How it works

What happens under the hood, step by step. Seven stages, all on your phone. Nothing leaves your device.

From data to decision

Step 1

Sensors

Collects metadata about network connections, permissions, and app behavior.

  • Network connection metadata (destination IP, port, timing)
  • Permission usage events
  • Background activity patterns
  • Installation sources (Play Store vs sideloaded)

Step 2

Feature extraction

Turns raw metadata into useful patterns.

  • Request frequency buckets
  • Domain categorization
  • Permission combinations
  • Time-of-day patterns

Step 3

Baseline store

A local record of what is normal for each app.

  • Historical patterns per app
  • Statistical norms (mean, stddev, percentiles)
  • Version tracking
  • User-approved changes

Step 4

Risk scoring

Compares current behavior to what is normal.

  • Drift magnitude calculation
  • Anomaly significance scoring
  • Context-aware weighting
  • Confidence intervals

Step 5

Policy engine

Decides what to do based on your settings and the risk score.

  • Monitor: log only
  • Protect: contain on drift
  • Redline: contain by default
  • Per-app overrides

Step 6

VPN enforcement

Blocks internet access for flagged apps via a local VPN.

  • Local VPN service (no remote servers)
  • Per-app routing rules
  • Kill switch protection
  • Conflict resolution with other VPNs

Step 7

Incident explanation

Shows you exactly what triggered the alert.

  • Before/after comparison
  • Specific metrics that drifted
  • Timeline of changes
  • Allow or block controls

Important caveats

No TLS interception

Baselyt never performs man-in-the-middle attacks on encrypted traffic. We only see metadata like destination IPs and request frequency, never decrypted content.

Metadata-only

No message content, no browsing history, no keystrokes. Only behavioral patterns and network metadata.

Local storage by default

All baselines and incident logs are stored on your device. Optional cloud backup (planned) would require your explicit consent.

Android limitations

Baselyt cannot kill apps or read their memory. VPN containment blocks network access, but apps remain running. No root required.

Technical details

VPN service

Baselyt uses Android's VpnService API to create a local VPN tunnel. All network traffic routes through this tunnel, allowing per-app filtering without root access.

The VPN runs entirely on-device, with no remote servers. It provides per-app blocking, a persistent notification showing protection status, and a kill switch to prevent leaks if the service stops.

Baseline learning

Baselines are built using a sliding window approach. Metrics are tracked over 7-, 14-, and 30-day periods, and means, standard deviations, and percentiles are calculated from them.

New app installations start with a learning period where no enforcement happens. After sufficient data, comparison against the baseline begins.
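The sketch below is an added example, not Baselyt's own code. It shows how sliding-window baselines, a learning period, and the Monitor / Protect / Redline modes can combine into one decision for a single metric. The z-score drift measure, the thresholds, the sigma floor, the action names, and all function names are assumptions.

```python
from statistics import mean, pstdev

WINDOWS = (7, 14, 30)   # day windows named on the page
LEARNING_DAYS = 7       # assumption: history required before enforcement
DRIFT_Z = 3.0           # assumption: z-score treated as drift
SIGMA_FLOOR = 1.0       # assumption: keeps a flat baseline from dividing by zero

def drift_score(history, current):
    """Largest absolute z-score of `current` over every window with full data."""
    scores = []
    for days in WINDOWS:
        if len(history) < days:
            continue  # not enough days yet to fill this window
        recent = history[-days:]
        sigma = max(pstdev(recent), SIGMA_FLOOR)
        scores.append(abs(current - mean(recent)) / sigma)
    return max(scores, default=0.0)

def decide(mode, history, current, override=None):
    """Return (action, score) for one app and one daily metric.

    mode: "monitor", "protect" or "redline"; override: per-app "allow"/"block".
    """
    if override == "allow":
        return "allow", 0.0
    if override == "block":
        return "contain", 0.0
    if len(history) < LEARNING_DAYS:
        return "learning", 0.0  # learning period: no enforcement in any mode
    score = drift_score(history, current)
    drifted = score >= DRIFT_Z
    if mode == "redline":
        return "contain", score  # contain by default, drift or not
    if mode == "protect":
        return ("contain" if drifted else "allow"), score
    if mode == "monitor":
        return ("log" if drifted else "allow"), score
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample: daily outbound request counts for one app.
SAMPLE_HISTORY = [102, 98, 101, 97, 103, 99, 100, 104, 96, 100]

if __name__ == "__main__":
    for mode in ("monitor", "protect", "redline"):
        print(mode, decide(mode, SAMPLE_HISTORY, 400))
```

With only ten days of history, just the 7-day window contributes; the 14- and 30-day windows join once enough days have accumulated.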

Data storage

All data is stored in an encrypted SQLite database on your device. The encryption key is derived from Android's keystore system.

You will be able to export cleaned data (personal identifiers removed) or delete everything through the Privacy Center. This feature is planned and not yet implemented.