Skip to content

bglglzd/CipherBoard

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2,502 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

CipherBoard application icon

CipherBoard

Write privately. Send anywhere.
An offline encrypted Android keyboard for physically QR-paired messaging.

Latest release Total downloads Android 11 or newer for secure messaging No network permission arm64-v8a release ABI

CI status Security checks status CodeQL status Android instrumentation status GPL-3.0-only license

Download  |  How it works  |  Security  |  GrapheneOS guide  |  Documentation

CipherBoard turns the keyboard into a protected compose-and-read surface. Two people pair in person, verify the same Safety Number, and exchange encrypted text through any app that can carry text. There are no CipherBoard accounts, servers, phone numbers, or network requests.

Warning

CipherBoard is pre-1.0 security-sensitive software. It uses reviewed cryptographic primitives and extensive automated checks, but the complete product has not received an independent applied-cryptography and Android security audit. Do not treat it as audited or risk-free.

Why CipherBoard

Offline by design No Internet permission, analytics, ads, cloud backup, account system, or CipherBoard server.
Physical trust setup Two-way QR pairing and an in-person Safety Number comparison establish each contact.
Protected writing Private drafts stay in CipherBoard's IME panel; the host app receives only persisted ciphertext.
Protected reading Plaintext is drawn read-only in a FLAG_SECURE panel without selection, clipboard export, autofill, or Accessibility text.
Modern sessions Pinned vodozemac Olm sessions provide per-message keys, forward secrecy, replay handling, and out-of-order delivery support.
Use any transport Send the resulting text through SMS, email, Telegram, Signal, or another text-capable app. CipherBoard never sends it itself.

Download

Download CipherBoard 0.4.2 APK

The current production build is CipherBoard 0.4.2 for arm64-v8a devices. Open the latest release for release notes and verification evidence.

Release file Purpose
CipherBoard-0.4.2-release.apk Install this file. It is the only application package.
CipherBoard-0.4.2-release.apk.sha256 Optional checksum for verifying the APK download.
Other attachments Build, source, SBOM, license, and vulnerability-scan evidence for auditors. Do not install them.
GitHub's Source code archives Automatic source snapshots, not Android applications.

Important

Update in place. Do not uninstall CipherBoard or clear its app data before an update: that destroys the Vault, local identity, contacts, and ratchet state. Stop if Android reports a signing-certificate mismatch.

Verify the APK checksum before installation:

sha256sum --check CipherBoard-0.4.2-release.apk.sha256
adb install -r CipherBoard-0.4.2-release.apk

On Windows PowerShell:

(Get-FileHash .\CipherBoard-0.4.2-release.apk -Algorithm SHA256).Hash.ToLowerInvariant()
Get-Content .\CipherBoard-0.4.2-release.apk.sha256
adb install -r .\CipherBoard-0.4.2-release.apk

If Android Build Tools are installed, verify the signature and compare the certificate SHA-256 with SIGNING_CERTIFICATE_SHA256 through a separately trusted channel:

apksigner verify --verbose --print-certs CipherBoard-0.4.2-release.apk

For stable update notifications without giving CipherBoard network access, add https://github.com/bglglzd/CipherBoard to Obtainium, leave pre-releases disabled, and use this release-asset filter:

^CipherBoard-[0-9]+\.[0-9]+\.[0-9]+-release\.apk$

Obtainium is an optional external installer and a separate networked trust boundary. CipherBoard itself neither checks for nor installs updates. See the complete GrapheneOS installation and update guide.

How It Works

  1. Each device creates a local cryptographic identity inside an authenticated Android Keystore-backed Vault.
  2. The devices pair in person by scanning an offer QR and a response QR.
  3. Both people compare the complete Safety Number before verifying the contact.
  4. The sender opens CipherBoard, taps the shield, chooses a verified contact, and writes with the on-screen keys in Encrypt mode.
  5. CipherBoard commits the advanced Olm ratchet before inserting only encrypted text into the host application.
  6. The recipient copies the complete message, opens Decrypt, and taps Paste and decrypt. Compact, Russian-word, and English-word presentations are detected automatically.
  7. Plaintext is displayed only in CipherBoard's protected read-only panel. Reply securely clears it and returns to the selected contact in Encrypt mode.

