User Guide

Chameleon User Manual

Version 0.1.0-alpha · Chameleon — StealthX Platform · May 2026

Overview

What Is Chameleon?

Chameleon is a context-aware privacy layer for Android. It does not replace your existing apps — it runs silently on top of them. Using Android’s Accessibility Service, Chameleon intercepts text as you type in any whitelisted app (WhatsApp, Telegram, Signal, Gmail, and others), encrypts it in real time using XChaCha20-Poly1305, and reinjects the ciphertext. Your recipient sees encrypted text. No one between you and them — not the app, not the platform, not your carrier — can read it.

Beyond message encryption, Chameleon provides a context-aware rule engine that automatically adjusts your security level based on location, active app, WiFi network, time of day, or connected Bluetooth device. It also includes a Private Zone (encrypted file vault), a Decoy Profile system, and Geofencing.

How Chameleon Works

Overlay Encryption — The Accessibility Service detects text input in whitelisted apps. It passes content to an isolated crypto process (separated via AIDL), receives back the ciphertext, and injects it into the text field. You hit send. The recipient sees the encrypted string.
Decryption — The recipient’s Chameleon instance recognizes the ciphertext format and decrypts it transparently on display.
Rule Engine — Rules associate a trigger (location, app, WiFi, time, Bluetooth) with a security level. Chameleon evaluates all active rules and applies the highest matching level. Fail-secure: the highest level always wins.
Process Isolation — The Accessibility Service contains no cryptographic code. All encryption and key management happen in an isolated :crypto process. Even if the Accessibility Service were compromised, your keys remain protected.

Tier Overview

Chameleon uses IFR token locking for permanent tier access. No subscriptions.

Feature	Free	Pro ≥2,000 IFR	Elite ≥6,000 IFR
Overlay encryption	Yes	Yes	Yes
Whitelisted apps	Yes	Yes	Yes
Manual geofencing	3 zones max	Unlimited	Unlimited
Private Zone	100 MB cap	Unlimited	Unlimited
Automation rules	No	Yes	Yes
Automatic geofencing triggers	No	Yes	Yes
Decoy profile	No	No	Yes
Advanced threat detection	No	No	Yes
Zero telemetry mode	No	No	Yes

First-Time Setup

Step 1 — Enable the Accessibility Service

Chameleon’s overlay encryption requires the Android Accessibility Service. Without it, the app can display its dashboard but cannot intercept or encrypt any text.

Open Android Settings
Go to Accessibility
Find Chameleon in the list of installed services
Tap it and toggle Use service on
Confirm the system warning dialog

Important: The Accessibility Service must remain enabled for overlay encryption to function. Android may disable it after certain system updates or security policy changes — check back in Accessibility Settings if encryption stops working.

Step 2 — Enable the Overlay

Open Chameleon → Settings → Overlay Encryption. Toggle Overlay Active on. Enable the apps you want Chameleon to monitor. WhatsApp, Telegram, Signal, Discord, and Gmail are pre-configured.

Step 3 — Set Your Security Level

The Dashboard shows your current security level. Tap the level indicator to change it manually. To have Chameleon change it automatically based on context, configure the Rule Engine (Pro tier).

Step 4 — Unlock Features (Optional)

If you hold IFR tokens and want Pro or Elite features, open Settings → IFR Token and connect your Ethereum wallet.

Dashboard

Dashboard Overview

The Dashboard is the home screen. It shows:

Current security level — color-coded icon and label
Tier badge — top right (FREE, PRO, or ELITE)
Active Rules — a live list of automation rules currently matching your context
Quick action buttons — Overlay, Messenger, Keys

Security Levels

The Four Security Levels

Level	Color	Description
Public ●	Green	No encryption. Use only in fully trusted, private environments.
Protected ●	Yellow	Standard encryption. The default level.
Private ●	Orange	High encryption with stricter key parameters.
Camouflage ●	Red	Maximum protection. All security features active. Stealth mode.

When multiple rules match simultaneously, the highest security level always wins. Chameleon never downgrades security automatically.

Settings — IFR Token

IFR Token Unlock

The top of Settings shows your current tier and an Upgrade button. Tap it to open the IFR Unlock screen.

Tier Status Card

Shows: current tier badge, locked IFR amount, wallet address, and cache expiry (30-day window).

