Security Practices

Technical measures we implement to protect your data and privacy.

Data Encryption

At Rest (On Device)

Data Type Encryption Method Key Storage
API Keys AES-256-GCM via Android EncryptedSharedPreferences Android Keystore (hardware-backed)
Clipboard History SQLite with SQLCipher encryption App-generated key stored in EncryptedSharedPreferences
Settings & Preferences Standard Android SharedPreferences (OS-level encryption on Android 7+) Managed by Android OS

In Transit

  • HTTPS/TLS 1.3: All API communications use TLS encryption
  • Certificate Pinning: Considered for future updates (currently relying on OS trust store)
  • No Plain HTTP: The app does not allow insecure HTTP connections

API Key Protection

How We Protect Your API Keys

  • Stored in Android's EncryptedSharedPreferences with AES-256 encryption
  • Encryption keys are stored in Android Keystore (hardware-backed on most devices)
  • Keys are NEVER logged, sent to our servers, or accessible to other apps
  • Cleared immediately upon app uninstallation

Network Security

Connections

  • AI Provider APIs: Direct HTTPS connections to Google, OpenAI, Groq
  • No Intermediary Servers: Your prompts go directly from your device to the AI provider
  • Network Security Config: Enforces HTTPS and blocks legacy TLS versions

DNS & VPN Compatibility

  • Aido works with private DNS (DNS-over-HTTPS/TLS)
  • Compatible with VPNs for additional privacy
  • No hard-coded DNS servers or proxy configurations

Verify It Yourself (Network Evidence)

We believe in "Show, Don't Just Tell". Watch this network analysis video demonstrating Aido's silence when typing passwords.

Recorded using Charles Proxy/MITMProxy. Verifies: 1) API calls only happen on explicit commands. 2) No data sent on password fields.

Vulnerability Management

Dependency Updates

We regularly update third-party libraries to patch known vulnerabilities:

  • AndroidX Libraries: Updated monthly
  • Kotlin & Coroutines: Updated with major Kotlin releases
  • Networking Libraries: OkHttp/Ktor updated for security patches

Responsible Disclosure

Found a security issue?

Email: aiqknow@gmail.com with "SECURITY" in the subject

We commit to:

  • Acknowledge within 48 hours
  • Investigate and provide updates within 7 days
  • Issue a patch within 30 days for critical vulnerabilities
  • Credit researchers (if desired) in release notes

Secure Coding Practices

Input Validation

  • All user inputs are sanitized before processing
  • Accessibility events are filtered to prevent injection attacks
  • API responses are validated before display

Code Obfuscation

  • ProGuard/R8 minification enabled for release builds
  • Sensitive string literals are not hardcoded (except for non-sensitive defaults)
  • Debug logging is disabled in production builds

Device Security

Root/Jailbreak Detection

Current Policy: Aido does NOT block rooted devices. However, we display a warning that:

  • Encryption may be compromised on rooted devices
  • Other apps with root access could potentially access Aido's data
  • Users proceed at their own risk

Android Version Support

Minimum SDK: Android 7.0 (API 24)

  • Ensures access to modern encryption APIs
  • Benefits from Android 7+ system-level encryption
  • Security support from Google-maintained libraries

Logging & Monitoring

What We Log

  • Locally (Debug Mode Only): App state, error messages (no user data)
  • Production Builds: No logging enabled

What We Do NOT Log

  • User prompts or AI responses
  • Clipboard content
  • API keys or authentication tokens
  • Text from accessibility events

Security is a Journey

We continuously improve our security practices. If you notice a potential issue or have suggestions, please contact us at aiqknow@gmail.com.

Audit Menu