XOPOZ

Privacy-First GPS Encryption Architecture

A Technical Whitepaper for Security-Conscious Organizations

Version 1.0 | February 2026 | By Thierry Bremard

Abstract: This whitepaper presents the cryptographic architecture of XOPOZ, a professional GPS team tracking application that implements end-to-end location encryption with a zero-knowledge server model. We describe the two-tier key hierarchy, the hardware-accelerated GPS coordinate encryption scheme, the team-based key isolation model, and the threat scenarios this architecture addresses. XOPOZ demonstrates that strong cryptographic protection for location data can coexist with real-time performance requirements and battery efficiency on mobile devices.

1. The Problem: Location Data Exposure

Location data is among the most sensitive categories of personal information. A continuous record of GPS coordinates reveals home and work addresses, daily routines, medical visits, political activities, religious affiliations, and social relationships. Despite this sensitivity, the vast majority of GPS tracking applications transmit and store location coordinates in plaintext on their servers.

This creates multiple attack surfaces: server-side data breaches, insider threats, government subpoenas, and commercial data harvesting. In 2023, it was publicly documented that Life360, one of the world's most popular family tracking apps, sold precise location data from its users to approximately a dozen data brokers. The data included coordinates accurate to within a few meters.

For professional teams operating in sensitive environments — humanitarian organizations in conflict zones, journalists in hostile territories, search-and-rescue operations, or enterprise field crews handling proprietary information — this exposure is unacceptable.

XOPOZ addresses this by ensuring that GPS coordinates are encrypted on the device before any transmission occurs, using team-specific keys that the server never possesses.

2. Architecture Overview

The XOPOZ security architecture operates on three layers, each providing defense-in-depth against different threat vectors.

Layer 1: HARDWARE SECURITY (Android Keystore HSM) | | AES-256/GCM master key (xopoz_master_key) | Hardware-bound, app-signature isolated | Cannot be extracted by OS or root access | v Layer 2: SECONDARY KEY STORAGE (Encrypted SharedPreferences) | | key_local_device = AES-256-GCM(master, device_key_16bytes) | key_team_[teamId] = AES-256-GCM(master, team_key_16bytes) | Stored as Base64 encrypted blobs | v Layer 3: GPS DATA ENCRYPTION (AES-128-ECB, Hardware Accelerated) | | Input: [IV_HIGH(4) | LAT(4) | IV_LOW(4) | LON(4)] = 16 bytes | Output: Base64(AES-128-ECB(input, team_key)) = CryptoCoordBlob | Performance: ~30,000 ops/sec on Pixel 7 | v TRANSPORT: CryptoCoordBlob sent to server via HTTPS SERVER: Stores only encrypted blobs. Cannot decrypt.

2.1 Layer 1: Hardware Root of Trust

The foundation of the key hierarchy is a single AES-256 master key generated inside the Android Keystore Hardware Security Module (HSM). This key is identified by the alias xopoz_master_key and is configured with the following properties:

Hardware-bound: The key material exists only within the HSM and cannot be extracted, even by the operating system kernel or applications with root privileges.
Application-isolated: The key is bound to the XOPOZ application's signing certificate and UID. No other application, regardless of its permissions, can access or use this key.
Persistent: The key survives application updates, reinstallations, and device reboots.
Algorithm: AES-256 with GCM mode and no padding, providing both confidentiality and integrity for encrypted key material.

2.2 Layer 2: Secondary Key Management

Two categories of secondary keys are protected by the hardware master key:

Key Type	Size	Storage Alias	Purpose
Local Device Key	16 bytes	`key_local_device`	Encrypts GPS positions stored locally on the device
Team Key (per team)	16 bytes	`key_team_[teamId]`	Encrypts GPS positions shared with team members

Each secondary key is generated using a cryptographic random number generator, encrypted using the hardware master key with AES-256/GCM, encoded as Base64, and stored in the application's private SharedPreferences. The number of team keys scales linearly with team memberships.

2.3 Layer 3: GPS Coordinate Encryption

The GPS encryption operates on a carefully designed 16-byte structure that embeds a 64-bit initialization vector alongside the coordinate data:

Byte Layout: [ IV_HIGH (4 bytes) | LATITUDE (4 bytes) | IV_LOW (4 bytes) | LONGITUDE (4 bytes) ] Byte Index: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Coordinate Encoding: Latitude = (lat + 90.0) * 1,000,000 -> unsigned 32-bit integer (microdegrees) Longitude = (lon + 180.0) * 1,000,000 -> unsigned 32-bit integer (microdegrees) IV Generation (64-bit, split into IV_HIGH and IV_LOW): Source 1: deviceId XOR timestamp.rotateLeft(32) Source 2: System.nanoTime().rotateLeft(32) XOR Random.nextLong() Source 3: timestamp.hashCode().toLong().rotateLeft(19) Source 4: Random.nextInt().toLong() XOR (deviceId >> 16) Final: XOR combination of all sources Encryption: AES-128-ECB(plainBlock[0..15], teamKey[0..15]) Output: Base64(cipherBlock[0..15]) -> CryptoCoordBlob

This single-block AES encryption leverages hardware acceleration on modern Android devices, achieving approximately 30,000 operations per second on a Pixel 7 and 17,000 on a mid-range Honor 9X. Since GPS positions are typically acquired once per minute, the cryptographic overhead is negligible.

3. Team Key Distribution: Zero-Knowledge Model

The team key distribution protocol ensures that the XOPOZ server never possesses team encryption keys, achieving true zero-knowledge architecture.

