Write privately. Send anywhere.
An offline encrypted Android keyboard for physically QR-paired messaging.
Download | How it works | Security | GrapheneOS guide | Documentation
CipherBoard turns the keyboard into a protected compose-and-read surface. Two people pair in person, verify the same Safety Number, and exchange encrypted text through any app that can carry text. There are no CipherBoard accounts, servers, phone numbers, or network requests.
Warning
CipherBoard is pre-1.0 security-sensitive software. It uses reviewed cryptographic primitives and extensive automated checks, but the complete product has not received an independent applied-cryptography and Android security audit. Do not treat it as audited or risk-free.
| Offline by design | No Internet permission, analytics, ads, cloud backup, account system, or CipherBoard server. |
| Physical trust setup | Two-way QR pairing and an in-person Safety Number comparison establish each contact. |
| Protected writing | Private drafts stay in CipherBoard's IME panel; the host app receives only persisted ciphertext. |
| Protected reading | Plaintext is drawn read-only in a FLAG_SECURE panel without selection, clipboard export, autofill, or Accessibility text. |
| Modern sessions | Pinned vodozemac Olm sessions provide per-message keys, forward secrecy, replay handling, and out-of-order delivery support. |
| Use any transport | Send the resulting text through SMS, email, Telegram, Signal, or another text-capable app. CipherBoard never sends it itself. |
The current production build is CipherBoard 0.4.2 for arm64-v8a devices.
Open the latest release
for release notes and verification evidence.
| Release file | Purpose |
|---|---|
CipherBoard-0.4.2-release.apk |
Install this file. It is the only application package. |
CipherBoard-0.4.2-release.apk.sha256 |
Optional checksum for verifying the APK download. |
| Other attachments | Build, source, SBOM, license, and vulnerability-scan evidence for auditors. Do not install them. |
GitHub's Source code archives |
Automatic source snapshots, not Android applications. |
Important
Update in place. Do not uninstall CipherBoard or clear its app data before an update: that destroys the Vault, local identity, contacts, and ratchet state. Stop if Android reports a signing-certificate mismatch.
Verify the APK checksum before installation:
sha256sum --check CipherBoard-0.4.2-release.apk.sha256
adb install -r CipherBoard-0.4.2-release.apkOn Windows PowerShell:
(Get-FileHash .\CipherBoard-0.4.2-release.apk -Algorithm SHA256).Hash.ToLowerInvariant()
Get-Content .\CipherBoard-0.4.2-release.apk.sha256
adb install -r .\CipherBoard-0.4.2-release.apkIf Android Build Tools are installed, verify the signature and compare the
certificate SHA-256 with SIGNING_CERTIFICATE_SHA256
through a separately trusted channel:
apksigner verify --verbose --print-certs CipherBoard-0.4.2-release.apkFor stable update notifications without giving CipherBoard network access, add
https://github.com/bglglzd/CipherBoard to Obtainium, leave pre-releases
disabled, and use this release-asset filter:
^CipherBoard-[0-9]+\.[0-9]+\.[0-9]+-release\.apk$Obtainium is an optional external installer and a separate networked trust boundary. CipherBoard itself neither checks for nor installs updates. See the complete GrapheneOS installation and update guide.
- Each device creates a local cryptographic identity inside an authenticated Android Keystore-backed Vault.
- The devices pair in person by scanning an offer QR and a response QR.
- Both people compare the complete Safety Number before verifying the contact.
- The sender opens CipherBoard, taps the shield, chooses a verified contact, and writes with the on-screen keys in Encrypt mode.
- CipherBoard commits the advanced Olm ratchet before inserting only encrypted text into the host application.
- The recipient copies the complete message, opens Decrypt, and taps Paste and decrypt. Compact, Russian-word, and English-word presentations are detected automatically.
- Plaintext is displayed only in CipherBoard's protected read-only panel. Reply securely clears it and returns to the selected contact in Encrypt mode.
Compact CB1: is shortest and remains compatible with older CipherBoard
versions. Word presentation is optional camouflage from a casual glance, not
natural language, steganography, plausible deniability, or extra encryption.
Both peers need CipherBoard 0.4 or newer for word-form messages.
