QR and Verification feature

app/build.gradle.kts

@@ -90,6 +90,15 @@ dependencies {
 
     // Permissions
     implementation(libs.accompanist.permissions)
+
+    // QR
+    implementation(libs.zxing.core)
+    implementation(libs.mlkit.barcode.scanning)
+
+    // CameraX
+    implementation(libs.androidx.camera.camera2)
+    implementation(libs.androidx.camera.lifecycle)
+    implementation(libs.androidx.camera.compose)
 
     // Cryptography
     implementation(libs.bundles.cryptography)

app/src/main/AndroidManifest.xml

@@ -31,6 +31,8 @@
 
     <!-- Microphone for voice notes -->
     <uses-permission android:name="android.permission.RECORD_AUDIO" />
+    <!-- Camera for QR verification -->
+    <uses-permission android:name="android.permission.CAMERA" />
 
     <!-- Storage permissions for file sharing -->
     <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="28" />
@@ -47,6 +49,7 @@
     <!-- Hardware features -->
     <uses-feature android:name="android.hardware.bluetooth_le" android:required="true" />
     <uses-feature android:name="android.hardware.bluetooth" android:required="true" />
+    <uses-feature android:name="android.hardware.camera" android:required="false" />
 
     <permission
         android:name="com.bitchat.android.permission.FORCE_FINISH"
@@ -89,6 +92,12 @@
                 <action android:name="android.intent.action.MAIN" />
                 <category android:name="android.intent.category.LAUNCHER" />
             </intent-filter>
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+                <data android:scheme="bitchat" android:host="verify" />
+            </intent-filter>
         </activity>
 
         <!-- Persistent foreground service to run the mesh in background -->

app/src/main/java/com/bitchat/android/MainActivity.kt

@@ -40,6 +40,7 @@ import com.bitchat.android.ui.ChatViewModel
 import com.bitchat.android.ui.OrientationAwareActivity
 import com.bitchat.android.ui.theme.BitchatTheme
 import com.bitchat.android.nostr.PoWPreferenceManager
+import com.bitchat.android.services.VerificationService
 import kotlinx.coroutines.delay
 import kotlinx.coroutines.launch
 
@@ -655,6 +656,7 @@ class MainActivity : OrientationAwareActivity() {
 
                 // Handle any notification intent
                 handleNotificationIntent(intent)
+                handleVerificationIntent(intent)
 
                 // Small delay to ensure mesh service is fully initialized
                 delay(500)
@@ -683,6 +685,7 @@ class MainActivity : OrientationAwareActivity() {
         // Handle notification intents when app is already running
         if (mainViewModel.onboardingState.value == OnboardingState.COMPLETE) {
             handleNotificationIntent(intent)
+            handleVerificationIntent(intent)
         }
     }
 
@@ -788,6 +791,17 @@ class MainActivity : OrientationAwareActivity() {
         }
     }
 
+    private fun handleVerificationIntent(intent: Intent) {
+        val uri = intent.data ?: return
+        if (uri.scheme != "bitchat" || uri.host != "verify") return
+
+        chatViewModel.showVerificationSheet()
+        val qr = VerificationService.verifyScannedQR(uri.toString())
+        if (qr != null) {
+            chatViewModel.beginQRVerification(qr)
+        }
+    }
+
 
     override fun onDestroy() {
         super.onDestroy()

app/src/main/java/com/bitchat/android/identity/SecureIdentityStateManager.kt

@@ -5,7 +5,10 @@ import android.content.SharedPreferences
 import androidx.security.crypto.EncryptedSharedPreferences
 import androidx.security.crypto.MasterKey
 import java.security.MessageDigest
+import android.util.Base64
 import android.util.Log
+import com.bitchat.android.util.hexEncodedString
+import androidx.core.content.edit
 
