal manifest permissions |
| APK Tamper Detection | SHA-256 hashes the live APK and Magisk module, verifies signing certificate; alerts on mismatch |
| Developer Options Hardening | Disables ADB, revokes ADB keys, locks developer options via root on demand |
| Auto-Wipe Self-Destruct | DevicePolicyManager.setMaximumFailedPasswordsForWipe(5) — system-enforced wipe, not app-enforced |
| Unexpected Reboot Alert | Detects reboots not initiated by the app; high-priority notification with reboot count on next unlock |
| Direct Boot SMS Trigger | PBKDF2-SHA256 keyword in Device Protected Storage; receives GPS + audit log via SMS before first unlock |
| Feature | How |
|---|---|
| Signed Device Baseline | Cryptographically signs a full device snapshot (USB state, ADB, packages, signing cert); detects tampering on compare |
| Privacy Posture Score | 0–100 score across 15+ factors: bootloader state, key security level, ADB, accounts, BFU state, sensors |
| Custody Report | Signed export of posture score + baseline diff + tamper report; written to getFilesDir() |
| Surveillance Scan | Detects network taps, rogue WiFi, physical access indicators, and known spyware package signatures |
| Travel Profile | Suspends selected apps, disables ADB, kills USB data, and hardens notifications in one operation |
| Continuous Audit Log | Rotating on-device log of every security action; readable from the main screen; never leaves the device |
| Feature | How |
|---|---|
| Secure Decommission | Clears all DPM restrictions → releases uninstall block → relinquishes Device Owner → root pm uninstall; requires typing DECOMMISSION to confirm |
- Android 9+ (API 28+)
- Rooted device (Magisk recommended)
- Device Owner status (set via ADB):
```bash
adb shell dpm set-device-owner com.borderprivacy.security/.BorderDeviceAdminReceiver
```

```bash
adb install SentinelPrivacy-v1.0.8.apk
adb shell dpm set-device-owner com.borderprivacy.security/.BorderDeviceAdminReceiver
```

Flash the Magisk zip from the magisk_module/ directory. Installs SentinelPrivacy as a privileged system app, which survives factory reset on some devices.
Every permission in the manifest is required for a specific feature. There are no analytics, advertising, or data-collection permissions.
| Permission | Required for |
|---|---|
| RECEIVE_SMS / SEND_SMS / READ_SMS | Remote SMS command trigger |
| ACCESS_FINE_LOCATION / ACCESS_BACKGROUND_LOCATION | GPS coordinates in SMS response |
| WAKE_LOCK | Keeps SMS receiver alive during Doze |
| FOREGROUND_SERVICE | Audit monitor persistent service |
| RECEIVE_BOOT_COMPLETED | Restore lockdown state after reboot |
| SCHEDULE_EXACT_ALARM | Doze-resistant dead-man switch watchdog |
No server. All state lives in SharedPreferences and getFilesDir() on-device. The app never opens a socket.
No backup surface. allowBackup=false means adb backup, Google cloud backup, and third-party backup tools cannot extract app data.
No spoofing vector. SmsCommandReceiver requires android.permission.BROADCAST_SMS, held exclusively by the system telephony stack. No third-party app can fake an SMS trigger.
Reversible. The decommission flow (Settings → Decommission Sentinel) restores all default state — USB re-enabled, restrictions cleared, Device Owner relinquished, app removed — in a single authenticated sequence.
Auditable. Every security action is written to an on-device rotating audit log accessible from the main screen.
```bash
# Check package name and version
adb shell dumpsys package com.borderprivacy.security | grep -E "versionName|versionCode"
# Verify APK signature
apksigner verify --print-certs SentinelPrivacy-v1.0.8.apk
```

```bash
git clone https://github.com/SentinelPrivacy/sentinel-android
cd sentinel-android
./gradlew assembleRelease
```

A release-signing.properties file pointing to your own keystore is required for a signed build.
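Printing the signing certificate only proves the APK is signed by someone; the digest still has to be compared with a value obtained out of band, and the copy on the device compared with the file that was checked. The script below is an added example, not part of the SentinelPrivacy repository: the function names are hypothetical, `PINNED_CERT_SHA256` is a placeholder, and it assumes single-signer `apksigner` output, `sha256sum`, and that the installed base APK is byte-identical to the release file.

```bash
#!/usr/bin/env bash
# Added example (not from the SentinelPrivacy repository); function names are hypothetical.
# Placeholder: replace with the signer digest obtained from a trusted, out-of-band source.
PINNED_CERT_SHA256="<expected-signer-sha256-digest>"
PKG="com.borderprivacy.security"

# Read `apksigner verify --print-certs` output on stdin; print signer #1's SHA-256 digest.
signer_digest() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *\([0-9a-fA-F]\{64\}\)$/\1/p' |
    head -n 1 | tr 'A-F' 'a-f'
}

# $1 = apksigner output, $2 = pinned digest. Succeeds only on an exact (case-insensitive) match.
cert_matches_pin() (
  got=$(printf '%s\n' "$1" | signer_digest)
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$got" ] && [ "$got" = "$want" ]
)

# Print the SHA-256 of a file, or nothing if it cannot be read.
file_sha256() { sha256sum "$1" 2>/dev/null | cut -d' ' -f1; }

# Succeeds only if both files are readable and byte-identical by SHA-256.
same_apk() (
  a=$(file_sha256 "$1"); b=$(file_sha256 "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
)

# $1 = downloaded release APK. Requires apksigner, adb and a connected device.
verify_release() (
  out=$(apksigner verify --print-certs "$1") || { echo "signature invalid" >&2; exit 1; }
  cert_matches_pin "$out" "$PINNED_CERT_SHA256" ||
    { echo "signer is not the pinned certificate" >&2; exit 1; }
  # pm path prints "package:<path>"; the first line is the base APK.
  remote=$(adb shell pm path "$PKG" | tr -d '\r' | sed -n 's/^package://p' | head -n 1)
  [ -n "$remote" ] || { echo "package not installed" >&2; exit 1; }
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp"' EXIT
  adb pull "$remote" "$tmp" >/dev/null || { echo "pull failed" >&2; exit 1; }
  same_apk "$1" "$tmp" ||
    { echo "installed APK differs from the release file" >&2; exit 1; }
  echo "OK: pinned signer, installed APK matches release"
)
```

Run it as `verify_release SentinelPrivacy-v1.0.8.apk` after sourcing the file; any failed step prints the reason and returns non-zero.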
MIT — see LICENSE.
Open a GitHub issue. For security disclosures, use the private security advisory channel on GitHub.
- Hardware keys: Android Keystore requests StrongBox-backed keys first and falls back to TEE-backed keys when StrongBox is unavailable.
- Class A protected files: signed baselines and custody reports are encrypted with a per-use-authentication Android Keystore key.
- Instant USB lock: when the audit monitor is running, screen-off immediately disables USB data functions and ADB when enabled.
- BFU/AFU awareness: posture reports show whether the device has been unlocked since boot and recommend rebooting for maximum file-encryption protection.
- Screen privacy