3.1 Team Creation

The creator's device registers the team name with the server, receiving a unique teamId.
The device generates a random 16-byte team encryption key using SecureRandom.
A SHA-256 challenge hash is computed: SHA-256("XOPOZ" + teamKey) (21-byte input).
Only the challenge hash is transmitted to the server. The key remains on the device.
The key is encrypted with the hardware master key and stored locally.

3.2 Team Joining

The team creator shares a group ticket out-of-band: [XPZ-teamId-base64Key].
The joining device parses the ticket, extracts the team key, and stores it in the local Keystore.
The joining device computes the same SHA-256 challenge: SHA-256("XOPOZ" + teamKey).
The challenge hash is sent to the server for verification against the stored challenge.
On match, membership is granted. The server has verified key possession without seeing the key.

Security Guarantee: The server stores only SHA-256 challenge hashes. Even a complete server database breach reveals no usable key material. SHA-256 is a one-way function; the 16-byte team key cannot be recovered from the 32-byte hash.

4. Message Encryption: AES-128-CBC Protocol

While GPS coordinates use single-block ECB encryption for performance, variable-length messages (geofence alerts, SOS messages, team communications) use the more robust AES-128-CBC mode with a structured protocol wrapper:

Message Protocol Structure: [ Version (1 byte) | Length (2 bytes) | IV (4 bytes) | Encrypted Payload | CRC32 (4 bytes) ] Encryption: AES-128-CBC with PKCS7 padding, random 16-byte IV Integrity: CRC32 checksum over entire message for corruption detection Key: Same team-specific 16-byte key used for GPS encryption

The dual encryption strategy reflects a deliberate engineering tradeoff: lightweight single-block encryption for high-frequency GPS updates (every 5-30 seconds) and robust multi-block encryption with full IV and integrity checking for infrequent messaging operations.

5. Privacy Control Architecture

XOPOZ implements a comprehensive privacy framework with multiple independent control layers:

Control	Effect	Enforcement Point
Local Save Permission	Controls local GPS history storage	GpsLocationEngine (before write)
Push Location Permission	Controls team position sharing	GpsLocationEngine (before transmit)
Intraday Tracking Window	Blocks GPS outside working hours	GpsLocationEngine (request gate)
Data Retention Period	Auto-deletes data older than N days	Storage layer (periodic cleanup)
Secure Deletion	0xFF byte overwrite before unlink	All file deletion operations
Android Backup Disabled	Prevents system/cloud backup of all data	AndroidManifest.xml + backup rules

6. Battery-Aware Encryption Performance

A critical design constraint for mobile GPS encryption is battery impact. XOPOZ addresses this through hardware-accelerated AES and an intelligent power management system.

Device	AES-128 Ops/sec	30-Day Decrypt	Impact Assessment
Pixel 7 (2022)	~30,000	~1.4 seconds	Imperceptible
Honor 9X (2019)	~17,000	~2.5 seconds	Minimal

At one position per minute over 30 days (43,200 points), the total decryption time remains under 3 seconds even on older hardware. The encryption overhead for real-time position updates is measured in microseconds, making it effectively invisible to the user and to the battery consumption profile.

7. Threat Model and Security Scope

7.1 Threats Addressed

Threat Scenario	Protection	Outcome
Network interception (MITM)	HTTPS + payload encryption	GPS coordinates confidential
Server database breach	Zero-knowledge encryption	Only encrypted blobs exposed
Unauthorized team access	SHA-256 challenge system	Access denied without key
Cross-team data leakage	Independent keys per team	Cryptographic isolation
Device file system analysis	Hardware Keystore + encrypted keys	Key extraction prevented
Forensic data recovery	0xFF byte overwrite deletion	Data unrecoverable after delete
Google infrastructure surveillance	Zero Google dependencies	No data to Google servers

7.2 Explicitly Out of Scope

    Transparent Threat Model: XOPOZ is explicit about what it does and does not protect against. The following scenarios are accepted by design:
    Compromised authenticated device: If an attacker has full access to an unlocked, authenticated device, they can access decrypted data through the running application.
Malicious team member: A legitimate team member who holds the team key can decrypt all positions shared with that team.
Replay attacks by authenticated actors: Encrypted payloads do not include cryptographic authentication or replay protection. This is accepted because replay is only possible by already-authenticated actors and does not grant additional privileges.
Key compromise without rotation: There is no automatic key rotation. If a team key is compromised, the team must be recreated with a new key.

8. Comparison with Industry Approaches

Aspect	XOPOZ	Typical GPS Tracker
Server data model	Encrypted blobs only	Plaintext coordinates
Key management	Client-side, hardware-protected	Server-side or none
Encryption algorithm	AES-128 (GPS) + AES-128-CBC (messages)	HTTPS only (transport, not storage)
Google dependency	None	Play Services mandatory
Data monetization	Architecturally impossible	Common revenue stream
Breach impact	Zero usable location data	Full location history exposed

9. Conclusion

XOPOZ demonstrates that end-to-end GPS encryption is technically feasible, performant, and compatible with real-time team tracking requirements. The three-layer architecture provides defense-in-depth from hardware key protection through encrypted secondary keys to hardware-accelerated coordinate encryption. The zero-knowledge team key distribution protocol ensures that even the application's own infrastructure cannot access user location data.

For organizations operating in privacy-sensitive, security-critical, or regulatory-compliant environments, XOPOZ provides a GPS tracking solution where cryptographic guarantees replace trust assumptions. The server stores data it cannot read. The encryption performs at speeds invisible to the user. And the privacy controls give individuals granular authority over their own location information.

The architecture is designed to be auditable and transparent. We welcome independent security reviews from qualified cryptographers and security researchers.