Technology
Advanced Threat Detection
Advanced threat detection is a core component of Renati's security architecture, providing continuous, automated monitoring of sophisticated attack vectors across both system and hardware layers. It is structured in two tiers: a built-in automated monitoring engine and an optional enhanced telemetry mode for forensic visibility.
It operates within system_server, the first process forked by Zygote at boot under UID 1000. This places it above all application-layer processes, including system-signed and privileged applications. As a result, application-layer code cannot directly access or interfere with the execution environment in which security checks run. By executing at this level of the Android privilege stack, security attestation occurs before any application code is launched, eliminating any opportunity for user or system applications to suppress or tamper with detection logic.
Understanding the Privilege Hierarchy
At the base of the Android stack sits the Linux kernel. It is responsible for process scheduling, memory management, hardware drivers, and SELinux enforcement. Above the kernel, the Hardware Abstraction Layer operates in isolated processes under Android's Treble architecture. It forwards hardware events into the system services layer through the Android Runtime.
Zygote and system_server exist as core system processes. Zygote handles the task of forking application processes. Meanwhile, system_server is instantiated once at boot and persists as the central system services process. All application environments are forked from Zygote and sit above system_server in the stack, which places them below it in privilege. This includes system applications, privileged applications, and user-installed applications.
Platform-signed applications do not inherently run under android.uid.system. Instead, they operate under distinct UIDs unless they are explicitly assigned system-level privileges. This separation reinforces the fact that signing alone does not equate to system-level authority. It also highlights the importance of executing security logic within the protected system_server environment.
Standard Security Monitoring
While operating within system_server, Renati performs continuous automated security assessments with a vantage point that no application-layer tool can match. It maintains full visibility into the system state as events propagate upward from the kernel through the HAL and ART. Security monitoring includes several key functions:
- Detection of unauthorised or tampered packages
- Identification of cloaking applications and concealment techniques
- Monitoring for unauthorised root access and privilege escalation
- Verification of critical system binary integrity
- Assessment of device state including unlock status, developer mode, and ADB access
- Continuous verification of SELinux policy enforcement
Because these checks execute before application layer processes are fully engaged, they cannot be bypassed, disabled, or manipulated by anything operating at the application layer, including sophisticated exploits targeting privileged or system-signed processes.
Enhanced Telemetry and Remote Logging
For use cases demanding deeper forensic visibility, Renati offers an optional enhanced logging mode. When a user explicitly opts into this tier, the system provides high-level telemetry by exposing data typically restricted to low-level debugging interfaces like ADB. This telemetry includes:
- Network activity and anomalous connection behaviour
- System call monitoring and process-level telemetry
- Security event logs and policy violation records
- Radio and baseband layer logs
The inclusion of baseband telemetry is particularly important. Certain attack vectors operate below the operating system layer within radio firmware components. These activities are entirely invisible to conventional endpoint and security monitoring tools.
Enterprise, Government and Defence Origins
Enhanced telemetry and remote logging was originally architected for enterprise, government, and defence deployments, where integration with existing Security Information and Event Management (SIEM) infrastructure is a baseline operational requirement. In those environments, the telemetry produced by this module feeds directly into SOC workflows, enabling real-time correlation, triage, and incident response by trained security analysts. By providing access to radio logs and security event data, Renati enables analysis that goes far beyond typical compliance-focused monitoring.
Experimental Feature and Opt-In Availability
The enhanced telemetry and remote logging features are available as an experimental, opt-in feature. This design is intentional because enabling it exposes detailed system information. When enabled, data is transmitted securely for centralized analysis. Automated redaction is applied on the device side to reduce the risk of exposing sensitive information such as API keys or authentication tokens.
It is important to note that these enhanced capabilities are under active development, and this feature should be considered a supplement to broader security practices. The core threat detection capabilities of Renati operate independently and continue to provide robust security monitoring even without it. The optional feature is designed to enhance visibility where a higher level of threat analysis is required.
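A sketch of the kind of device-side redaction described above, run over log lines before they leave the device. This is an added example, not Renati's code: the page does not publish its redaction rules, so the patterns, the function names and the logcat-style sample lines are all assumptions constructed for illustration.

```python
import re

# Assumed rules for illustration; the page does not publish Renati's patterns.
KEYS = r"api[_-]?key|access[_-]?token|refresh[_-]?token|password|secret"
RULES = [
    # HTTP credentials: "Authorization: Bearer <token>" or "... Basic <blob>"
    (re.compile(r"(?i)\b(authorization\s*[:=]\s*(?:bearer|basic)\s+)[\w.~+/=-]+"),
     r"\1[REDACTED]"),
    # key=value and "key": "value" pairs with a credential-like key name
    (re.compile(r"(?i)\b((?:%s)[\"']?\s*[:=]\s*[\"']?)[^\s\"'&,;]+" % KEYS),
     r"\1[REDACTED]"),
    # Bare JWTs: three base64url segments, the first starting with "eyJ"
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"), "[REDACTED_JWT]"),
]

# Constructed logcat-style lines (no real credentials).
SAMPLE_LINES = [
    "D/OkHttp: Authorization: Bearer abc123.def-456",
    "I/Sync: GET https://api.example.test/v1/items?api_key=AKx93mZq&page=2",
    'W/Auth: {"access_token": "s3cr3tValue", "expires": 3600}',
    "E/Push: registration failed for eyJhbGciOi.eyJzdWIiOi.c2lnbmF0dXJl",
    "I/ActivityManager: Start proc 4121:com.example.notes/u0a133",
]


def redact(line):
    """Apply every rule to one log line; return (redacted_line, hits)."""
    hits = 0
    for pattern, replacement in RULES:
        line, n = pattern.subn(replacement, line)
        hits += n
    return line, hits


def redact_batch(lines):
    """Redact lines before upload and report how many lines were altered,
    so an unusually high or zero rate can be reviewed."""
    results = [redact(line) for line in lines]
    return [text for text, _ in results], sum(1 for _, hits in results if hits)
```

Pattern-based redaction only catches secrets whose shape or key name is anticipated, which is why the page frames it as reducing risk rather than removing it.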
USB Data Isolation
Unlike most smartphone operating systems, Renati is engineered to support charging-only USB connections. When connected to a computer, charging station, or other USB host, the device receives power but does not establish a USB data connection. As a result, files, photos, messages, contacts, and application data cannot be accessed through the USB port, significantly reducing the risk of unauthorized data transfer or device interaction.
Most Android devices expose one or more USB functions such as Media Transfer Protocol (MTP), Android Debug Bridge (ADB), tethering, or other communication interfaces. These functions require the device to identify itself to the connected host and exchange information during USB initialization. On standard Android devices, this enumeration begins during early boot, before security controls are fully active, momentarily exposing the device name, manufacturer, and interface descriptors to any connected host. Renati takes a fundamentally different approach by modifying Android's USB Gadget framework, AIDL-based USB service layer, and the native USB Hardware Abstraction Layer to prevent USB data functions from being enabled at any point in the boot process. Rather than relying on end-user settings, USB communication capabilities are restricted at the platform level from the earliest stages of initialization, ensuring that external systems cannot establish a data session with the device at any time.
This protection extends beyond normal device operation. USB data functionality remains disabled during startup, reboot, and early system initialization, preventing the device from exposing identifying information or communication interfaces before security controls are fully active. Because Renati never presents USB data functions to a connected host, external systems cannot enumerate the device, retrieve metadata such as the device name, interact with debugging interfaces, or attempt USB-based attacks through standard Android USB services. The result is a substantially reduced physical attack surface and stronger protection against malicious charging stations, unauthorized forensic tools, USB-borne malware, and other attacks that depend on USB data connectivity.
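An external approximation of the device-state items in the Standard Security Monitoring list (unlock status, ADB access, SELinux enforcement) together with the USB data isolation described above. It is an added example, not Renati's code, which runs inside system_server: it evaluates a captured `getprop` dump and `getenforce` result. The property names are standard Android ones, the sample dump is constructed, and it assumes a charging-only device lists no data function in `sys.usb.config`.

```python
import re

# Constructed `getprop` dump for illustration (not from a real device).
SAMPLE_GETPROP = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.debuggable]: [0]
[ro.secure]: [1]
[sys.usb.config]: [mtp,adb]
[init.svc.adbd]: [running]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
# USB gadget functions that open a data channel to the host.
USB_DATA_FUNCTIONS = {"mtp", "ptp", "adb", "rndis", "ncm", "midi", "accessory"}
# Acceptable values per property. "yellow" is a locked bootloader with a
# user-set root of trust, which is what a custom OS on a locked device reports.
EXPECTED = {
    "ro.boot.verifiedbootstate": {"green", "yellow"},
    "ro.boot.flash.locked": {"1"},
    "ro.debuggable": {"0"},   # not a userdebug/eng build
    "ro.secure": {"1"},       # adbd does not run as root
}


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, skipping malformed lines."""
    matches = (PROP_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def assess_device_state(props, getenforce_output):
    """Return sorted findings. A missing property is reported, not passed."""
    findings = []
    for key, allowed in EXPECTED.items():
        got = props.get(key, "<missing>")
        if got not in allowed:
            findings.append(f"{key}={got} (expected {'|'.join(sorted(allowed))})")
    usb = set(props.get("sys.usb.config", "").split(",")) & USB_DATA_FUNCTIONS
    if usb:
        findings.append("usb data functions enabled: " + ",".join(sorted(usb)))
    if props.get("init.svc.adbd") == "running":
        findings.append("adbd is running")
    mode = getenforce_output.strip() or "<empty>"
    if mode != "Enforcing":
        findings.append(f"selinux mode is {mode}")
    return sorted(findings)
```

Calling `assess_device_state(parse_getprop(SAMPLE_GETPROP), "Enforcing\n")` on the constructed dump reports the unlocked bootloader, the running adbd and the enabled `adb` and `mtp` functions.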
Accessibility Overlay Permission Restrictions
Android's accessibility and overlay permission system allows applications to draw content over other apps and monitor or intercept user input. While these capabilities serve legitimate purposes for assistive technologies, they are frequently exploited by malicious applications to conduct overlay attacks, credential theft, clickjacking, and UI redirection.
On standard Android devices, installed packages can request the SYSTEM_ALERT_WINDOW permission and accessibility service access, allowing them to render content above any application including banking apps, authentication screens, and system dialogs. This creates an opportunity for malicious or compromised applications to display fake UI elements over legitimate ones, silently capturing credentials or redirecting user actions.
Renati restricts these permissions for installed packages at the platform level. Applications cannot draw overlays over other apps or register accessibility services that monitor or interact with other applications without explicit authorization. This restriction applies to all installed packages regardless of their declared permissions, preventing both malicious applications and compromised legitimate applications from leveraging these capabilities.
The result is stronger protection against overlay-based attacks, credential harvesting through fake UI elements, and accessibility-based spyware that depends on the ability to monitor or interact with other running applications.
Renati Socket Service
The Renati Socket Service
Renati Package Service
The Renati Package Service
Renati Mobile Device Management
The Renati Device Management Service
In a security-focused operating system, device management must also be deeply embedded within the core. Some of the exploits available work by blocking communication between MDM agents and system processes. Our system-level integration eliminates vulnerabilities that often compromise traditional MDM agents, ensuring tamper-resistant administration. Renati allows administrators to securely perform critical functions like factory resets, application management and policy enforcement. With a security-first architecture, embedding device management within System Server ensures that security remains a fundamental part of the operating system at every level.
Privacy-Focused Device Management
Many traditional MDM solutions overstep their intended purpose, collecting excessive data such as IMEI numbers and real-time tracking information, and retaining the ability to reset a device's password to gain access. RDM ensures that only essential management functions are accessible to administrators.
- UUID-Based Identification: Unlike standard MDMs that rely on IMEI tracking, Renati assigns each device a unique, randomly generated UUID for identification and management.
- Minimal Data Collection: The management system only provides necessary administrative functions without unnecessary tracking or interference.
Administrator Capabilities
Renati’s management system allows organization administrators to perform only the essential functions required for device administration, ensuring both security and privacy.
These include:
- Factory Reset – Securely wipes the device, with the option to delete eSIMs.
- Check Installed Applications – Retrieves a list of installed apps to verify compliance.
- Refresh and Apply Device Policies – Updates the device with predefined organizational policies.
- Assign Groups & Access Mask Applications – Manages device applications based on group membership and update channel.
- Change Update Channels – Configures the device’s OTA update settings to allow for alternative update channels.
- Enable/Disable Roaming – Grants administrators control over cellular roaming functionality.
Renati’s system-integrated device management approach provides a secure alternative to traditional MDM solutions. By embedding management within System Server, it prevents common exploits that compromise administrative control, ensuring devices remain secure, manageable, and resistant to unauthorized tampering. With a focus on minimal data collection, UUID-based identification, and core security integration, Renati redefines how device management should function in a security-first operating system.