Connect Wallet (WalletConnect)

Tap Connect Wallet. Chameleon launches your installed Ethereum wallet app (MetaMask, Trust Wallet, etc.). Your wallet signs a challenge proving ownership of the address. Chameleon then queries the IFR contract on Ethereum Mainnet directly via public RPC endpoints — no account or API key required.

IFR Locked	Tier	Expiry
≥ 6,000 IFR	Elite	Never expires
≥ 2,000 IFR	Pro	Never expires
< 2,000 IFR	Free	Balance shown, no unlock

Manual Address Entry

Paste your Ethereum address (0x format). Chameleon verifies the locked balance on-chain. Manual verifications expire after 30 days and re-verify every 24 hours. If re-verification fails (offline), the cached tier is kept until expiry.

The verification result is stored in an encrypted local database protected by an HMAC-SHA256 tag computed with a hardware-backed key from Android Keystore. Any tampering with the cache causes the tier to revert to Free.

Settings — Overlay Encryption

Overlay Encryption

Controls the core text encryption feature. Access via Settings → Overlay Encryption.

Overlay Active

Master toggle for the entire overlay system. When off, Chameleon does not intercept any text in any app. Default: On.

Whitelisted Apps

Pre-configured apps (each with an on/off toggle):

WhatsApp
Telegram
Signal
Discord
Gmail

Toggle any app on to enable text interception in that app.

Custom Apps

To add any other app, enter its package name in the input field (e.g. com.custom.messenger) and tap Add. The package name must contain at least one dot. All added apps appear in the list with their own toggle.

How to find a package name: In Android Settings → Apps, find the app and look at its entry. You can also find package names in the Google Play Store URL for that app.

Security Properties of the Overlay

FLAG_SECURE applied to the overlay window — cannot be screenshotted independently
FLAG_NOT_FOCUSABLE — overlay never steals keyboard focus from the underlying app
Never drawn on the lock screen

Settings — Private Zone

Private Zone

An encrypted file vault stored locally on your device. Files are encrypted with XChaCha20-Poly1305. File names on disk are SHA-256 hashed — the original names are never written to storage in plaintext. The vault key is generated randomly on first use and stored in encrypted SharedPreferences (AES-256-GCM). It is never uploaded or backed up. Access via Settings → Private Zone.

File Count & List

The top of the screen shows the total number of encrypted files. Below is a scrollable list of all stored files, each labeled “Encrypted vault item”.

Import File

Opens the system file picker. Select any file type. The file is encrypted and stored in the vault. The original file is not deleted from its source — delete it manually after import if needed.

Secure Photo

Opens the camera. Take a photo. It is immediately compressed to JPEG (92% quality) and stored encrypted as photo_TIMESTAMP.jpg. The photo is never saved to your gallery or camera roll.

Storage Limits

Tier	Storage Limit
Free	100 MB total. An error is shown if you exceed the limit.
Pro & Elite	Unlimited

Settings — Geofencing

Geofencing

Define geographic zones. When you are physically inside a zone, the Rule Engine can use it as a trigger to automatically change your security level (Pro and Elite). Free tier: up to 3 zones. Pro / Elite: unlimited zones. Access via Settings → Geofencing.

Granting Location Permissions

Before adding zones, Chameleon needs location access:

Tap Allow Location — grants ACCESS_FINE_LOCATION at runtime.
On Android 10+: Tap Allow Background Location.
- Android 11+: You are redirected to Android Settings. Choose “Allow all the time” for Chameleon.
- Android 10: The permission is requested directly.

Background location is required for geofencing to trigger when Chameleon is not in the foreground. On some devices (Samsung, Huawei, Xiaomi), additional battery optimization settings must also be disabled.

Adding a Zone

Fill in all four fields and tap Add Geofence Zone:

Zone name — a label (e.g. “Office”, “Airport”)
Latitude — between -90.0 and 90.0
Longitude — between -180.0 and 180.0
Radius (meters) — minimum 100 m (enforced by Android’s geofencing API)

GPS accuracy tip: Typical GPS drift is ±5–10 meters. For office buildings or enclosed spaces, set a radius of at least 150–200 m to avoid false exits/entries.

Each zone appears as a card showing name, coordinates, and radius. Zones are active immediately after creation.

Settings — Rule Engine

Rule Engine Pro & Elite

Define context-aware rules that automatically set your security level. This setting is locked on Free tier. Tap Unlock to open the IFR unlock flow.

