
Technology

Advanced Threat Detection

Advanced threat detection is a core component of Renati's security architecture, providing continuous, automated monitoring of sophisticated attack vectors across both system and hardware layers. It is structured in two tiers: a built-in automated monitoring engine and an optional enhanced telemetry mode for forensic visibility.

It operates within system_server, the first process forked by Zygote at boot under UID 1000. This places it above all application-layer processes, including system-signed and privileged applications. As a result, application-layer code cannot directly access or interfere with the execution environment in which security checks run. By executing at this level of the Android privilege stack, security attestation occurs before any application code is launched, eliminating any opportunity for user or system applications to suppress or tamper with detection logic.

Understanding the Privilege Hierarchy

At the base of the Android stack sits the Linux kernel. It is responsible for process scheduling, memory management, hardware drivers, and SELinux enforcement. Above the kernel, the Hardware Abstraction Layer operates in isolated processes under Android's Treble architecture. It forwards hardware events into the system services layer through the Android Runtime.

Zygote and system_server exist as core system processes. Zygote handles the task of forking application processes. Meanwhile, system_server is instantiated once at boot and persists as the central system services process. All application environments are forked from Zygote and execute above system_server in the privilege hierarchy. This includes system applications, privileged applications, and user-installed applications.

Platform-signed applications do not inherently run under android.uid.system. Instead, they operate under distinct UIDs unless they are explicitly assigned system-level privileges. This separation reinforces the fact that signing alone does not equate to system-level authority. It also highlights the importance of executing security logic within the protected system_server environment.

Standard Security Monitoring

While operating within system_server, Renati performs continuous automated security assessments with a vantage point that no application-layer tool can match. It maintains full visibility into the system state as events propagate upward from the kernel through the HAL and ART. Security monitoring includes several key functions:

  • Detection of unauthorised or tampered packages
  • Identification of cloaking applications and concealment techniques
  • Monitoring for unauthorised root access and privilege escalation
  • Verification of critical system binary integrity
  • Assessment of device state including unlock status, developer mode, and ADB access
  • Continuous verification of SELinux policy enforcement

Because these checks execute before application layer processes are fully engaged, they cannot be bypassed, disabled, or manipulated by anything operating at the application layer, including sophisticated exploits targeting privileged or system-signed processes.

Enhanced Telemetry and Remote Logging

Optional

For use cases demanding deeper forensic visibility, Renati offers an optional enhanced logging mode. When a user explicitly opts into this tier, the system provides high-level telemetry, exposing data typically restricted to low-level debugging interfaces like ADB. This telemetry includes:

  • Network activity and anomalous connection behaviour
  • System call monitoring and process-level telemetry
  • Security event logs and policy violation records
  • Radio and baseband layer logs

The inclusion of baseband telemetry is particularly important. Certain attack vectors operate below the operating system layer within radio firmware components. These activities are entirely invisible to conventional endpoint and security monitoring tools.

Enterprise, Government and Defence Origins

Enhanced telemetry and remote logging was originally architected for enterprise, government, and defence deployments, where integration with existing Security Information and Event Management (SIEM) infrastructure is a baseline operational requirement. In those environments, the telemetry produced by this module feeds directly into SOC workflows, enabling real-time correlation, triage, and incident response by trained security analysts. By providing access to radio logs and security event data, Renati enables analysis that goes far beyond typical compliance-focused monitoring.

Experimental Feature and Opt-In Availability

The enhanced telemetry and remote logging features are available as an experimental, opt-in feature. This design is intentional because enabling it exposes detailed system information. When enabled, data is transmitted securely for centralized analysis. Automated redaction is applied on the device side to reduce the risk of exposing sensitive information such as API keys or authentication tokens.
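The device-side redaction step described above, shown as an added example (this is not Renati's code): a filter that scrubs API keys and authentication tokens from log lines before they leave the device. The rule set, the `redact` and `redact_batch` names, and the sample log lines are assumptions constructed for illustration.

```python
import re

# Sensitive key names to look for in key/value pairs (constructed list).
_KEYS = (r"(?:api[_-]?key|access[_-]?token|refresh[_-]?token|"
         r"auth[_-]?token|token|secret|password)")

# Order matters: headers first, then key/value pairs, then bare JWT shapes.
_RULES = [
    # Authorization headers: keep the scheme, drop the credential.
    (re.compile(r"\b(authorization\s*[:=]\s*(?:bearer|basic)\s+)"
                r"[A-Za-z0-9._~+/=-]+", re.IGNORECASE), r"\1[REDACTED]"),
    # key=value, key: value and "key": "value" with a sensitive key name.
    (re.compile(r"(\b" + _KEYS + r"\b[\"']?\s*[:=]\s*[\"']?)[^\s\"'&,;]+",
                re.IGNORECASE), r"\1[REDACTED]"),
    # Bare JWT-shaped strings: three base64url segments, header begins eyJ.
    (re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}"
                r"\.[A-Za-z0-9_-]{5,}\b"), "[REDACTED_JWT]"),
]


def redact(line):
    """Return (redacted_line, substitutions_made) for one log line."""
    total = 0
    for pattern, replacement in _RULES:
        line, count = pattern.subn(replacement, line)
        total += count
    return line, total


def redact_batch(lines):
    """Redact every line; return the clean lines and the total hit count."""
    results = [redact(line) for line in lines]
    return [text for text, _ in results], sum(n for _, n in results)


# Constructed sample log lines, not captured from any real device.
SAMPLE_LOGS = [
    "GET /v1/sync?api_key=sk_test_123&user=7",
    "http: Authorization: Bearer abc.def-ghi sent to upstream",
    '{"refresh_token": "r1-abcdef", "uid": 1000}',
    "session eyJhbGciOi.eyJzdWIiOi.c2lnbmF0dXJl established",
    'avc: denied { read } for pid=812 comm="app"',
]

if __name__ == "__main__":
    cleaned, hits = redact_batch(SAMPLE_LOGS)
    print("\n".join(cleaned))
    print("substitutions:", hits)
```

Pattern-based redaction only catches secrets that match a known shape, which is why the page describes it as reducing, not eliminating, the risk of exposure.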

It is important to note that these enhanced capabilities are under active development, and this feature should be considered a supplement to broader security practices. The core threat detection capabilities of Renati operate independently and continue to provide robust security monitoring even without it. The optional feature is designed to enhance visibility where a higher level of threat analysis is required.

Renati Socket Service

The Renati Socket Service (RSS), also known as our Secure Socket Tunnel, provides real-time, low-latency, high-performance bi-directional communication with our infrastructure. It was initially developed to optimize battery life and streamline device management through our built-in mobile device management service. RSS facilitates secure authentication between the client and server, offering protection on both public and untrusted networks. This ensures secure provisioning and safeguards against data leaks, making RSS essential for communication security. We are currently working to extend the API, enabling our applications to integrate with RSS for Single Sign-On with ChatMail, consolidating all communications through a single, secure tunnel.

Renati Package Service

The Renati Package Service (RPS) securely delivers applications to our device, ensuring the integrity and safety of every installation. By leveraging advanced techniques such as hashing, signature checks, and Brotli compression, the service guarantees that only authentic, unaltered applications are installed. Hashing and signature checks verify the authenticity of the package, preventing tampering or malicious modifications. Meanwhile, Brotli compression optimizes the delivery of applications, reducing file sizes and enhancing download efficiency without compromising security. This robust approach ensures that every app installed on the device is both secure and reliable.

Renati Mobile Device Management

The Renati Device Management Service (RMS) is a dedicated service integrated directly into System Server, the first process forked by Zygote and the core of Android’s operation. Traditional Mobile Device Management (MDM) solutions, by contrast, run as a standalone application and can be disabled or manipulated by advanced exploits.

In a security-focused operating system, device management must also be deeply embedded within the core. Some of the exploits available work by blocking communication between MDM agents and system processes. Our system-level integration eliminates vulnerabilities that often compromise traditional MDM agents, ensuring tamper-resistant administration. Renati allows administrators to securely perform critical functions like factory resets, application management and policy enforcement. With a security-first architecture, embedding device management within System Server ensures that security remains a fundamental part of the operating system at every level.

Privacy-Focused Device Management

Many traditional MDM solutions overstep their intended purpose, collecting excessive data such as IMEI numbers and real-time tracking information, and holding the ability to reset a device's password to gain access. RDM ensures that only essential management functions are accessible to administrators.

  • UUID-Based Identification: Unlike standard MDMs that rely on IMEI tracking, Renati assigns each device a unique, randomly generated UUID for identification and management.
  • Minimal Data Collection: The management system only provides necessary administrative functions without unnecessary tracking or interference.

Administrator Capabilities

Renati’s management system allows organization administrators to perform only the essential functions required for device administration, ensuring both security and privacy.

These include:

  • Factory Reset – Securely wipes the device, with the option to delete eSIMs.
  • Check Installed Applications – Retrieves a list of installed apps to verify compliance.
  • Refresh and Apply Device Policies – Update the device with predefined organizational policies.
  • Assign Groups & Access Mask Applications – Manages device applications based on group membership and update channel.
  • Change Update Channels – Configures the device’s OTA update settings to allow for alternative update channels.
  • Enable/Disable Roaming – Grants administrators control over cellular roaming functionality.

Renati’s system-integrated device management approach provides a secure alternative to traditional MDM solutions. By embedding management within System Server, it prevents common exploits that compromise administrative control, ensuring devices remain secure, manageable, and resistant to unauthorized tampering. With a focus on minimal data collection, UUID-based identification, and core security integration, Renati redefines how device management should function in a security-first operating system.
