Open-Sourcing darkVault – Zero-Knowledge Encrypted Storage for Android (Seeking Security Review)
darkVault is an open-source Android application that provides zero-knowledge encrypted storage by encrypting files client-side before uploading them to Google Drive. It uses AES-256-GCM encryption and integrates with Android Keystore and biometric authentication to protect user data. The project is seeking security review and feedback from the security community to validate its design, cryptography, and implementation. There are no known exploits or vulnerabilities reported at this time.
AI Analysis
Technical Summary
darkVault is an Android app that implements zero-knowledge encryption to secure user files stored on Google Drive. It encrypts files locally using AES-256-GCM before upload, ensuring that Google only sees encrypted data. The encryption keys are derived from the user's password using PBKDF2 with 100,000 SHA-256 rounds, and the Data Encryption Key (DEK) is wrapped by the password-derived Key Encryption Key (KEK) and stored encrypted on Google Drive. The DEK exists only in RAM during app unlock and is zeroed out when locked. The app uses Android's native javax.crypto library without external crypto dependencies and supports biometric authentication and Android Keystore integration. The developer has published the source code and security policy publicly and is actively seeking expert review and responsible disclosure feedback. No vulnerabilities or exploits are currently known.
Potential Impact
No known vulnerabilities or exploits have been reported. The app aims to protect user data confidentiality by ensuring that encryption keys never leave the device and that files stored on Google Drive remain encrypted and inaccessible to Google or other third parties. If implemented correctly, this architecture minimizes the risk of data exposure from cloud storage compromise.
Mitigation Recommendations
No immediate mitigation actions are required as no vulnerabilities have been identified. Users and security researchers are encouraged to review the open-source code and provide feedback or report any security issues through the project's responsible disclosure process. The developer maintains a SECURITY.md and supports GitHub Security Advisories and CVE assignments for confirmed vulnerabilities.
Open-Sourcing darkVault – Zero-Knowledge Encrypted Storage for Android (Seeking Security Review)
Description
darkVault is an open-source Android application that provides zero-knowledge encrypted storage by encrypting files client-side before uploading them to Google Drive. It uses AES-256-GCM encryption and integrates with Android Keystore and biometric authentication to protect user data. The project is seeking security review and feedback from the security community to validate its design, cryptography, and implementation. There are no known exploits or vulnerabilities reported at this time.
Reddit Discussion
Hi everyone,
I'm open-sourcing a project I've been building called darkVault.
darkVault is an Android application that uses a zero-knowledge architecture and client-side encryption to transform Google Drive into an encrypted vault where users retain control of their encryption keys.
Project Website:
https://scap3sh4rk.github.io/darkVault/
GitHub:
https://github.com/scap3sh4rk/darkVault
Current features include:
- AES-256-GCM encryption
- Encrypted file and folder management
- Secure media previews
- Android Keystore integration
- Biometric authentication
- Zero-knowledge design
I am specifically looking for feedback from:
- Application Security Researchers
- Android Security Researchers
- Mobile Pentesters
- Cryptographers
- Open Source Contributors
The project includes a public SECURITY.md and responsible disclosure process.
If you discover a legitimate security vulnerability and follow the disclosure process, reports may be eligible for GitHub Security Advisories and, where appropriate, CVE assignment processes subject to CNA requirements.
My primary goal is to have the design, implementation, and threat model reviewed by people with stronger security expertise than myself.
Security Policy:
https://github.com/scap3sh4rk/darkVault/blob/main/SECURITY.md
Discussions:
https://github.com/scap3sh4rk/darkVault/discussions
I would appreciate any feedback on architecture, cryptography choices, Android security posture, threat modeling, or implementation flaws.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
darkVault is an Android app that implements zero-knowledge encryption to secure user files stored on Google Drive. It encrypts files locally using AES-256-GCM before upload, ensuring that Google only sees encrypted data. The encryption keys are derived from the user's password using PBKDF2 with 100,000 SHA-256 rounds, and the Data Encryption Key (DEK) is wrapped by the password-derived Key Encryption Key (KEK) and stored encrypted on Google Drive. The DEK exists only in RAM during app unlock and is zeroed out when locked. The app uses Android's native javax.crypto library without external crypto dependencies and supports biometric authentication and Android Keystore integration. The developer has published the source code and security policy publicly and is actively seeking expert review and responsible disclosure feedback. No vulnerabilities or exploits are currently known.
Potential Impact
No known vulnerabilities or exploits have been reported. The app aims to protect user data confidentiality by ensuring that encryption keys never leave the device and that files stored on Google Drive remain encrypted and inaccessible to Google or other third parties. If implemented correctly, this architecture minimizes the risk of data exposure from cloud storage compromise.
Mitigation Recommendations
No immediate mitigation actions are required as no vulnerabilities have been identified. Users and security researchers are encouraged to review the open-source code and provide feedback or report any security issues through the project's responsible disclosure process. The developer maintains a SECURITY.md and supports GitHub Security Advisories and CVE assignments for confirmed vulnerabilities.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a3b7b89eed863c81e6504dc
Added to database: 06/24/2026, 06:39:05 UTC
Last enriched: 06/24/2026, 06:39:18 UTC
Last updated: 06/24/2026, 12:09:13 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.