An open-source Android camera that embeds cryptographic proof of authenticity at the moment of capture. ECDSA P-256 signed. SHA-256 hashed. 14 physical sensors fingerprinted.
C2PA-inspired content provenance for the 3 billion Android devices that flagship-only solutions ignore.
Six steps. One shutter press. Zero servers.
Take a photo with TrueShot, or enable Auto Mode to seal photos from any camera app automatically.
Accelerometer, gyroscope, magnetometer, barometer, light, proximity, gravity, rotation vectors, step counter — all sampled at the exact instant of the shutter.
Cryptographic hash computed on JPEG bytes up to the end-of-image marker. Change one pixel, the hash breaks.
Sensor data, EXIF metadata, device identity, screen risk score, and correlation hash — all packed into a JSON manifest.
Private key in Android Keystore (StrongBox/TEE) signs the manifest. Key is hardware-bound and non-extractable.
Signed manifest appended after JPEG EOI marker. Standard image viewers display the photo normally. Anyone can verify.
Every photo captures a physical snapshot of the device's environment at the exact moment of the shutter. 14 simultaneous sensor readings create a fingerprint that's extremely difficult to forge coherently.
Photographing a screen showing a deepfake is an attack that no existing provenance system addresses. TrueShot introduces a sensor-based approach: cross-correlating physical sensor readings at capture time to detect anomalies consistent with screen photography.
Six signals — proximity, light/ISO mismatch, magnetometer anomaly, gyroscope stability, dark room without flash, step counter — are combined into a risk score from 0 to 100. This works regardless of screen technology (LCD, OLED, MicroLED) because it relies on physics, not pixels.
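The scoring idea above, as an added example rather than TrueShot's own code: each of the six named signals contributes a weight when its threshold is crossed, and the weights sum to the 0 to 100 score. The field names, thresholds and weights are assumptions for illustration; the project's real values are not given on this page.

```javascript
// Added example (not TrueShot's own code): a screen-photography risk score built from
// the six signals the page names, evaluated over constructed sensor samples.
// Weights and thresholds are assumptions chosen to sum to 100.
const SCREEN_SIGNALS = [
  { name: 'proximity_near',       weight: 15, hit: s => s.proximity_cm < 5 },                // object right in front of the phone
  { name: 'light_iso_mismatch',   weight: 20, hit: s => s.ambient_lux < 50 && s.iso < 200 }, // dark room, yet the camera saw a bright subject
  { name: 'magnetometer_anomaly', weight: 15, hit: s => { const m = Math.hypot(...s.mag_ut); return m < 20 || m > 70; } }, // outside Earth-field magnitude
  { name: 'gyroscope_too_stable', weight: 15, hit: s => Math.hypot(...s.gyro_rads) < 0.005 }, // no hand tremor at all
  { name: 'dark_room_no_flash',   weight: 20, hit: s => s.ambient_lux < 10 && !s.flash_fired },
  { name: 'no_steps_since_last',  weight: 15, hit: s => s.steps_since_previous_capture === 0 },
];

// Returns the clamped score plus the names of the signals that fired, so a verifier
// can show why a photo was flagged rather than only a number.
function screenRiskScore(sample) {
  const hits = SCREEN_SIGNALS.filter(sig => sig.hit(sample));
  const score = Math.min(100, hits.reduce((sum, sig) => sum + sig.weight, 0));
  return { score, flags: hits.map(sig => sig.name) };
}

// Constructed samples (not real device captures).
const OUTDOOR_SHOT = { proximity_cm: 100, ambient_lux: 8000, iso: 100, mag_ut: [20, 5, -40], gyro_rads: [0.02, -0.01, 0.03], flash_fired: false, steps_since_previous_capture: 120 };
const SCREEN_SHOT  = { proximity_cm: 3, ambient_lux: 5, iso: 100, mag_ut: [80, 10, 30], gyro_rads: [0.001, 0, 0.002], flash_fired: false, steps_since_previous_capture: 0 };
const DIM_INDOOR   = { proximity_cm: 100, ambient_lux: 30, iso: 800, mag_ut: [25, 0, -40], gyro_rads: [0.05, 0.02, 0.01], flash_fired: false, steps_since_previous_capture: 0 };
```

The score is a heuristic and belongs next to the cryptographic checks, not in place of them: a sealed photo with a high score is still authentically captured, it is just more likely to be a capture of a display.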
Multiple photos from different devices can be verified as mutually consistent — without any communication between devices.
Drop two or more photos on the web verifier. The JavaScript compares barometric pressure (within 2 hPa), timestamps (within 5 minutes), GPS (within ~100 m), and a correlation hash. Three photos from three independent devices with physically coherent sensors are practically impossible to fabricate.
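The cross-photo comparison described above, as an added example that is not the web verifier's own code. It applies the page's limits (2 hPa, 5 minutes, ~100 m) pairwise across any number of manifests; the manifest field names are assumptions, and the correlation hash is treated as an opaque value that must be identical across the set.

```javascript
// Added example (not TrueShot's own code): mutual-consistency checks over constructed
// manifests. Field names are assumptions; limits are the ones stated on the page.
const EARTH_RADIUS_M = 6371000;
const LIMITS = { pressureHpa: 2, timeMs: 5 * 60 * 1000, gpsMeters: 100 };

// Great-circle distance between two {lat, lon} points in degrees.
function haversineMeters(a, b) {
  const toRad = d => d * Math.PI / 180;
  const dLat = toRad(b.lat - a.lat), dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 + Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(h));
}

// Largest value of f over all pairs (0 when there is nothing to compare).
function maxPairwise(items, f) {
  let max = 0;
  for (let i = 0; i < items.length; i++)
    for (let j = i + 1; j < items.length; j++) max = Math.max(max, f(items[i], items[j]));
  return max;
}

function checkMutualConsistency(manifests) {
  const p = maxPairwise(manifests, (a, b) => Math.abs(a.pressure_hpa - b.pressure_hpa));
  const t = maxPairwise(manifests, (a, b) => Math.abs(Date.parse(a.captured_at) - Date.parse(b.captured_at)));
  const g = maxPairwise(manifests, (a, b) => haversineMeters(a.gps, b.gps));
  const sameCorrelation = manifests.every(m => m.correlation_hash === manifests[0].correlation_hash);
  const checks = {
    pressure:    { ok: p <= LIMITS.pressureHpa, maxDiffHpa: p },
    time:        { ok: t <= LIMITS.timeMs, maxDiffMs: t },
    gps:         { ok: g <= LIMITS.gpsMeters, maxDistanceM: g },
    correlation: { ok: sameCorrelation },
  };
  return { consistent: Object.values(checks).every(c => c.ok), checks };
}

// Constructed manifests: A and B were taken side by side; C is elsewhere, later, and lower-pressure.
const PHOTO_A = { pressure_hpa: 1013.2, captured_at: '2024-05-01T12:00:00Z', gps: { lat: 48.8584, lon: 2.2945 }, correlation_hash: 'corr-1' };
const PHOTO_B = { pressure_hpa: 1014.1, captured_at: '2024-05-01T12:02:30Z', gps: { lat: 48.8588, lon: 2.2950 }, correlation_hash: 'corr-1' };
const PHOTO_C = { pressure_hpa: 1018.0, captured_at: '2024-05-01T12:12:00Z', gps: { lat: 48.8700, lon: 2.2945 }, correlation_hash: 'corr-2' };
```

Each check reports its worst pairwise value alongside the pass/fail flag, so a verifier can show a reader that two photos disagree by 4.8 hPa rather than just saying "inconsistent". Consistency of this kind is only meaningful after each photo's own signature and hash have verified; it is a check on the sealed sensor data, not a substitute for the seal.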
Every photo is checked against 8 independent criteria: manifest presence, manifest validity, SHA-256 hash, ECDSA signature, key attestation, timestamp consistency, sensor plausibility, and screen capture detection.
Enable once, forget about it. TrueShot runs a background service that detects new photos from any camera app and creates a sealed copy with the full manifest. No workflow changes needed.
Drag and drop one or more TrueShot photos. ECDSA signature verification and SHA-256 hash recalculation run entirely in your browser via WebCrypto API. Your photos never leave your device.
Open Verifier
SHA-256 — Any modification to the image bytes, even a single pixel, produces a completely different hash.
ECDSA P-256 — Without the device's private key, forging a valid signature is computationally infeasible.
Android Keystore — Private key stored in TEE or StrongBox hardware. Non-exportable by design.
signedPayload — Each manifest binds to its specific image hash. Copying a manifest to another photo fails verification.
TrueShot provides tamper-evident cryptographic proof of capture. It does not guarantee content truthfulness, detect deepfakes, or constitute legal evidence.
14 Gradle modules. ~5,700 lines of Kotlin. Zero C++. Zero ML models. MIT License.
Every line of code is auditable. Every cryptographic operation is standard. Every privacy claim is verifiable.
View Source on GitHub