 /**
  * Manages persistent identity storage and peer ID rotation - 100% compatible with iOS implementation
@@ -24,9 +27,15 @@ class SecureIdentityStateManager(private val context: Context) {
         private const val KEY_STATIC_PUBLIC_KEY = "static_public_key"
         private const val KEY_SIGNING_PRIVATE_KEY = "signing_private_key"
         private const val KEY_SIGNING_PUBLIC_KEY = "signing_public_key"
+        private const val KEY_VERIFIED_FINGERPRINTS = "verified_fingerprints"
+        private const val KEY_CACHED_PEER_FINGERPRINTS = "cached_peer_fingerprints"
+        private const val KEY_CACHED_PEER_NOISE_KEYS = "cached_peer_noise_keys"
+        private const val KEY_CACHED_NOISE_FINGERPRINTS = "cached_noise_fingerprints"
+        private const val KEY_CACHED_FINGERPRINT_NICKNAMES = "cached_fingerprint_nicknames"
     }
 
     private val prefs: SharedPreferences
+    private val lock = Any()
 
     init {
         // Create master key for encryption
@@ -168,7 +177,7 @@ class SecureIdentityStateManager(private val context: Context) {
     fun generateFingerprint(publicKeyData: ByteArray): String {
         val digest = MessageDigest.getInstance("SHA-256")
         val hash = digest.digest(publicKeyData)
-        return hash.joinToString("") { "%02x".format(it) }
+        return hash.hexEncodedString()
     }
 
