Legal

Security Policy

TeleNav is built around local encryption and private Telegram storage. This page explains what the design protects, what it cannot protect, and how to report security issues.

Effective date: May 24, 2026 Last updated: May 24, 2026

1. Security Model

TeleNav is designed for a personal Android phone and a personal Telegram account. It assumes Android, device lock screen, Android Keystore, enrolled biometrics, and the app sandbox are functioning correctly.

The app is not designed to defend against a fully compromised operating system, rooted device, malicious keyboard, screen recorder, physical attacker with device control, or leaked recovery material.

2. What TeleNav Is Designed to Protect

  • File content is encrypted locally before upload.
  • Metadata is encrypted locally before upload, including original filename, MIME type, original size, timestamps, content hash, and folder information.
  • Uploads are intended to be encrypted-only; plaintext Telegram upload is not the intended design.
  • Large files are split into encrypted chunks before upload.
  • Vault key material is wrapped by password-derived and Android Keystore-backed keys.
  • Optional biometric unlock uses Android biometric authentication to unlock the existing protected vault key.
  • Telegram API credentials and TDLib database keys are protected through the unlocked vault design.

3. What TeleNav Does Not Protect

  • Telegram can still see account activity, upload timing, number of chunks or messages, approximate encrypted sizes, and Saved Messages usage.
  • Exported files saved outside TeleNav are ordinary plaintext unless you separately protect them.
  • If you lose your vault password and recovery kit, encrypted files may be unrecoverable.
  • If your Telegram account is suspended, deleted, inaccessible, or rate-limited, TeleNav access may fail.
  • If your phone is compromised, app-level encryption may not protect active sessions or decrypted data.

4. Safe Usage

  • Use a strong vault password, not a reused short PIN, for important files.
  • Export a recovery kit and store it somewhere private before factory reset, reinstalling, or moving phones.
  • Keep your phone updated and avoid rooted or untrusted devices.
  • Do not share API hashes, OTPs, Telegram 2FA passwords, vault passwords, recovery kits, or recovery passwords.
  • Do not paste secrets into bug reports, screenshots, emails, or public posts.
  • Keep separate backups for data you cannot afford to lose.

5. Responsible Disclosure

If you discover a security vulnerability, please report it privately before public disclosure. Include the affected version, device details, clear reproduction steps, logs without secrets, and the potential impact.

Send security reports to: info.assistgroupofficial@gmail.com

Do not access other people's accounts, exfiltrate data, run destructive tests, perform denial-of-service attacks, or publish exploit details before we have a reasonable opportunity to investigate.

6. No Security Guarantee

Security is a goal, not a warranty. TeleNav is provided without a guarantee that it will stop every attack, preserve every file, or satisfy every legal or compliance requirement.