Technical Documentation v1.0
SafeStream Architecture
A Serverless, P2P Approach to Parental Monitoring
How I use WebRTC and AES-256 to keep child activity data off the cloud.
01
The Problem
Most parental control apps act as a "Man-in-the-Middle". They upload your child’s entire browsing history, location, and app usage to a centralized cloud database. This creates a massive honeypot for hackers and a privacy nightmare for families.
02
The Solution
SafeStream acts as a pure P2P relay. The Parent device is the only database.
03
The Stack
Client: Native Android (Kotlin + Jetpack Compose)
Connectivity: WebRTC Data Channels
Discovery: NSD & TURN (Local LAN & Remote Traversal)
Encryption: AES-256-GCM (Custom Implementation)
04
Architecture Diagram
[Child Device] (Kotlin + Compose) -- AES-256 --> [TURN/Relay] (Traversal & Relay) -- Encrypted --> [Parent Device] (SQLite DB)
05
How it works (Technical)
Handshake
Devices pair automatically via Network Service Discovery (NSD) on the local network, exchanging ECDH public keys to establish a secure encrypted tunnel.
Signaling
I use a lightweight Firebase Signaling service only to exchange SDP offers/answers. No user data payload ever touches Firebase.
Transport
- If on the same LAN: Direct socket connection via NSD.
- If remote: Traversal using STUN/TURN servers.
Data Layer
JSON payloads (activity logs) are compressed (GZIP), encrypted (AES-256), and sent over the WebRTC Data Channel.
Persistence
The Parent app decrypts the payload and stores it locally in a Room (SQLite) database.
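The Handshake and Data Layer steps above as one round trip, added here as an illustration and not SafeStream's own code: it uses the platform javax.crypto provider rather than the custom AES-GCM implementation the page mentions. The P-256 curve, HKDF-SHA256 derivation, `safestream-demo` label, nonce-prefixed frame layout and sample log are assumptions, as is the premise that the exchanged public keys were authenticated during pairing, which the page does not describe.

```kotlin
import java.io.*
import java.security.*
import java.security.spec.ECGenParameterSpec
import java.util.zip.*
import javax.crypto.*
import javax.crypto.spec.*

// Each device holds a P-256 key pair; only the public half is exchanged at pairing.
fun newEcKeyPair(): KeyPair =
    KeyPairGenerator.getInstance("EC").apply { initialize(ECGenParameterSpec("secp256r1")) }.generateKeyPair()

// ECDH shared secret -> HKDF-SHA256 (RFC 5869, one output block) -> 32-byte AES key.
fun deriveKey(own: KeyPair, peer: PublicKey, info: String = "safestream-demo"): SecretKeySpec {
    fun hmac(key: ByteArray, data: ByteArray) =
        Mac.getInstance("HmacSHA256").run { init(SecretKeySpec(key, "HmacSHA256")); doFinal(data) }
    val shared = KeyAgreement.getInstance("ECDH").run { init(own.private); doPhase(peer, true); generateSecret() }
    val prk = hmac(ByteArray(32), shared)                          // extract with all-zero salt
    return SecretKeySpec(hmac(prk, info.toByteArray() + byteArrayOf(1)), "AES") // expand, T(1)
}

// Child side: GZIP, then AES-256-GCM under a fresh random 96-bit nonce.
// Frame layout (assumed): nonce || ciphertext || 128-bit tag.
fun seal(key: SecretKeySpec, json: String): ByteArray {
    val gz = ByteArrayOutputStream()
    GZIPOutputStream(gz).use { it.write(json.toByteArray()) }
    val nonce = ByteArray(12).also { SecureRandom().nextBytes(it) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(128, nonce))
    return nonce + cipher.doFinal(gz.toByteArray())
}

// Parent side: verify the tag and decrypt first, decompress only authenticated bytes.
// Throws AEADBadTagException if the frame was modified or the key differs.
fun unseal(key: SecretKeySpec, frame: ByteArray): String {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, frame, 0, 12))
    val gz = cipher.doFinal(frame, 12, frame.size - 12)
    return GZIPInputStream(ByteArrayInputStream(gz)).use { it.readBytes().toString(Charsets.UTF_8) }
}

fun main() {
    val child = newEcKeyPair(); val parent = newEcKeyPair()
    val log = """{"app":"com.example.video","title":"constructed sample","ts":1700000000}"""
    val frame = seal(deriveKey(child, parent.public), log)   // what crosses the data channel
    val parentKey = deriveKey(parent, child.public)          // same key, derived independently
    check(unseal(parentKey, frame) == log)
    frame[frame.lastIndex] = (frame[frame.lastIndex].toInt() xor 1).toByte() // flip one tag bit
    println("tampered frame rejected: " + runCatching { unseal(parentKey, frame) }.isFailure)
}
```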
06
Why Free? (The Business Model)
I am an indie developer, not a data mining corp.
Core features: Free.
Costs: Running TURN servers costs bandwidth.
Revenue: To cover bandwidth, high-res screenshot downloads consume "Credits". Credits are refilled by watching optional rewarded ads. This keeps the infrastructure sustainable without subscriptions or data selling.
07
_JOIN_ROOT_ACCESS
We need tech-savvy parents to stress-test our P2P tunnels.
If you understand NAT traversal and care about privacy, you are the tester we are looking for. Get early access to the .apk before public release.
08
FAQ for Developers
Is it open source?
The core crypto and P2P modules will be open-sourced soon for auditing.
What permissions does it use?
Accessibility Services (strictly for scraping video titles on-device), Usage Stats, and Location. No root required.