Armadillo is designed to maximize privacy and security. If you are forced to unlock it, it may reveal a fake decoy user. It can detect Wi-Fi, cellular and forensic attacks. The operating system avoids vulnerabilities that can be used by hackers. If a SafePhone is compromised, you have many methods to erase it. Cameras or microphones can be removed. Hardware accessories further enhance your security.
Armadillo is decentralized. Use a public server or host your own private server. Multiplexing hides your metadata, to bypass surveillance and firewalls. All connections use pinned certificates, for maximum security. The server is not trusted and cannot access your sensitive data. End-to-end encryption protects your communications.
HARDWARE
Cameras or microphones can be removed. Devices are inspected before shipping. Shipments are made in tamper-proof packaging.
SafePhone comes with accessories to help prevent wireless attacks, physical attacks and theft. Your existing SIM card or Wi-Fi only.
INTERFACE
The "network indicator" appears next to the Wi-Fi and mobile icons. Shows how much data is being transferred, to detect suspicious activity on the network.
All SafePhone programs use the same colors: red is unsafe, orange is dangerous, and green is safe.
Easily switch between three "security modes" depending on what you're doing: low security, medium security or high security.
NETWORK
DECENTRALIZED
Instead of trusting us to host your accounts, you can manage your own SafePhone Server. Your SafePhone Server can host secure communications, new applications to download, and encrypted Internet infrastructure (DNS and NTP). You can run Armadillo Phones on your own network offline.
​
​MULTIPLEXED
Armadillo Phones connect all protocols (HTTP, XMPP, DNS, etc.) to the Armadillo Server on the same port, with the same domain, and encrypt all connections identically. To an attacker intercepting the connection, everything looks like encrypted HTTPS traffic. This prevents the leak of protocol metadata, which could be used to identify users with timing attacks. It also allows connections to bypass some firewalls and mitigates passive metadata monitoring.
OS
HARDENED SYSTEM
SafePhone uses a hardened fork of Graphene OS. The kernel, system and applications have been modified to improve security. File encryption has been strengthened to encrypt each user separately and resist brute force. Unsafe functions have been removed.
DENIABLE ENCRYPTION
If you are forced to unlock your SafePhone phone, you can log in as a fake user instantly. Switch to other users by entering your password on the lock screen.
DESTRUCTION
Enter a "wipe password" to erase your Armadillo phone, erase other Armadillo phones remotely, or have your Armadillo phone erase itself if it is not unlocked after a certain time. "Incognito mode" creates a user that is deleted when you log out.
APPLICATIONS
CELLULAR PROTECTION
Radio Sentinel mitigates cellular network attacks that can track your location, intercept your communications, and hack your phone. Radio Sentinel only allows 4G connections by default. Radio Sentinel detects IMSI receivers, silent SMS and some SS7 attacks. It will automatically disconnect if it detects an attack.
COMMUNICATION
Safe Chat is a secure instant messaging application. It uses OMEMO end-to-end encryption, so your messages are safe even if the server is compromised. You can use several methods to verify your friends' encryption identities. Armadillo Chat automatically warns you about potential impostors in your contact list and other devices connected to your account. Set automatic self-destruct timers, remotely delete messages or entire conversations.
WI-FI PROTECTION
Wi-Fi Sentinel mitigates attacks on the Wi-Fi network. Wi-Fi Sentinel detects KARMA and ARP poisoning attacks. It will automatically disconnect if it detects an attack.
THEFT PROTECTION
Theft Sentinel pairs with your Armadillo Beacon via Bluetooth to prevent theft. If your Armadillo Phone and Beacon become separated, they will both set off an alarm. Unless you reconnect or your phone is unlocked, your Armadillo Phone will eventually turn off.
CONTROL
SafePhone Control is used to remotely manage other Armadillo phones. You can power off, alarm, clear and change settings. Send end-to-end encrypted commands using Armadillo Chat, so if a server is compromised, you can't send malicious commands.
FORENSIC PROTECTION
RAM Sentinel monitors your Armadillo's temperature and prevents cold boot attacks designed to extract your device's password using cold temperatures. It will turn off your Armadillo phone if it detects an attack.
TECHNICAL DETAILS
REINFORCED OPERATING SYSTEM
REINFORCED CORE
Security patches for the latest versions of the Linux Kernel have been updated on the Armadillo Phone. These include FORTIFY-SOURCE-STRING-STRING, HARDEN-BRANCH-PREDICTOR, INIT-ON-FREE-DEFAULT-ON, INIT-ON-ALLOC-DEFAULT-ON, INIT-STACK-ALL, BUG-ON-DATA-CORRUPTION and much more. The userspace entropy of the ASLR kernel has been increased to mitigate memory corruption vulnerabilities.
REINFORCED SYSTEM
The Android build process has been strengthened, including improvements to stack probes, bounds checking, frame pointers, and automatic variable initialization. The compiler and libc toolchain have been strengthened. The malloc implementation has been replaced by hardened_malloc, which is further tuned to improve security and increase quarantine space. Interactions between users have been blocked at the frame level to prevent leaks.
