If you discover a security vulnerability in TrueShot, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, email: yuri.borges.777@gmail.com (or open a private security advisory on GitHub)

• Description of the vulnerability
• Steps to reproduce
• Impact assessment
• Suggested fix (if any)

• Acknowledgment: within 48 hours
• Initial assessment: within 7 days
• Fix or mitigation: within 30 days for critical issues

• Signing: ECDSA with NIST P-256 curve (SHA256withECDSA)
• Hashing: SHA-256 (computed on JPEG bytes up to EOI marker)
• Key storage: Android Keystore backed by StrongBox (preferred) or TEE (fallback)
• Key properties: non-exportable, generated on-device, hardware-bound

• Image integrity: SHA-256 hash detects any modification to image pixels
• Manifest authenticity: ECDSA signature prevents manifest forgery or tampering
• Key binding: signedPayload in manifest prevents cross-photo manifest swapping
• Device binding: private key never leaves the hardware security module

1. Screen recapture detection is heuristic. The sensor-based approach flags anomalies but cannot definitively prove a photo was taken of a screen. Scores should be interpreted as probabilistic signals.

2. Root detection uses multiple layers. Play Integrity API provides the strongest signal (when available), supplemented by traditional su-path checks. A sophisticated attacker may still bypass both. Root status is flagged in the manifest for transparency.

3. GPS redaction re-signs the manifest. Redacted copies pass full verification, with redactedFields disclosing what was removed. The re-signing uses the same device key.

4. Auto Mode has an inherent delay. Photos sealed in Auto Mode have a small delay (typically 200-500ms) between capture and sealing. This delay is recorded in sealDelayMs for transparency.

See THREAT_MODEL.md for the complete threat analysis.