Standalone managed Android app

SP-VAULT · SELF-HOSTED

Capture sensitive media.
Keep it out of the camera roll.

SecurePhone Vault is a separate first-party app for encrypted photos, video, audio, document scans, and imported files. Content and its library index stay encrypted on the device under an Android Keystore key.

Device-bound encryptionNo Internet permissionManaged by policy
SP-VAULT Ready to deploy
Vault policyLIVE
01

co.securephone.vaultRequired managed application

assigned
02

photo-videoPrivate capture workflow

allowed
03

audioEncrypted voice recordings

allowed
04

documentsScans and file imports

allowed
LICENSE VALIDMODE PRIVATE
01AES-256GCM authenticated encryption
020cloud or Internet dependencies
035capture and import workflows
041 APKseparate from Wallet and Global Chat
Protected media boundary

A dedicated encrypted library for field evidence and private files.

Vault minimizes the time plaintext exists, avoids shared media storage, and gives administrators explicit control over which capture paths are available. It complements device policy rather than replacing endpoint security.

01

Encrypted photos and document scans

Capture into app-private storage and encrypt the result before it enters the protected library.

02

Protected video

Store video as authenticated ciphertext instead of leaving an ordinary gallery item behind.

03

Encrypted audio recording

Record voice notes locally, encrypt them immediately, and preview them only inside the Vault.

04

Document import

Copy a selected document directly into the encrypted library without granting a cloud service access.

05

Private previews

Screenshots and recents are blocked. Temporary previews stay in no-backup app storage and are wiped when the preview closes or the app backgrounds.

06

Managed restrictions

Enable or disable Vault, photo, video, audio, scanning, and import paths through Android managed configuration.

Appliance delivery

Provision Vault like every other required SecurePhone app.

Vault has its own package identity and release artifact. The appliance catalog, policy, launcher layout, signing identity, and managed-device wipe plan are prepared together.

01

Select Vault in policy

Assign co.securephone.vault as a required app for the intended users or devices.

02

Choose capture permissions

Permit only the photo, video, audio, scan, and import workflows the deployment needs.

03

Place the launcher icon

Make Vault the intentional protected-media entry point on the managed home screen.

04

Validate wipe and recovery

Confirm application-data and whole-device wipe behavior before phones enter the field.

Release boundary

Working sandbox beta, not an unaudited production promise.

The SecurePhone sandbox build is available for appliance and device testing. Production distribution remains blocked until the APK is release-signed with the SecurePhone identity and independently reviewed.

Review security architecture
01

Separate application identity

Vault uses co.securephone.vault; it is not the crypto wallet and is not hidden inside Global Chat.

02

External production signing

Private release keys never enter the source repository or customer appliance.

03

No cloud account

The app has no Internet permission and no SecurePhone, OMEMO, Google, or third-party storage dependency.

04

Endpoint limits remain

An unlocked or compromised device can expose an active preview; screen lock, MDM, and incident response remain essential.

Encrypted Vault

Test the real customer Vault workflow in the SecurePhone sandbox.

Validate capture, import, managed policy, launcher placement, previews, deletion, and wipe before the production signing gate is opened.

Configure yours