AI Guard
The AI tab houses Tetherand's defenses against AI-era threats — the class of attacks that scaled massively after the 2024 capability boom in generative models. Every defense here is constructed in two layers:
- A deterministic primary — a rule, threshold, or heuristic that always applies. This is the load-bearing part. It functions correctly without any model present.
- A contributory classifier — an on-device model that refines the primary's verdict and catches novel patterns. This is the advisory part. It can never trigger a destructive action on its own.
This separation is non-negotiable. It exists so the app's behaviour is always auditable: every actionable decision is traceable to a rule, not a black-box model.
Deterministic primaries (always engaged)
| Defense | What the rule does |
|---|---|
| Prompt-injection clipboard scrubber | Watches clipboard changes for known injection scaffolds — Ignore-previous-instructions, chat-template markers, common jailbreak prefixes. Surfaces a high-severity alert; does not auto-clear. |
| Phishing message scorer | Four-axis rule set (urgency, authority, financial-ask, URL look-alike). Two or more axes scoring high yields a High verdict. Catches typo-squat domains with a bounded Levenshtein distance against known domains and a cheap IDN-homoglyph swap (punycode decoded, confusable characters mapped onto ASCII) applied before the comparison. |
| Pseudo-perplexity AI-text badge | Four signals (average word length, function-word density, colloquial markers, punctuation density) combine into a heuristic "this looks AI-generated" score. Inspired by the Binoculars approach but uses no neural component. |
| Provenance check | Scans inbound images and video for C2PA / Content Credentials manifest markers with a Boyer–Moore–Horspool needle scan over the raw bytes and surfaces Genuine / Synthetic / Unknown. A marker hit proves only that a manifest-shaped structure is present (marker bytes can be pasted into any file), so a Genuine verdict also requires the manifest signature to verify. SynthID is a pixel-domain watermark with no byte-level marker and cannot be found by a needle scan. |
| Egress LLM-API SNI watch | A rule-only watchlist of cloud LLM API hostnames (18 exact, 10 suffix-matched). Surfaces any app on the device that talks to one of these. |
| MTK NPU sysfs watcher | Polls /sys/devices/platform/mtk_apu and similar paths for NPU activity. A background app using the NPU is a red flag — covert local-model inference is a real threat. |
| Voiceprint vault + safe-word handshake | Trusted-contact registry stored encrypted at rest. The "verify caller" flow uses a pre-agreed safe word, hashed with SHA-256, as the verification step. A bare SHA-256 of a short phrase is dictionary-searchable if the vault ever leaks, so the at-rest encryption, not the hash, is what keeps the safe word secret; hash comparison should be constant-time. |
| HIBP OSINT exposure | Have-I-Been-Pwned password check using the k-anonymity range API: only the first five hex characters of the password's SHA-1 leave the device, and the remaining 35 are matched locally against the returned range. Opt-in. |
| Conference field guide | Static catalogue of eight AI-era attacker tactics relevant to 5364C13D 34. Updated through whatever privacy chain is active. |
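The four-axis scorer row above, worked as an added example (this is illustrative code written for this page, not Tetherand's own rule set): keyword patterns per axis, a bounded Levenshtein check and a homoglyph swap for the URL look-alike axis, and the two-or-more-axes rule. The protected-domain list, the keyword lists and the confusable map are assumptions; the page does not publish the real ones.

```python
import re
import unicodedata
from typing import Dict

# Constructed protected-domain list for the URL look-alike axis (assumption: the page
# does not list the real one).
PROTECTED_DOMAINS = ["paypal.com", "microsoft.com", "google.com", "apple.com"]

# One keyword pattern per axis; the terms are illustrative, not the app's rule set.
AXIS_PATTERNS = {
    "urgency": re.compile(r"\b(urgent|immediately|within 24 hours|act now|final notice|suspended)\b", re.I),
    "authority": re.compile(r"\b(ceo|it department|security team|your bank|hmrc|irs|police)\b", re.I),
    "financial_ask": re.compile(r"\b(wire|transfer|gift cards?|invoice|payment|bitcoin|iban)\b", re.I),
}
URL_RE = re.compile(r"https?://([^/\s:]+)", re.I)

# Cheap homoglyph swap: digits/symbols and Cyrillic look-alikes mapped onto ASCII letters.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
})


def normalise_host(host: str) -> str:
    """Lower-case, decode punycode, fold compatibility forms, then swap confusables."""
    h = host.lower().rstrip(".")
    if "xn--" in h:
        try:
            h = h.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw label if it is not valid punycode
    return unicodedata.normalize("NFKC", h).translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_url(host: str) -> bool:
    """True when the host impersonates a protected domain by confusables or by a short edit."""
    raw = host.lower().rstrip(".")
    norm = normalise_host(host)
    for brand in PROTECTED_DOMAINS:
        if raw == brand or raw.endswith("." + brand):
            return False        # the genuine domain or one of its subdomains
        if norm == brand or norm.endswith("." + brand):
            return True         # equal only after the homoglyph swap: confusable
        if levenshtein(norm, brand) <= 2:
            return True         # typo-squat within two edits
    return False


def score_message(text: str) -> Dict:
    """Axis hits plus the page's rule: two or more high axes -> High."""
    axes = {name: bool(pat.search(text)) for name, pat in AXIS_PATTERNS.items()}
    axes["url_lookalike"] = any(lookalike_url(h) for h in URL_RE.findall(text))
    hits = sum(axes.values())
    return {"axes": axes, "hits": hits, "verdict": "High" if hits >= 2 else "Low"}
```

The order of checks in `lookalike_url` matters: the raw hostname is compared against the brand before any normalisation, so `accounts.google.com` is never flagged, while `paypa1.com` (which only equals the brand after the digit swap) and `paypall.com` (one edit away) are.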
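The provenance row above, as an added example that is not the app's code: a Boyer–Moore–Horspool byte search for manifest markers, and a verdict function that treats a marker hit as "manifest present" only, upgrading to Genuine or Synthetic solely when the caller reports a verified manifest signature. The needle set and the sample byte strings are constructed for this example (the `jumd`/`c2pa` fragment is not a spec-accurate JUMBF box), and signature verification itself is represented by a boolean the caller supplies.

```python
from typing import Dict

# Byte needles the scan looks for (assumption: illustrative set, not the app's).
# 'jumb' is the JUMBF superbox type and 'c2pa' the manifest-store label; the IPTC
# digitalSourceType URI fragment is what a manifest uses to declare AI-generated content.
NEEDLES = {
    "jumbf_box": b"jumb",
    "c2pa_label": b"c2pa",
    "ai_declared": b"digitalsourcetype/trainedAlgorithmicMedia",
}


def bmh_find(haystack: bytes, needle: bytes) -> int:
    """Boyer-Moore-Horspool search: first offset of needle in haystack, or -1."""
    n, m = len(haystack), len(needle)
    if m == 0:
        return 0
    if m > n:
        return -1
    skip = [m] * 256                       # bad-character shift table
    for i in range(m - 1):
        skip[needle[i]] = m - 1 - i
    i = 0
    while i <= n - m:
        if haystack[i + m - 1] == needle[-1] and haystack[i:i + m] == needle:
            return i
        i += skip[haystack[i + m - 1]]     # shift on the last byte of the window
    return -1


def provenance_verdict(blob: bytes, manifest_signature_valid: bool = False) -> Dict:
    """Marker scan only: presence without a verified signature stays Unknown."""
    hits = {name: bmh_find(blob, nd) for name, nd in NEEDLES.items()}
    manifest_present = hits["jumbf_box"] >= 0 and hits["c2pa_label"] >= 0
    if not manifest_present:
        verdict = "Unknown"
    elif not manifest_signature_valid:
        verdict = "Unknown"                # marker bytes can be pasted into any file
    elif hits["ai_declared"] >= 0:
        verdict = "Synthetic"              # manifest itself declares AI generation
    else:
        verdict = "Genuine"
    return {"manifest_present": manifest_present, "offsets": hits, "verdict": verdict}


# Constructed sample blobs (not real image files): a JPEG SOI marker followed by a
# JUMBF-shaped fragment, with and without an AI-generation declaration.
PLAIN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
C2PA_CAMERA = (b"\xff\xd8\xff\xeb" + b"\x00\x00\x00\x20jumb"
               + b"\x00\x00\x00\x11jumdc2pa\x00" + b"\x00" * 32)
C2PA_AI = C2PA_CAMERA + b"http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia"
FORGED = PLAIN_JPEG + C2PA_CAMERA           # markers appended to an unrelated file
```

`FORGED` is the point of the caveat: the scan reports a manifest for it just as it does for `C2PA_CAMERA`, and only the signature check separates the two.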
Contributory classifiers (model-driven)
A small ensemble of locally-running models, all INT4-quantised, all running on the 5364C13D's NPU via LiteRT:
| Model | Job | Size (compressed) | Latency |
|---|---|---|---|
| phi-tetherand-3b-q4 | Phishing / social-engineering / prompt-injection classification on inbound messages | ~1.8 GB | ~120 ms / message |
| voiceguard-v1 | Speech-synthesis detection on inbound call audio | ~30 MB | ~40 ms / second of audio |
| textguard-v1 | LLM-generated text detection (Binoculars-style ensemble) | ~20 MB | ~60 ms / message |
| qrguard-v1 | Adversarial QR / image lure detection | ~8 MB | ~30 ms / image |
The four-model bundle (about 1.9 GB compressed, summing the per-model figures above) is not included in the v0.1 APK. It ships separately through the in-app delta-update path, delivered over the active privacy chain only and signed against a cosign public key pinned in the APK; a bundle whose signature does not verify against that pinned key is never loaded. Until the bundle is installed, the AI tab shows "Not bundled — deterministic core in effect" for each row, and the deterministic primaries handle every decision.
Reading the AI tab
The top of the page shows a models X/Y counter — how many of the four contributory models are loaded.
The middle section lists deterministic primaries, each with a green-dot indicator confirming it is engaged.
The bottom of the page surfaces user-facing tools:
- Egress LLM-API scan — paste any DNS-query log you have (from AdGuard, PCAPdroid, etc.) and the watchlist flags every hit. Apps that resolve over DoH or connect to hard-coded IPs do not show up in such a log.
- Verify-caller handshake — register a phone number with a safe-word hash; when you suspect a deepfake call, use the safe word to cross-verify.
- OSINT exposure — opt-in HIBP password check.
- Field guide — current AI-era attacker tactics.
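The OSINT exposure tool above runs the HIBP k-anonymity range protocol. The following is an added example, not Tetherand's implementation, with both sides of the exchange in one file: the client hashes the password, sends only the 5-character SHA-1 prefix, and matches the 35-character suffix locally against the returned `SUFFIX:COUNT` lines; `range_endpoint` is a constructed stand-in for `GET https://api.pwnedpasswords.com/range/{prefix}` backed by a made-up three-entry corpus, and it can emit the zero-count decoy entries the real service adds when the client sends `Add-Padding: true`.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple


def sha1_split(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1, split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the Pwned Passwords corpus (full SHA-1 -> breach count); the
# counts are made up for this example.
FAKE_CORPUS = {
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8": 3861493,   # sha1("password")
    "5BAA6" + "F" * 35: 12,                                # filler hash in the same 5BAA6 range
    "7C4A8D09CA3762AF61E59520943DC26494F8941B": 24230577,  # sha1("123456")
}


def range_endpoint(prefix: str, corpus: Dict[str, int] = FAKE_CORPUS, padding: bool = False) -> str:
    """Simulated server: GET /range/{prefix} returns 'SUFFIX:COUNT' for every hash sharing the prefix.
    With padding enabled (the Add-Padding request header), the real service also emits zero-count decoys
    so the response size does not reveal how many real hashes share the prefix."""
    lines = [f"{h[5:]}:{c}" for h, c in corpus.items() if h.startswith(prefix)]
    if padding:
        lines.append("0" * 35 + ":0")      # decoy; the client must ignore it
    return "\r\n".join(lines)


def parse_range(body: str) -> Dict[str, int]:
    """Parse the range response, dropping blank lines and zero-count padding entries."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch: Callable[[str], str], sent: Optional[List[str]] = None) -> int:
    """Client side: only the 5-char prefix leaves the device; suffix matching happens locally."""
    prefix, suffix = sha1_split(password)
    if sent is not None:
        sent.append(prefix)                # audit trail of exactly what was transmitted
    return parse_range(fetch(prefix)).get(suffix, 0)
```

The `sent` list exists so a test can confirm the only thing that crossed the (simulated) network boundary was a 5-character prefix; the full hash and the password never leave `pwned_count`.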
AI-era threats Tetherand counters
| Threat | Counter |
|---|---|
| Voice deepfake on call | Safe-word handshake (deterministic) + voiceguard-v1 synthesis-artefact score |
| Vishing scaffold | Conversation-state rules (urgency + authority + secrecy + financial-ask + channel-mismatch) |
| LLM-generated text in a message | Open-algorithm perplexity test + textguard-v1 |
| Adversarial QR or image lure | URL-pattern + perceptual-hash blocklist + qrguard-v1 |
| Prompt injection via shared text | Regex match against known scaffolds → clipboard scrubber alert |
| Synthetic-media provenance check | C2PA / Content Credentials marker scan, with the manifest signature verified cryptographically before a Genuine verdict (a marker hit alone proves presence, not authenticity; SynthID leaves no byte-level marker) |
| Covert local-model use by background app | MTK NPU sysfs watcher with foreground-app correlation |
| Egress to cloud LLM APIs | SNI watchlist (rule-only) |
| Personalised phishing from your OSINT | HIBP exposure dashboard + phishing-rule message classifier |