Compact CB1: is shortest and remains compatible with older CipherBoard versions. Word presentation is optional camouflage from a casual glance, not natural language, steganography, plausible deniability, or extra encryption. Both peers need CipherBoard 0.4 or newer for word-form messages.

Security Model

Enforced controls

  • No android.permission.INTERNET, network-state permission, Firebase, Google Play Services, telemetry, advertising, or crash-reporting SDK is in the runtime design.
  • Pairing is serverless and requires a physical two-way QR exchange.
  • Vault records use a random data-encryption key wrapped by a non-exportable, hardware-backed Android Keystore key. StrongBox is attempted first; verified TEE is the fallback. Software-only keys are rejected.
  • Ratchet, replay, and pending-operation state is committed transactionally before ciphertext leaves the IME or plaintext is displayed.
  • Private mode disables personalized learning, suggestions, clipboard history, copy/cut/paste, saved view state, and content capture. Only the on-screen keyboard is supported for private drafts.
  • Backup and device-transfer extraction are disabled for application data.
  • Transport, word-presentation, and QR parsers use strict canonical encoding, explicit limits, and malformed-input rejection.
  • Published releases pin the signing certificate and independently verify the APK, native hardening, exact source, SBOM, offline vulnerability report, and release hashes.

Explicit limitations

CipherBoard cannot protect an unlocked device with a compromised OS, malicious Accessibility service, modified APK, or privileged attacker. It cannot prevent a camera or nearby person from seeing the screen, hide transport metadata, resist physical coercion, or guarantee complete JVM/Android memory erasure. FLAG_SECURE and best-effort clearing are useful controls, not absolute guarantees.

The normal keyboard retains HeliBoard behavior and may use learning or clipboard features according to its settings. The stricter boundary applies to Private mode and the protected viewer. Android can route a hardware keyboard directly to the host app, so private drafts must use CipherBoard's on-screen keys.

Read the complete threat model, protocol specification, and security review before evaluating CipherBoard for sensitive use.

Project Status

Project fact Current value
Maturity Pre-1.0; current version 0.4.2
Application ID org.cipherboard.securekeyboard
Android baseline minSdk 23, targetSdk 36; acceptance target is current GrapheneOS
Release ABI arm64-v8a; debug builds also include x86_64 for emulators
Runtime network No Internet or network-state permission; no runtime network feature
Interface languages English and Russian
Latest notes CipherBoard 0.4.2

CipherBoard is an unofficial modified fork of HeliBoard. It is not an official HeliBoard release and is not endorsed or supported by the HeliBoard project.

Build From Source

The pinned environment and complete release procedure are documented in BUILD.md and RELEASE.md. The short debug path is:

./scripts/build-debug.sh
.\scripts\build-debug.ps1

The scripts run source-policy checks, Android lint, module unit tests, build the APK, and verify its manifest policy. A production release additionally requires a clean worktree, external signing material, Rust checks, Android device tests, an offline vulnerability database, and exact artifact verification.

Documentation

Document Scope
PROJECT_CONTEXT.md Product scope and invariants
ARCHITECTURE.md Components and trust boundaries
CRYPTO_PROTOCOL.md Wire format and protocol state
THREAT_MODEL.md Threats, assumptions, and limitations
SECURITY_CHECKLIST.md Security requirement traceability
TEST_PLAN.md Test matrix and acceptance evidence
docs/GRAPHENEOS.md Installation and external updates
UPSTREAM.md Exact HeliBoard provenance
LICENSES.md Component licensing and attribution

Contributing And Support

Read CONTRIBUTING.md before opening a pull request. Use synthetic content in reports and never publish real plaintext, complete ciphertext, contact names, fingerprints, Safety Numbers, QR payloads, private keys, Vault files, or session state.

Report unpatched vulnerabilities privately through GitHub Security Advisories.

License And Attribution

CipherBoard is distributed under the GNU General Public License version 3.0. See LICENSE and LICENSES.md for complete terms and component notices.

CipherBoard is based on HeliBoard v4.0, pinned to commit bd48798b99cccc99704eebf2a9259c02dbd684d5. Credits and notices for HeliBoard, OpenBoard, AOSP Keyboard, LineageOS, and other upstream contributors are preserved in the source and notice files.