v1.1.0

1Key v1.1.0 - Android Autofill, sync on unlock, and a top-to-bottom UI refresh

Same posture as v1.0.0: no account, no server, no INTERNET permission, no telemetry. 1Key v1.1.0 turns the app into a
system-integrated autofill provider, adds opt-in encrypted sync to a folder you pick, and refreshes the entire UI on a neutral
palette tuned for both light and dark modes.

In-place upgrade from v1.0.0. Your vault, biometric setup, PIN, saved 2FA codes, and backups are preserved.

Highlights

• Android Autofill - 1Key registers as an AutofillService. Fields in other apps and websites can be filled directly from the
  OS picker. Search the vault in place, unlock with biometric or PIN from inside the picker, and cross-host confirm before
  filling. AutofillCaptureBuffer is atomic so a capture-then-fill flow never loses an update. (Listed as "parked" in v1.0.0 -
  shipping in v1.1.0.)
• Sync on Master-Password Unlock (opt-in) - on every successful master-password unlock, 1Key writes a fresh encrypted backup
  to a SAF folder you pick. No key persistence, no background daemon, no master-password-derived material kept. Biometric and
  PIN unlocks deliberately skip sync because they do not give the app the master password (PRIVACY.md:49).
• Theme picker - Follow system / Light / Dark. New installs default to Follow system. The app reacts to live OS dark-mode
  flips without a restart.
• Visual refresh - neutral palette in both themes, flat credential rows with category-derived icons, 56dp
  top app bars pinned to the same chrome tier as the bottom nav, 2FA rows wrapped in Recycle-Bin-style cards, favourite heart
  badge on the credential icon.
• High-refresh-rate scrolling - upgraded to Compose 1.9 and Compose BOM 2025.08.00 so lists run at the device's native refresh
  rate.
• Faster cold start - root detection moved off the main thread, Application.onCreate slimmed, splash background pinned to the
  body color so there is no white flash on rotation or warm restart.

Security and privacy posture

Unchanged from v1.0.0: Argon2id master-key derivation (m=64 MiB, t=3, p=1), AES-256-GCM with HKDF-SHA256 subkey separation and
per-field AAD bound to row + column, vault key wrapped by Android Keystore, verifier and PIN hash in
EncryptedSharedPreferences, no INTERNET permission, FLAG_SECURE by default. Threat model:
https://roufsyed.github.io/1Key/whitepaper.html

Reinforced in v1.1.0:

• VaultLockHook installed by the shared in-memory snapshot. On every VaultKeyHolder.lock() the hook fires synchronously, drops
  the decrypted list reference, cancels the in-flight decryption job, and runs all of this before key bytes are zeroed.
• Lock-aware composables (dialogs, sheets, dropdowns, text fields) ping the inactivity timer. Raw Dialog usage outside the
  lock-aware wrappers is blocked by the UnsafeUnlockableSurface lint rule.
• Lock screen pinned to portrait while mounted.
• Clipboard routed through SecureClipboardManager with 30s auto-clear; OS-menu copy of revealed passwords blocked.

What else changed

Features

• Categories with per-credential cleanup on delete; chip-based category picker in credential edit
• Multi-select delete in credential lists and Favourites; multi-select favourite toggle from the selection action bar
• Recently Accessed sort option across all credential lists
• Per-credential previous-access time bumped on view and copy; foreign last-used timestamps round-trip through accessed_at
• Settings search with deep-link routing and matched-row highlighting
• Auto-fill missing import titles from URL behind a preview toggle
• Foreign-tool JSON keys translated and custom-field labels prettified on import
• Foreign timestamps normalised to Unix milliseconds across CSV/JSON imports

UI / UX

• Neutral palette in both themes; light surfaceContainer family pinned to cool greys (no purple baseline
  tint)
• Flat divider-separated credential lists; row icon derived from the first tag
• Favourite heart badge at the bottom-right of the credential row icon
• 2FA list rows as card-style Surfaces matching the Recycle Bin layout
• 56dp top app bars pinned to surfaceContainer; top bar collapses on scroll (toggleable)
• Settings split into category sub-screens (General / Security / Autofill / Backup / Sync / FAQ / Privacy Policy)
• Lock screen revamp with unlock success animation; friendly "Wrong password" error replaces raw OpenSSL strings
• Confirm dialogs before destructive actions (delete category, disable recycle bin, delete vault, discard unsaved 2FA/OCR
  state)
• IME-aware layouts on every input screen so the submit button stays above the keyboard
• Themed Add-credential bottom sheet with category picker; per-credential-type form layouts
• In-app FAQ and Privacy Policy synced with the current security model and Sync addendum

