Technical Details

Encryption, location verification, and platform security

Security Architecture

GeoLocker combines three factors: something you know (password), somewhere you are (location), and something you have (device with Secure Enclave).

Knowledge
Master password + per-vault credentials

Location
GPS coordinates included in key derivation

Possession
Hardware-protected keys in the Secure Enclave

Even with a compromised password, data cannot be accessed without both the correct location and the physical device.

Encryption

AES-256-GCM provides confidentiality and authenticity. Keys are derived from a combination of the master password, device identifier, and the vault's secret coordinates.

Key = HKDF( PBKDF2(password, salt) + HMAC(location, salt) + deviceBinding )

Each vault uses a unique salt and key. Location coordinates are never stored in plaintext.

Location Verification

Location checks run entirely offline using cached GNSS data. The app supports GPS, GLONASS, Galileo, and BeiDou.

Typical horizontal accuracy is 2–5 meters. Radius checks include device-reported accuracy buffers.

Anti-spoofing techniques include multi-constellation validation, motion sensor correlation, and signal integrity checks. These measures are probabilistic.

iOS Platform Protections

Secure Enclave key storage

App sandbox + complete data protection class

Face ID / Touch ID integration

Automatic memory clearing after use

Dual Access Paths

Physical presence: Device must be inside the configured radius at unlock time.

Map navigation: With an unlocked device, the user can target the secret location on the in-app map. Both paths require knowledge of the exact coordinates.

Vault Isolation

Every vault is an independent cryptographic container with its own salt, key, and location. Compromising one vault yields no information about others.

Note: Plausible deniability and anti-spoofing features provide strong practical protection but are not absolute guarantees against determined adversaries with specialized equipment.