- The signature fingerprint of every downloaded APK file is validated against an internal allowlist. This prevents the installation of malicious apps that do not originate from the original developers.
- Only HTTPS connections are used because unencrypted HTTP traffic can be manipulated.
- Only system certificate authorities are trusted. This restriction can be disabled in the settings to allow other apps to inspect the application's network traffic.
- Command injection in RootInstaller.kt is prevented by validating and sanitizing commands.
- Git commits will be signed with the GPG key CE72BFF6A293A85762D4901E426C5FB1C7840C5F (public key)
- Git commits will be signed with the ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIJE17LRw9gdAka03KYwdFj88b3sDEODRBlIY1smsvOMx (public key)
- APK will be signed with the key apk_signature
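
The allowlist check from the first bullet, sketched as an added example (not the project's own code). It assumes Android API 28+; `ALLOWED_FINGERPRINTS`, `isDownloadedApkTrusted`, the package name and the fingerprint value are hypothetical placeholders.

```kotlin
import android.content.pm.PackageManager
import java.io.File
import java.security.MessageDigest

// Constructed allowlist: package name -> SHA-256 of the developer's signing
// certificate (hex). The entry is a placeholder, so the check fails closed
// until a real fingerprint is filled in.
private val ALLOWED_FINGERPRINTS: Map<String, String> = mapOf(
    "org.example.browser" to "<sha256-of-signing-certificate>",
)

private fun sha256(bytes: ByteArray): ByteArray =
    MessageDigest.getInstance("SHA-256").digest(bytes)

// Accepts "ab:cd:..." or "abcd..." in either case; rejects anything that is
// not exactly 32 bytes of hex so a malformed allowlist entry never matches.
private fun hexToBytes(hex: String): ByteArray? {
    val clean = hex.replace(":", "").lowercase()
    if (clean.length != 64 || !clean.all { it in "0123456789abcdef" }) return null
    return ByteArray(32) { i -> clean.substring(2 * i, 2 * i + 2).toInt(16).toByte() }
}

/** True only if [apk] is the expected package signed by the allowlisted certificate. */
fun isDownloadedApkTrusted(pm: PackageManager, apk: File, expectedPackage: String): Boolean {
    val expected = ALLOWED_FINGERPRINTS[expectedPackage]?.let(::hexToBytes) ?: return false

    // Parse the downloaded file without installing it (GET_SIGNING_CERTIFICATES needs API 28+).
    val info = pm.getPackageArchiveInfo(apk.absolutePath, PackageManager.GET_SIGNING_CERTIFICATES)
        ?: return false // not a parsable APK

    // A validly signed APK for a different package must not pass either.
    if (info.packageName != expectedPackage) return false

    val signingInfo = info.signingInfo ?: return false
    // Require exactly one signer so an extra, unknown certificate cannot ride along.
    if (signingInfo.hasMultipleSigners()) return false
    val signers = signingInfo.apkContentsSigners ?: return false
    if (signers.size != 1) return false

    // Compare digests in constant time; every failure path above returns false.
    return MessageDigest.isEqual(sha256(signers[0].toByteArray()), expected)
}
```

Run the check on the downloaded file before it is handed to the installer, and delete the file when the check returns false.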