Fixes

• White flash on rotation and warm restart removed (themed windowBackground, splash background, TaskDescription)
• Toggle-flash on Settings cold launch fixed across every user-configured state
• All crypto-heavy work and Argon2id KDF moved off the main thread; credential decryption off the main thread (list scroll
  jitter gone)
• RootDetector.check() moved off the main thread (no more getprop subprocess spawns blocking the first frame)
• TagRepository deferred from Application.onCreate
• Decrypted-list StateFlows cooled when no screen is subscribed
• PIN unlock accepting any 6-digit input fixed (security)
• Lock-vs-decrypt race that left credential lists empty fixed
• 2FA delete now unlinks the code from its credential instead of deleting the entry
• BiometricPrompt automatically dismissed when too-many-failures lockout fires; auto-biometric trigger gated on window focus
• Idle-lock timer suppressed during SAF picker and camera/OCR flows
• QR scanner crash fixed (Firelog classes kept in APK, INTERNET stripped via manifest override)
• TopAppBar system-bar icons now respond to the in-app theme toggle
• Double status-bar inset causing excess top space fixed across all screens
• Backup magic-header read fixed when InputStream returns short
• Tag LIKE filters anchored on JSON quote boundaries (no more substring matches)
• Onboarding form state persisted across rotation; stale errors and missing-file handling fixed
• runCatchingResult no longer swallows CancellationException

Release 1.0.0

1Key 1.0.0 — a free, local-only Android password manager that doesn't ask for an account, an email, or the INTERNET

permission.

1Key is a password manager for Android that keeps your vault on your device and nowhere else. No sync server, no account, no
telemetry, no subscription tier hiding TOTP behind a paywall.

Highlights

• No account, no server, no INTERNET permission. The manifest doesn't request INTERNET at all. The app physically cannot
  phone home.
• Built-in TOTP alongside the password it protects, with a live 30-second countdown and one-tap copy. No second
  authenticator app, no premium tier.
• OCR credential capture via on-device ML Kit. Point the camera at a printed password and it pre-fills the form. Image
  never leaves the device.
• Importer for seven password managers (Google Passwords, LastPass, KeePass, Safari/iCloud, 1Password, Dashlane,
  NordPass). Auto-detects format and column headers.
• Encrypted V4 backups — Argon2id-derived key, AES-256-GCM, with the export timestamp and vault version counter bound into
  the auth tag so old backups can't be replayed against a newer vault.
• Tiered persistent lockouts that survive a process kill (3 / 5 / 10 wrong attempts trigger 30s / 5min / 1hr cooldowns).

Security and privacy posture

• Argon2id master-key derivation (m = 64 MiB, t = 3, p = 1)
• AES-256-GCM with HKDF-SHA256 subkey separation and per-field AAD bound to row + column
• Vault key wrapped by an Android Keystore key; verifier and PIN hash live in EncryptedSharedPreferences, so a stolen DB
  file alone is not offline-brute-forceable
• No INTERNET permission, no analytics, no crash reporting, no usage data
• FLAG_SECURE blocks screenshots and Recent Apps previews by default
• Encrypted V4 .1key backup envelope

Full architecture and threat model: https://roufsyed.github.io/1Key/whitepaper.html

Features

• Credentials with title, username, password, URL, notes, and custom fields
• Tag-based categories, favourites, full-text search across all fields
• TOTP / 2FA codes scanned from a QR
• OCR credential capture from camera
• Recycle bin (soft delete) with restore
• Biometric unlock backed by hardware-secure key, gated by master-password confirmation to enable
• 6-digit PIN unlock with 3-strike fallback to master password
• Background and inactivity auto-lock with configurable timers
• Optional periodic master-password recheck (48h / 3d / 1w / 3w)
• Encrypted .1key backup, plain CSV/JSON export

Install

Download 1Key_1_1.0.0_release.apk from the Assets below. Minimum Android 8.0 (API 26), target SDK 36.

Sideload:

1. Download the APK to your phone.
2. Open it from your file manager or browser downloads.
3. Allow "Install unknown apps" for the source when prompted.

Verify the download:

shasum -a 256 1Key_1_1.0.0_release.apk

Expected SHA-256: [VERIFY: compute after signing]

Build from source

No API keys, no .env, no setup.

git clone https://github.com/roufsyed/1Key.git
cd 1Key
./gradlew assembleDebug

Requires Android Studio Hedgehog or later and JDK 17.

Known limits

• Single device only. No sync, by design.
• No account recovery. Lose the master password and the vault is unrecoverable — that's the trade-off for having no server.
• No third-party security audit yet. The crypto choices are documented; they have not been independently reviewed.
• Single-developer project. Response times on issues will reflect that.

Documentation

• White paper: https://roufsyed.github.io/1Key/whitepaper.html
• FAQ: https://roufsyed.github.io/1Key/FAQ.html
• Privacy policy: https://roufsyed.github.io/1Key/PRIVACY_POLICY.html
• Project site: https://roufsyed.github.io/1Key/

Licence and trademark

1Key is released under GPL-3.0. You can use, study, modify, and redistribute it under those terms.

The name "1Key", the wordmark, and the app icon are not under the GPL — see
TRADEMARKS.md. Forks must rebrand before redistributing.

What's next

• F-Droid distribution (planned)
• LAN sync over same-WiFi, master-password gated with a 4-digit short authentication string (designed, parked)
• Android Autofill integration (parked)