How It Works

A detailed look at Kekkai's architecture and data flow.

The Kekkai Pipeline

Seven stages from sensor data to enforcement, all happening on your device.

Step 1

Sensors

Collect metadata about network flows, permissions, and app behaviors

  • Network connection metadata
  • Permission usage events
  • Background activity patterns
  • Installation sources

Step 2

Feature Extraction

Process raw metadata into bucketed features

  • Request frequency buckets
  • Domain categorization
  • Permission combinations
  • Time-of-day patterns

Step 3

Baseline Store

Local database of normal behavior per app

  • Historical patterns
  • Statistical norms
  • Version tracking
  • User-approved changes

Step 4

Risk Scoring

Compare current behavior against baseline

  • Drift magnitude calculation
  • Anomaly significance scoring
  • Context-aware weighting
  • Confidence intervals

Step 5

Policy Engine

Decide what action to take based on mode and score

  • Monitor: Log only
  • Protect: Contain on drift
  • Redline: Contain by default
  • Per-app overrides

Step 6

VPN Enforcement

Block network access for contained apps

  • Local VPN service
  • Per-app routing rules
  • Kill switch protection
  • Conflict resolution

Step 7

Incident Explanation

Show user exactly what changed

  • Before/after comparison
  • Specific metrics that drifted
  • Timeline of changes
  • Approve or block controls

Important Clarifications

What Kekkai does and doesn't do under the hood.

No TLS Interception

Kekkai never performs man-in-the-middle attacks. We only see metadata like destination IPs and request frequency, never decrypted content.

Metadata-Only

No message content, no browsing history, no keystrokes. Just behavioral patterns and network metadata.

Local Storage by Default

All baselines and incident logs are stored on your device. Optional cloud backup requires explicit consent.

Android Limitations

We cannot kill apps or read their memory. VPN containment blocks network access, but contained apps remain running. No root required.

Under the Hood

Technical implementation details for the curious.

VPN Service

Kekkai uses Android's VpnService API to create a local VPN tunnel. All network traffic routes through this VPN, allowing per-app filtering without root access.

The VPN runs entirely on-device. No remote servers involved. We can block specific apps while allowing others through, and we maintain a kill switch to prevent leaks if the VPN service crashes.

Baseline Learning

Baselines are built using a sliding window approach. We track metrics over 7, 14, and 30-day periods, calculating means, standard deviations, and percentiles.

New app installations start with a learning period where no enforcement happens. After sufficient data is collected, we begin comparing against the baseline.
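A sketch of the baseline, risk-scoring and policy stages described above, added here as an illustration and not Kekkai's own code. The z-score metric, the thresholds, the learning-period length and all function names are assumptions; only the 7/14/30-day windows, the learning period with no enforcement, and the three mode names come from the page.

```python
from statistics import mean, pstdev, quantiles

WINDOWS = (7, 14, 30)      # sliding windows in days, as stated on the page
MIN_LEARNING_DAYS = 7      # assumed: the page does not say how long learning lasts
DRIFT_Z = 3.0              # assumed drift threshold, in standard deviations
STD_FLOOR = 1.0            # assumed floor so a perfectly flat baseline cannot divide by zero


def baseline(history, window):
    """Mean, standard deviation and 95th percentile of the last `window` daily values."""
    recent = history[-window:]
    p95 = quantiles(recent, n=20, method="inclusive")[-1]
    return {"window": window, "mean": mean(recent), "std": pstdev(recent), "p95": p95}


def drift_score(history, today):
    """Return (z, baseline) for the window where today deviates most, or None while learning."""
    if len(history) < MIN_LEARNING_DAYS:
        return None
    best = None
    for window in WINDOWS:
        if len(history) < window:
            continue  # not enough data for this window yet
        b = baseline(history, window)
        z = abs(today - b["mean"]) / max(b["std"], STD_FLOOR)
        if best is None or z > best[0]:
            best = (z, b)
    return best


def decide(mode, scored, approved=False):
    """Map mode and score to an action; `approved` stands in for a per-app override."""
    if scored is None:
        return "learn"                      # learning period: no enforcement
    drifted = scored[0] >= DRIFT_Z
    if mode == "monitor":
        return "log" if drifted else "allow"
    if mode == "protect":
        return "contain" if drifted else "allow"
    if mode == "redline":                   # contained unless approved and still in baseline
        return "allow" if approved and not drifted else "contain"
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample: 30 days of daily outbound connection counts for one app.
HISTORY = [90, 110] * 15
```

The baseline dictionary returned with the score carries the window, mean and percentile that a before/after incident view would show next to the day's value.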

Data Storage

All data is stored in an encrypted SQLite database on your device. The encryption key is derived from Android's keystore system.

Users can export sanitized data (with personally identifiable information removed) or purge all data at any time through the Privacy Center.