Open protocol · verifiable encryption

Don't trust us — verify.

BanditKin's privacy is a matter of architecture, not promises. The complete protocol our app speaks — and the exact format we use to encrypt your data before it leaves your phone — is published in the open. You can read the spec, run the proof, and watch the wire yourself. Here's how to check our claims without taking our word for anything.

Read the protocol on GitHub →

Open protocol · Verifiable encryption · Publicly documented · MIT licensed

Three ways to check

Proof, not promises.

Three independent ways to confirm BanditKin does what it says — none of which require trusting us.

The protocol is public

Our complete relay API and the byte-level encryption envelope — AES-256-GCM via Google Tink — are documented in the open. It's a real specification, detailed enough that an independent developer could build a working client from it without ever seeing our code. It's in API_CONTRACT.md, and it includes an honest table of exactly what the relay can and cannot see.

The proof is runnable

Don't take the format on faith. Our published reference implementations — in Python and in JavaScript (WebCrypto) — ship with a runnable proof. Run prove_interop.py and it round-trips them against the exact crypto engine inside the Android app, Google Tink, in every direction. If our encryption weren't what we say, the proof would fail.

The wire is auditable

Capture BanditKin's own network traffic from your phone and see for yourself: it talks only to documented hosts, and the content on the wire is ciphertext, not readable locations or messages. Our guide, VERIFY_THE_WIRE.md, walks you through it with a standard tool (PCAPdroid) — no trust required.

Full candor

What our servers see — and what they can't.

We state what the relay can see as plainly as what it can't — and the published spec backs every line of it. That's the whole point of documenting it.

What the relay can see

Operational metadata, and we say so: that a device is online, its battery level, and that an alert fired. For map and area downloads, the host sees your IP address and the coarse region you requested. Encrypted traffic still has a size and a time. We don't pretend otherwise — the spec spells it out.

What it can never see

Where anyone in your circle is. What any message says. Your destination or searches in the offline navigation modes. The relay only ever holds ciphertext it has no key to open — the key lives on your paired devices and is shared in person by QR code. That's privacy by construction, not by policy.

Straight talk

What's not open — and why.

BanditKin is not open source, and we won't call it that. The app and the relay's own source code are not public today. What is public is the layer where “trust us” isn't good enough: the encryption envelope and the wire protocol — fully specified, and independently verifiable. That is the part that proves your data is sealed on your device before it ever leaves it. If that balance ever changes, it changes in the open direction — never the other way.

See it for yourself.

It's all on GitHub, MIT licensed — read the spec, run the proof, audit the wire. And if you want to know exactly what we collect and how, our privacy policy spells it out in plain language.

View banditkin-protocol on GitHub →

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.Read our Privacy Policy →