hafgit99/AegisVaultAndroid_V.4.0.0

Aegis Vault Android

Privacy-first Android password manager with local-first storage, hardware-backed protection, and optional end-to-end encrypted sync.

Version 4.2.0 | Android | React Native 0.84.0 | AES-256-GCM | MIT license

Overview | Core Capabilities | Security Model | Screens | Tech Stack | Getting Started | Documentation

Overview

Aegis Vault Android is a modern Android password manager built for users who want strong local control over their secrets. The project prioritizes secure on-device storage, biometric access, encrypted backup and restore flows, and a zero-knowledge sync architecture for multi-device use cases.

Unlike cloud-first password managers, Aegis Vault is designed around the idea that your vault should remain under your control by default. Sensitive data stays encrypted at rest, encryption keys are protected through Android security primitives, and optional sync transports do not require surrendering plaintext data to a server.

Why This Project

  • Local-first by default, with optional encrypted relay sync.
  • Security-focused architecture built around device trust, biometric access, and encrypted persistence.
  • Open source codebase with test automation, mutation testing, and security-oriented documentation.
  • Designed as a product-grade Android app, not just a demo repository.

Quick Facts

| Area | Details |
| --- | --- |
| Current version | 4.2.0 |
| Security Status | Hardened (Mutation Testing >70-97%) |
| Runtime | React Native 0.84.0, React 19.2.3, Hermes |
| Minimum Node.js | 18+ |
| Android support | Android 7.0+ |
| Local storage | SQLCipher via @op-engineering/op-sqlite |
| Crypto stack | AES-256-GCM, Argon2, Android Keystore |
| Test stack | Jest + Stryker mutation testing |

Core Capabilities

Vault and authentication

  • Encrypted local vault storage with SQLCipher-backed persistence
  • Biometric unlock support through react-native-biometrics
  • Auto-lock controls and secure access policies
  • Device trust and degraded-device policy handling

Password and security workflows

  • Password record management and local search
  • Security Center analysis and vault health scoring
  • Password history and brute-force protection flows
  • Passkey and WebAuthn-oriented backend preparation

Backup, recovery, and sync

  • Encrypted export and import flows
  • Structured backup and restore support
  • Delta sync and relay-based synchronization (Hardened)
  • Emergency access and recovery approval workflows (Hardened)

Security Model

The application follows a pragmatic zero-knowledge direction:

  • Vault data is encrypted before persistence.
  • Sensitive material is protected with Android security primitives wherever possible.
  • Backup flows use strong modern cryptography, including Argon2-based derivation paths.
  • Sync is built around encrypted envelopes so the relay layer does not need plaintext access.

graph TD
    A["Biometric / Device Authentication"] --> B["Android Keystore"]
    B --> C["Derived Session Keys"]
    C --> D["AES-256-GCM Vault Encryption"]
    D --> E["SQLCipher Local Storage"]
    D --> F["Encrypted Backup / Sync Payloads"]
    E --> G["Security Center and Policy Enforcement"]
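
An added example, not code from this repository or its SyncEnvelope.ts, of the encrypted-envelope idea above: the device seals a record with AES-256-GCM, the relay handles only ciphertext plus a readable header, and any change made in transit fails authentication. It uses Node's crypto API; the envelope field names, `sealEnvelope`, `openEnvelope`, and the sample key and record are assumptions made for illustration.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Hypothetical envelope layout; field names are assumptions for this example.
interface Envelope {
  header: string; // routing metadata the relay may read (JSON text)
  iv: string;     // base64, 96-bit GCM nonce, unique per message
  ct: string;     // base64 ciphertext
  tag: string;    // base64 128-bit GCM authentication tag
}

// Sending device: encrypt a record; the header is authenticated (AAD) but not encrypted.
function sealEnvelope(key: Buffer, header: object, plaintext: string): Envelope {
  const iv = randomBytes(12);
  const headerText = JSON.stringify(header);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(headerText, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    header: headerText,
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Receiving device: returns the plaintext, or null if anything was altered in transit.
function openEnvelope(key: Buffer, env: Envelope): string | null {
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(env.iv, "base64"));
    decipher.setAAD(Buffer.from(env.header, "utf8"));
    decipher.setAuthTag(Buffer.from(env.tag, "base64"));
    const pt = Buffer.concat([decipher.update(Buffer.from(env.ct, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null; // wrong key, or tag mismatch over header or ciphertext
  }
}

// Constructed sample: the key stands in for a session key held only by the devices.
const deviceKey = randomBytes(32);
const record = JSON.stringify({ site: "example.test", password: "constructed-secret" });
const sent = sealEnvelope(deviceKey, { vaultId: "v1", seq: 7 }, record);

// What the relay stores and forwards: no plaintext field anywhere.
const relayView = JSON.stringify(sent);
// A relay that rewrites the sequence number breaks authentication.
const tampered: Envelope = { ...sent, header: JSON.stringify({ vaultId: "v1", seq: 8 }) };
```

Because the header is bound as additional authenticated data, the relay can route on it but cannot modify it without the receiving device rejecting the envelope.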

Security quality gates

We utilize Mutation Testing (Stryker) to ensure our security logic is resilient against logical regressions.

| Module | Mutation Score | Status |
| --- | --- | --- |
| SecurityModule.ts | >70.00% | ✅ Pass |
| DeltaSyncModule.ts | >70.00% | ✅ Pass |
| EmergencyAccessModule.ts | >70.00% | ✅ Pass |
| SyncEnvelope.ts | 97.22% | ✅ Pass |
| WearOSModule.ts | 97.44% | ✅ Pass |
| Overall Project | 97.37% | ✅ Pass |

Screens

[Screenshots: Vault screen | Security screen | Login screen]

Tech Stack

  • React Native 0.84.0
  • React 19.2.3
  • TypeScript
  • Hermes JavaScript engine
  • @op-engineering/op-sqlite with SQLCipher enabled
  • react-native-quick-crypto
  • react-native-argon2
  • react-native-biometrics
  • Jest for automated tests
  • Stryker for mutation testing

Getting Started

Prerequisites

  • Node.js 18+
  • JDK 17
  • Android Studio with Android SDK tooling
  • An Android emulator or a physical Android device

Install and run

git clone https://github.com/hafgit99/AegisVaultAndroid_V.4.0.0.git
cd AegisVaultAndroid_V.4.0.0
npm install
npx react-native start

In a second terminal:

npx react-native run-android

Useful scripts

npm test
npm run test:mutation
npm run android
npm run relay

Quality and Testing

The repository includes both conventional automated tests and mutation testing to measure the strength of the test suite.

  • High-Fidelity Assertions: Tests are designed to fail if core logic is altered.
  • Mutation Resilience: Achieved >70% coverage on critical security paths.
  • Security Audit: Regular npm audit checks (0 vulnerabilities).
  • Hardening: Ongoing work on passkey, backup, and sync services.

Documentation

English

Turkish

Roadmap Direction

  • Improve import and export interoperability
  • Expand sync reliability and conflict handling
  • Continue Security Center hardening
  • Extend passkey and device-trust workflows
  • Strengthen release engineering and field validation

Contributing

Contributions are welcome, especially around:

  • Android security hardening
  • Test quality and mutation coverage
  • UX polish and accessibility
  • Documentation improvements
  • Interoperability and migration flows

Before opening a pull request, review the relevant documentation in docs, especially the security and release-readiness material.

License

This project is distributed under the MIT License.

Your data. Your device. Your control.
Maintained by hafgit99