Hey Dev Community! š
Iām currently building Aigris, an open-source, 100% on-device AI cybersecurity agent designed to protect everyday mobile users from real-time threats like phishing and financial scams.
The project is fully public, and you can check out the architecture or roast my code here:
š GitHub Repository:
https://github.com/ullah-naqeeb/aigris.git
To intercept phishing attempts before the browser renders the malicious payload, I made a specific engineering choice: I implemented an Android Accessibility Service to extract the full URL string directly from the address bars of major browsers (Chrome, Edge, Samsung Internet).
Under the hood, the pipeline is highly optimized for consumer hardware to respect strict resource constraints (< 5% CPU when idle, < 200MB RAM footprint):
Asynchronous Inference: URL extraction and local ONNX model inferences are completely offloaded from the Main Thread using Kotlin Coroutines (Dispatchers.Default).
TTL Memory Caching: An Android LruCache stores up to 100 entries with a 10-minute Time-To-Live (TTL). Hits skip the ONNX inference entirely to save battery.
URL Normalization: Query parameters and fragments are stripped before lookup to maximize cache efficiency.
The Dilemma: The Accessibility Service Friction š
While this architecture works flawlessly under the hood and successfully bypasses Android OS deep-link restrictions, Iām facing a major philosophical and practical crossroads regarding UX and app distribution.
As we all know, Accessibility APIs are notoriously difficult to clear on the Google Play Store if your app isn't strictly an assistive technology. Google is (rightfully) aggressive about blocking apps that use these permissions due to historical malware abuse.
Even for sideloaded or open-source apps, asking a non-technical consumer to go deep into Android Settings, find "Downloaded Services," and toggle a scary warning switch is a massive user friction.
My Questions to the Community:
Did I pick the wrong tool? Is there a less invasive, modern Android API that can achieve system-wide or browser-wide URL interception without root and without relying on local VPN loops (which often mess with battery and DNS encryption)?
Play Store compliance: Has anyone successfully published a security-focused app utilizing Accessibility Services recently? What was your experience with the review board?
UX alternatives: If I stick with this, what's the best way to explain this "scary permission" to a regular user without overwhelming them?
Iād love to hear your thoughts, architectural critiques, or alternative approaches. If you find the project interesting, feel free to contribute or drop a āļø on GitHub!
Looking forward to your feedback! š¬
Top comments (0)