- No
android.permission.INTERNET, network-state permission, Firebase, Google Play Services, telemetry, advertising, or crash-reporting SDK is in the runtime design. - Pairing is serverless and requires a physical two-way QR exchange.
- Vault records use a random data-encryption key wrapped by a non-exportable, hardware-backed Android Keystore key. StrongBox is attempted first; verified TEE is the fallback. Software-only keys are rejected.
- Ratchet, replay, and pending-operation state is committed transactionally before ciphertext leaves the IME or plaintext is displayed.
- Private mode disables personalized learning, suggestions, clipboard history, copy/cut/paste, saved view state, and content capture. Only the on-screen keyboard is supported for private drafts.
- Backup and device-transfer extraction are disabled for application data.
- Transport, word-presentation, and QR parsers use strict canonical encoding, explicit limits, and malformed-input rejection.
- Published releases pin the signing certificate and independently verify the APK, native hardening, exact source, SBOM, offline vulnerability report, and release hashes.
CipherBoard cannot protect an unlocked device with a compromised OS, malicious
Accessibility service, modified APK, or privileged attacker. It cannot prevent
a camera or nearby person from seeing the screen, hide transport metadata,
resist physical coercion, or guarantee complete JVM/Android memory erasure.
FLAG_SECURE and best-effort clearing are useful controls, not absolute
guarantees.
The normal keyboard retains HeliBoard behavior and may use learning or clipboard features according to its settings. The stricter boundary applies to Private mode and the protected viewer. Android can route a hardware keyboard directly to the host app, so private drafts must use CipherBoard's on-screen keys.
Read the complete threat model, protocol specification, and security review before evaluating CipherBoard for sensitive use.
| Project fact | Current value |
|---|---|
| Maturity | Pre-1.0; current version 0.4.2 |
| Application ID | org.cipherboard.securekeyboard |
| Android baseline | minSdk 23, targetSdk 36; acceptance target is current GrapheneOS |
| Release ABI | arm64-v8a; debug builds also include x86_64 for emulators |
| Runtime network | No Internet or network-state permission; no runtime network feature |
| Interface languages | English and Russian |
| Latest notes | CipherBoard 0.4.2 |
CipherBoard is an unofficial modified fork of HeliBoard. It is not an official HeliBoard release and is not endorsed or supported by the HeliBoard project.
The pinned environment and complete release procedure are documented in
BUILD.md and RELEASE.md. The short debug path is:
./scripts/build-debug.sh.\scripts\build-debug.ps1The scripts run source-policy checks, Android lint, module unit tests, build the APK, and verify its manifest policy. A production release additionally requires a clean worktree, external signing material, Rust checks, Android device tests, an offline vulnerability database, and exact artifact verification.
| Document | Scope |
|---|---|
PROJECT_CONTEXT.md |
Product scope and invariants |
ARCHITECTURE.md |
Components and trust boundaries |
CRYPTO_PROTOCOL.md |
Wire format and protocol state |
THREAT_MODEL.md |
Threats, assumptions, and limitations |
SECURITY_CHECKLIST.md |
Security requirement traceability |
TEST_PLAN.md |
Test matrix and acceptance evidence |
docs/GRAPHENEOS.md |
Installation and external updates |
UPSTREAM.md |
Exact HeliBoard provenance |
LICENSES.md |
Component licensing and attribution |
Read CONTRIBUTING.md before opening a pull request. Use
synthetic content in reports and never publish real plaintext, complete
ciphertext, contact names, fingerprints, Safety Numbers, QR payloads, private
keys, Vault files, or session state.
- Usage and build help:
SUPPORT.md - Security vulnerabilities:
SECURITY.md - Community expectations:
CODE_OF_CONDUCT.md
Report unpatched vulnerabilities privately through GitHub Security Advisories.
CipherBoard is distributed under the GNU General Public License version 3.0.
See LICENSE and LICENSES.md for complete terms and
component notices.
CipherBoard is based on HeliBoard v4.0, pinned to commit
bd48798b99cccc99704eebf2a9259c02dbd684d5. Credits and notices for HeliBoard,
OpenBoard, AOSP Keyboard, LineageOS, and other upstream contributors are
preserved in the source and notice files.
