OpenPhone is an early developer preview project. Do not use current builds as a daily-driver secure phone OS.
Do not file public GitHub issues for vulnerabilities, leaked secrets, bypasses, or exploitable device-control bugs.
Report privately through GitHub private vulnerability reporting when available,
or email support@secondly.com with OpenPhone security in the subject.
- The bootloader on development devices is expected to be unlocked.
- Development builds are not production signed.
- Play Integrity compatibility is not a goal for early releases.
- The assistant and framework service are experimental.
- Background agent jobs are reviewed-conservative: they may observe and summarize, but state-changing background tools are blocked until a foreground reviewed approval flow exists.
- Production key management for model providers is not implemented.
Never commit:
- API keys,
- private SSH keys,
- signing keys,
- vendor credentials,
- personal device data,
- generated Android build outputs.