Rule Trigger Types

Trigger	How It Works	Example
App	Activates when a specific app is in the foreground	Telegram open → Private
WiFi	Activates when connected to a specific SSID	“Airport_Free” SSID → Camouflage
Location	Activates when inside a named geofence zone	“Work” zone → Protected
Time	Activates during a defined time window	Weekdays 09:00–17:00 → Protected
Bluetooth	Activates when a specific BT device is connected	Car BT → Protected

Conflict Resolution

If multiple rules match at the same time, Chameleon always applies the highest security level. It never downgrades. If no rules match, the default is Protected.

Example: “Work WiFi → Protected” and “Evening hours → Private” both active = result is Private.

Dashboard Display

Active rules are listed on the Dashboard under “Active Rules”, showing each rule’s name, trigger type, and resulting security level.

Settings — Decoy Profile

Decoy Profile Elite only

The Decoy Profile creates a second, empty identity accessible via a wrong PIN. If someone forces you to unlock the device, you enter the decoy PIN and they see a clean, empty app with no messages, no files, and no zones configured. Access via Settings → Decoy Profile.

This setting is locked on Free and Pro tiers. Unlock Elite via IFR token locking to access it.

Setup

Enter Real PIN — 4–12 digits. This unlocks your actual data.
Enter Decoy PIN — 4–12 digits. Must not match the Real PIN.
Enter Confirm Decoy PIN — re-enter the decoy PIN.
Tap Save Decoy Profile.

Status changes to “Status: Enabled” (shown in green).

How It Works on Launch

When Decoy is enabled, Chameleon shows a PIN unlock screen on every app launch.

Enter the Real PIN → actual profile loads (all data accessible)
Enter the Decoy PIN → decoy mode loads (empty: no messages, no files, no zones)
While in decoy mode, tap Lock to return to the PIN screen

Disabling

Return to Settings → Decoy Profile → tap Disable Decoy Profile.

PIN Storage

Both PINs are hashed with Argon2id (64 MB memory cost, 3 iterations) with a unique random salt per PIN. The hashes and salts are stored in encrypted SharedPreferences. The raw PINs are never stored anywhere.

There is no PIN recovery. If you forget your Real PIN after enabling Decoy, you will be locked into the decoy profile. Reinstalling the app is the only option, which destroys all data.

Permissions

Permissions Reference

Permission	Purpose	How It Is Granted
Accessibility Service	Text interception for overlay encryption	Manually in Android Settings → Accessibility
System Alert Window	Overlay display over other apps	Checked at overlay activation
Camera	QR code scanning for key exchange	Runtime, on first use
Fine Location	Geofencing zone detection	Runtime, when adding first zone
Background Location	Geofencing while app is in background	Runtime, after fine location granted
Foreground Service	Location tracking worker for geofencing	Declared, no user prompt
Biometric	Optional PIN/face/fingerprint auth	Declared, used if configured
Vibrate	Security alert haptics	Declared, no user prompt
Boot Completed	Auto-restart rule engine after reboot	Declared, no user prompt
NFC	Key exchange via NFC (future)	Runtime, future feature

Chameleon has no internet permission. IFR verification is performed by your external wallet app. Chameleon communicates with the wallet via Android Intents, not direct network calls.

Troubleshooting

Common Issues

Overlay is not encrypting text — Check that the Accessibility Service is still enabled: Android Settings → Accessibility → Chameleon → Use service: On. Verify the target app is in your whitelist and Overlay Active is on.
Geofencing not triggering — Ensure background location is set to “Allow all the time”: Android Settings → Apps → Chameleon → Permissions → Location. On Samsung/Huawei/Xiaomi, also disable battery optimization for Chameleon.
Decoy PIN screen not appearing — Decoy must be enabled and saved. Open Settings → Decoy Profile and confirm the status shows “Status: Enabled” (green). Force-close the app (not just minimize) and reopen.
Files missing from Private Zone — Files imported into the vault exist only in the encrypted vault directory. They do not appear in your gallery, file manager, or any other app.
Tier shows Free after IFR verification — Ensure your tokens are locked in the IFR contract, not just held in your wallet. Visit ifrunit.tech to lock tokens. Then return to Settings → IFR Token and verify again.
App crashes on new device after reinstall — If Decoy Profile was enabled on the previous installation, the hashed PINs are gone with the old install. The app will open normally (no PIN screen). Reconfigure Decoy if needed.