
blue_ghost
features
Two Versions. One Protocol.
blue_ghost: The full encrypted messenger. Every security feature, every core communication tool, and the complete cryptographic stack — no cost, no ads, no accounts, no limits on what matters.
blue_ghost+: Everything in blue_ghost, plus group sessions, live polls, a custom theme editor, Ghost Notes encrypted notepad, and broadcast descriptions.
All communication runs exclusively over Bluetooth Low Energy — direct, device-to-device, with zero internet or Wi-Fi involvement. The app holds no INTERNET permission and cannot open a network socket under any condition.
Every message is encrypted with a unique key derived from a Double Ratchet state machine. An ephemeral ECDH (P-256) handshake seeds the ratchet via HKDF-SHA256. Message keys are deleted immediately after use — no two messages ever share a key.
Your long-term identity is a P-256 keypair generated inside Android's Trusted Execution Environment via the Keystore API. The private key is non-exportable and never touches the JVM heap — it cannot be extracted even if the OS is compromised.
The symmetric ratchet advances on every message, deleting each key after use. The DH ratchet advances whenever you reply after receiving, re-deriving the root key from a fresh ECDH output. Past messages stay safe even if current state is compromised, and future messages recover automatically after a breach.
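The symmetric half of the ratchet described above, as an added example and not blue_ghost's own code: HKDF-SHA256 (RFC 5869) turns the handshake secret into a root key and a chain key, and each message advances the chain and consumes a one-time message key. The HMAC constants 0x01/0x02 follow the Signal Double Ratchet specification and are an assumption here, as are the empty salt, the `info` label, the function names and the constructed secret standing in for the ECDH output; the DH ratchet step is not shown.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class ChainRatchet:
    """Symmetric KDF chain: every step yields one message key and a new chain key."""

    def __init__(self, chain_key: bytes):
        self._ck = chain_key
        self.n = 0  # number of message keys issued so far

    def next_message_key(self) -> bytes:
        mk = hmac.new(self._ck, b"\x01", hashlib.sha256).digest()
        # Replace the chain key. HMAC is one-way, so the state that remains
        # cannot recompute keys already issued. Python does not wipe the old
        # bytes from memory; a real implementation has to zero them.
        self._ck = hmac.new(self._ck, b"\x02", hashlib.sha256).digest()
        self.n += 1
        return mk


def seed_session(shared_secret: bytes):
    """Derive (root_key, chain_key) from the handshake secret."""
    # Salt and info label are assumptions; the page does not state them.
    okm = hkdf_sha256(shared_secret, b"", b"example-ratchet-seed", 64)
    return okm[:32], okm[32:]


def demo():
    # Constructed stand-in for the 32-byte ECDH (P-256) output.
    secret = bytes(range(32))
    _, ck = seed_session(secret)
    alice, bob = ChainRatchet(ck), ChainRatchet(ck)
    sent = [alice.next_message_key() for _ in range(5)]
    received = [bob.next_message_key() for _ in range(5)]
    return sent, received
```

Both sides step the same chain and arrive at identical per-message keys, and no key repeats.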
Monotonically increasing sequence numbers are authenticated into every GCM tag via AAD. A 1,024-message sliding window bitmap rejects any duplicate or out-of-window sequence. Tampered, replayed, reordered, or injected packets fail authentication before decryption is attempted.
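One way to implement the 1,024-entry sliding-window bitmap described above, as an added example and not blue_ghost's own code. The class and function names are hypothetical, `tag_valid` stands in for the AES-GCM tag check, and checking the window before the tag is an assumed ordering; the window only moves after authentication succeeds, so a forged packet with a huge sequence number cannot push legitimate traffic out of range.

```python
WINDOW = 1024  # window size stated on the page


class ReplayWindow:
    """Sliding-window bitmap over authenticated sequence numbers.

    Bit i of `bitmap` records whether sequence number `highest - i` was accepted.
    """

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.highest = -1  # nothing accepted yet
        self.bitmap = 0

    def is_fresh(self, seq: int) -> bool:
        """True if seq is neither a duplicate nor older than the window."""
        if seq < 0:
            return False
        if seq > self.highest:
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # fell out of the window
        return not (self.bitmap >> offset) & 1  # duplicate if the bit is set

    def mark(self, seq: int) -> None:
        """Record seq as seen. Call only after the GCM tag has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(window: ReplayWindow, seq: int, tag_valid: bool) -> str:
    """Decide the fate of one packet; tag_valid stands in for GCM verification."""
    if not window.is_fresh(seq):
        return "rejected: replay or out of window"
    if not tag_valid:
        return "rejected: authentication failed"  # window state untouched
    window.mark(seq)
    return "accepted"
```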
No phone numbers, no usernames, no email, no registration of any kind. A display name is a local label only — it is never used to persistently identify you or cross-reference sessions.
The FLAG_SECURE window flag is always active. Android's OS blocks all screenshots, screen recordings, and recent-app thumbnails at the system level. No third-party detection logic is needed or used.
A SHA-256 fingerprint derived from both peers' identity public keys, displayed as 12 groups of 5 digits. If both sides read matching numbers aloud, the session is cryptographically authentic — no man-in-the-middle is present. Uses the same approach as Signal.
Set an optional PIN that must match during the handshake before a session is established. Peers without the correct PIN are rejected at the protocol layer before any encryption state is created.
Any message can be erased from both devices simultaneously. Erase requests are cryptographically signed with your identity key — the peer verifies the signature before honouring the deletion. Forged erase requests are rejected.
When a session ends, a mutual ritual destroys all cryptographic material: root key, send/receive chain keys, every cached skipped message key, all ratchet state, and the full message history. Nothing survives a session end.
Configurable auto-seal trigger. A slider lets you set anywhere from 1 to 60 minutes of inactivity before the session is automatically torn down, or disable it entirely. On timeout, the full Seal Ceremony runs — keys and history are wiped.
Accelerometer, gyroscope, and other hardware sensors contribute additional entropy during key generation. Sensors are active only during the scan and handshake windows — never during idle or active chat — to keep battery usage minimal.
Runs asynchronously on launch and warns if the host device appears to be rooted. Detection uses file-path checks only and never blocks the UI or adds latency to the startup path.
Three levels selectable from a picker dialog. Secret: hidden entirely on the lock screen with a lock icon only. Private: visible when unlocked, redacted on the lock screen. None: no notifications at all. Message content is never shown in any notification.
Named typing events are broadcast as control signals. In group sessions the indicator shows each specific member's name, not just a generic "someone is typing" message.
Obscures all message content on screen until you hold down on a message. Toggled from the chat menu — useful in environments where someone might look over your shoulder.
Unsent message drafts are saved per-peer using AES-256-GCM encryption backed by Android Keystore. Drafts persist between app launches but are never stored in plaintext and never leave the device.
Three in-chat games with a cryptographic commit-reveal anti-cheat scheme. The initiator commits a SHA-256 hash of their value and a random nonce before the peer accepts — neither side can change their result after seeing the other's move. All game events (sent, accepted, declined, cancelled, result) appear as system messages in the chat log. For coin flip, the initiator picks heads or tails before sending the challenge.
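The commit-reveal step described above, as an added example and not blue_ghost's own code. The 32-byte nonce, the nonce-then-value encoding and all function names are assumptions; `unblinded_guess` shows why the nonce is needed when the value space is as small as heads/tails.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 32  # assumed nonce size; the page only says "a random nonce"


def _digest(value: str, nonce: bytes) -> bytes:
    # Fixed-length nonce first, so the nonce/value boundary is unambiguous.
    return hashlib.sha256(nonce + value.encode("utf-8")).digest()


def commit(value: str):
    """Initiator: return (commitment, nonce). Only the commitment is sent first."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return _digest(value, nonce), nonce


def verify(commitment: bytes, value: str, nonce: bytes) -> bool:
    """Peer: check the revealed (value, nonce) against the earlier commitment."""
    if len(nonce) != NONCE_LEN:
        return False
    return hmac.compare_digest(commitment, _digest(value, nonce))


def unblinded_guess(commitment: bytes, candidates):
    """A bare SHA-256(value) over a tiny value space is recovered by
    hashing every candidate; the random nonce is what hides the value."""
    for c in candidates:
        if hashlib.sha256(c.encode("utf-8")).digest() == commitment:
            return c
    return None


def demo():
    options = ["heads", "tails"]
    c, nonce = commit("heads")
    honest = verify(c, "heads", nonce)
    switched = verify(c, "tails", nonce)  # initiator tries to change the call
    leaked = unblinded_guess(hashlib.sha256(b"heads").digest(), options)
    hidden = unblinded_guess(c, options)  # nonce-blinded commitment
    return honest, switched, leaked, hidden
```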
Send a full-screen color wash to your peer — 7 rainbow colors, each fading in and out over roughly one second. Group-aware: in a group session the pulse broadcasts to all connected peers simultaneously.
A live diagnostic overlay showing real-time Double Ratchet state: current sequence numbers, key fingerprints, and DH ratchet step status — visible during an active session for anyone who wants to verify the cryptographic machinery directly.
A per-message animation showing the ratchet derivation chain: rk → ck → mk → 🔒. Plays on every message send, making the cryptographic flow visible rather than invisible.
Strips all color from the UI via a ColorMatrix filter. Zero per-frame cost. Toggled from the chat menu.
A slider to adjust the interface scale, accommodating different device sizes and accessibility needs without requiring system-wide font changes.
Toggle timestamp visibility on all message bubbles. When hidden, the chat log contains no time metadata whatsoever.
Each peer is represented by a unique procedurally generated constellation derived from a seed. Purely local and cosmetic — never used as identity data, never transmitted as anything other than a seed number.
An animated startup sequence runs while the BLE stack initialises. A silent foreground service with VISIBILITY_SECRET keeps active sessions alive when the app is backgrounded, and auto-terminates cleanly when the task is removed.
Feature Comparison
| Feature | blue_ghost | blue_ghost+ |
|---|---|---|
| BLE-only encrypted 1:1 chat | ✓ | ✓ |
| Double Ratchet + AES-256-GCM | ✓ | ✓ |
| Hardware-backed P-256 identity keys (TEE) | ✓ | ✓ |
| Forward secrecy & break-in recovery | ✓ | ✓ |
| Replay & injection protection | ✓ | ✓ |
| FLAG_SECURE screen protection | ✓ | ✓ |
| Safety Number session verification | ✓ | ✓ |
| PIN-protected sessions | ✓ | ✓ |
| Secure message erase (signed) | ✓ | ✓ |
| Seal Ceremony teardown | ✓ | ✓ |
| Inactivity timeout (1–60 min) | ✓ | ✓ |
| Hardware sensor entropy | ✓ | ✓ |
| Root detection | ✓ | ✓ |
| Notification security levels (3) | ✓ | ✓ |
| Typing indicators (named) | ✓ | ✓ |
| Message privacy mode | ✓ | ✓ |
| Encrypted draft saving (Keystore) | ✓ | ✓ |
| Mini-games (dice, coin flip, RPS) | ✓ | ✓ |
| Color pulse (7 colors) | ✓ | ✓ |
| Ratchet console | ✓ | ✓ |
| Key derivation overlay | ✓ | ✓ |
| Grayscale mode | ✓ | ✓ |
| GUI scale | ✓ | ✓ |
| Constellation avatar system | ✓ | ✓ |
| blue_ghost+ exclusive | | |
| Group sessions (hub-and-spoke) | — | ✓ |
| Live polls (group) | — | ✓ |
| Custom theme editor | — | ✓ |
| Broadcast description (BLE) | — | ✓ |
| Ghost Notes (encrypted notepad) | — | ✓ |
Get blue_ghost
Both versions are available on Google Play. blue_ghost is free, always. blue_ghost+ is a one-time purchase — no subscriptions.