REINFORCED MEANS
It has long been known that Android's media stack has been very vulnerable, so Armadillo has hardened it to withstand attacks. Older, less used, and riskier codecs (such as software and H263 codecs) have been removed. "Scudo", which is the strengthened memory allocator for Android codecs, has been extended with greater scope and has been reinforced. mediadrmserver and drmserver have been removed. MMS automatic recovery is permanently disabled to mitigate remote attacks.
REDUCED ATTACK SPACE
Insecure software components have been removed to prevent vulnerabilities. This includes tracking software used by Google and third parties. Dangerous permissions (such as Internet access or location) granted to the Camera and Contacts apps have been removed. Secure default settings have been set, such as requiring strong passwords, hiding notification content, and disabling biometrics. If your Armadillo Phone is erased remotely, it will not indicate that it is erasing its data. Enabling developer options has been disabled. The ability to switch between Wi-Fi, Bluetooth, or airplane mode from a locked phone has been disabled.
REINFORCED NETWORKS
TLS multiplexing prevents leakage of protocol metadata and prevents firewalls. Time synchronization over the network is done using TLS, instead of NTP. Name resolution is done using DoT (DNS over TLS), rather than plain text DNS. TLS session tickets have been disabled to prevent tracking between connections. The browser is only enabled in low security mode. Through the software's security policies, they can disable networks such as Wi-Fi, cellular or Bluetooth.
You can share your VPN connection with devices connected to the Armadillo Phone's wireless access point, turning the Armadillo Phone into a hardware VPN.
REINFORCED STORAGE
Armadillo OS has improved Graphene storage encryption by encrypting each user's metadata separately. Now even if the hardware security of the Armadillo Phone is compromised, revealing a user's password will not affect the security of other users' metadata.
Upon first boot, a random number of "fake users" are generated with a random amount of data, preventing attackers from detecting real users.
Scrypt KDF duty factors have been strengthened (from 15:3:1 to 19:4:1) to resist brute force attacks.
ENCRYPTION
SafePhone uses multiple layers of redundant encryption to protect your data. TLS certificates are pinned to prevent MitM attacks. TLS session tickets are disabled to prevent connection tracking. TLS multiplexing prevents leakage of protocol metadata and bypasses firewalls.
STORAGE ENCRYPTION
Protocol: Deniable multi-user FBE
Purpose: Protect the data stored on an Armadillo Phone.
Content encryption: AES-256-XTS
Metadata encryption: AES-256-XTS
KDF:Scrypt 19:4:1
SAFE START
Protocol: Android Verified Boot 2.0
Purpose: Protect the integrity of the operating system.
Key: RSA-2048
Checksum: SHA-256
NOTEPAD ENCRYPTION
Protocol: SQLCipher
Purpose: Protect notes used by the Notepad application.
Content encryption: AES-256-CBC
KDF:Scrypt 13:8:1
HMAC: SHA-512
CELLULAR ENCRYPTION
Protocol: 4G LTE
Purpose: Protect the connection between an Armadillo Phone and the cell tower.
Key: SNOW-128
Content encryption: SNOW
RETURN ENCRYPTION
Protocol: OpenVPN
Purpose: Protect the connection between the cellular network and an Armadillo Server.
Handshake: ECDHE
Key: RSA-4096
Content encryption: AES-128-CBC
HMAC: SHA-256
CONNECTION ENCRYPTION
Protocol: TLS 1.3
Purpose: Protect the connection between an Armadillo Phone and an Armadillo Server.
Exchange protocol: ECDHE
Key: RSA-4096
Content encryption: AES-256-GCM
HMAC: SHA-512
END-TO-END ENCRYPTION
Protocol: OMEMO
Purpose: Protect messages between Armadillo phones.
Exchange protocol: X3DH (Curve25519)
Authentication: ECC-256
Key: ECC-256
Content encryption: AES-256-CBC
HMAC: SHA-256
AUTHENTICATION
Protocol: zero-knowledge password proof
Objective: Authenticate your Armadillo Phone on an Armadillo server.
Token: JWT
KDF:Scrypt 15:10:1
Compilation: SHA-256
NETWORK SECURITY
DECENTRALIZED
​
Instead of relying on us to host your accounts, you can run your own Armadillo server. Your Armadillo server can host secure communications, new applications to download, and encrypted Internet infrastructure (such as DNS and NTP). You can run Armadillo Phones on your own network offline.
MULTIPLEXED
Armadillo phones connect all protocols (HTTP, XMPP, DNS, etc.) to the Armadillo server on the same port, with the same domain, and encrypt all connections identically. To an attacker intercepting the connection, everything looks like encrypted HTTPS traffic. This prevents the leak of protocol metadata, which could be used to identify users with timing attacks. It also allows connections to bypass firewalls and mitigate mass surveillance.