     /**
@@ -178,6 +187,112 @@ class SecureIdentityStateManager(private val context: Context) {
         // SHA-256 fingerprint should be 64 hex characters
         return fingerprint.matches(Regex("^[a-fA-F0-9]{64}$"))
     }
+
+    // MARK: - Verified Fingerprints
+
+    fun getVerifiedFingerprints(): Set<String> {
+        return prefs.getStringSet(KEY_VERIFIED_FINGERPRINTS, emptySet())?.toSet() ?: emptySet()
+    }
+
+    fun isVerifiedFingerprint(fingerprint: String): Boolean {
+        return getVerifiedFingerprints().contains(fingerprint)
+    }
+
+    fun setVerifiedFingerprint(fingerprint: String, verified: Boolean) {
+        if (!isValidFingerprint(fingerprint)) return
+        synchronized(lock) {
+            val current = prefs.getStringSet(KEY_VERIFIED_FINGERPRINTS, emptySet())?.toMutableSet() ?: mutableSetOf()
+            if (verified) {
+                current.add(fingerprint)
+            } else {
+                current.remove(fingerprint)
+            }
+            prefs.edit { putStringSet(KEY_VERIFIED_FINGERPRINTS, current) }
+        }
+    }
+
+    fun getCachedPeerFingerprint(peerID: String): String? {
+        val pid = peerID.lowercase()
+        // Reading is safe without lock for SharedPreferences, but synchronizing ensures memory visibility
+        // if we are paranoid, but SharedPreferences is generally thread-safe for reads.
+        // However, to ensure we don't read a partial update (unlikely with SP), we can leave it.
+        // The critical part is the write.
+        val entries = prefs.getStringSet(KEY_CACHED_PEER_FINGERPRINTS, emptySet()) ?: return null
+        val entry = entries.firstOrNull { it.startsWith("$pid:") } ?: return null
+        return entry.substringAfter(':').takeIf { isValidFingerprint(it) }
+    }
+
+    fun cachePeerFingerprint(peerID: String, fingerprint: String) {
+        if (!isValidFingerprint(fingerprint)) return
+        val pid = peerID.lowercase()
+        synchronized(lock) {
+            val current = prefs.getStringSet(KEY_CACHED_PEER_FINGERPRINTS, emptySet())?.toMutableSet() ?: mutableSetOf()
+            current.removeAll { it.startsWith("$pid:") }
+            current.add("$pid:$fingerprint")
+            prefs.edit { putStringSet(KEY_CACHED_PEER_FINGERPRINTS, current) }
+        }
+    }
+
+    fun getCachedNoiseKey(peerID: String): String? {
+        val pid = peerID.lowercase()
+        val entries = prefs.getStringSet(KEY_CACHED_PEER_NOISE_KEYS, emptySet()) ?: return null
+        val entry = entries.firstOrNull { it.startsWith("$pid=") } ?: return null
+        return entry.substringAfter('=').takeIf { it.matches(Regex("^[a-fA-F0-9]{64}$")) }
+    }
+
+    fun cachePeerNoiseKey(peerID: String, noiseKeyHex: String) {
+        if (!noiseKeyHex.matches(Regex("^[a-fA-F0-9]{64}$"))) return
+        val pid = peerID.lowercase()
+        synchronized(lock) {
+            val current = prefs.getStringSet(KEY_CACHED_PEER_NOISE_KEYS, emptySet())?.toMutableSet() ?: mutableSetOf()
+            current.removeAll { it.startsWith("$pid=") }
+            current.add("$pid=${noiseKeyHex.lowercase()}")
+            prefs.edit { putStringSet(KEY_CACHED_PEER_NOISE_KEYS, current) }
+        }
+    }
+
+    fun getCachedNoiseFingerprint(noiseKeyHex: String): String? {
+        val key = noiseKeyHex.lowercase()
+        val entries = prefs.getStringSet(KEY_CACHED_NOISE_FINGERPRINTS, emptySet()) ?: return null
+        val entry = entries.firstOrNull { it.startsWith("$key=") } ?: return null
+        return entry.substringAfter('=').takeIf { isValidFingerprint(it) }
+    }
+
+    fun cacheNoiseFingerprint(noiseKeyHex: String, fingerprint: String) {
+        if (!isValidFingerprint(fingerprint)) return
+        if (!noiseKeyHex.matches(Regex("^[a-fA-F0-9]{64}$"))) return
+        val key = noiseKeyHex.lowercase()
+        synchronized(lock) {
+            val current = prefs.getStringSet(KEY_CACHED_NOISE_FINGERPRINTS, emptySet())?.toMutableSet() ?: mutableSetOf()
+            current.removeAll { it.startsWith("$key=") }
+            current.add("$key=$fingerprint")
+            prefs.edit { putStringSet(KEY_CACHED_NOISE_FINGERPRINTS, current) }
+        }
+    }
+
+    fun getCachedFingerprintNickname(fingerprint: String): String? {
+        if (!isValidFingerprint(fingerprint)) return null
+        val key = fingerprint.lowercase()
+        val entries = prefs.getStringSet(KEY_CACHED_FINGERPRINT_NICKNAMES, emptySet()) ?: return null
+        val entry = entries.firstOrNull { it.startsWith("$key=") } ?: return null
+        val encoded = entry.substringAfter('=')
+        return runCatching {
+            val bytes = Base64.decode(encoded, Base64.NO_WRAP)
+            String(bytes, Charsets.UTF_8)
+        }.getOrNull()
+    }
+
+    fun cacheFingerprintNickname(fingerprint: String, nickname: String) {
+        if (!isValidFingerprint(fingerprint)) return
+        val key = fingerprint.lowercase()
+        val encoded = Base64.encodeToString(nickname.toByteArray(Charsets.UTF_8), Base64.NO_WRAP)
+        synchronized(lock) {
+            val current = prefs.getStringSet(KEY_CACHED_FINGERPRINT_NICKNAMES, emptySet())?.toMutableSet() ?: mutableSetOf()
+            current.removeAll { it.startsWith("$key=") }
+            current.add("$key=$encoded")
+            prefs.edit { putStringSet(KEY_CACHED_FINGERPRINT_NICKNAMES, current) }
+        }
+    }
 
     // MARK: - Peer ID Rotation Management (removed)
     // Android now derives peer ID from the persisted Noise identity fingerprint.

app/src/main/java/com/bitchat/android/mesh/BluetoothMeshService.kt

@@ -7,12 +7,15 @@ import com.bitchat.android.model.BitchatMessage
 import com.bitchat.android.protocol.MessagePadding
 import com.bitchat.android.model.RoutedPacket
 import com.bitchat.android.model.IdentityAnnouncement
+import com.bitchat.android.model.NoisePayload
+import com.bitchat.android.model.NoisePayloadType
 import com.bitchat.android.protocol.BitchatPacket
 import com.bitchat.android.protocol.MessageType
 import com.bitchat.android.protocol.SpecialRecipients
 import com.bitchat.android.model.RequestSyncPacket
 import com.bitchat.android.sync.GossipSyncManager
 import com.bitchat.android.util.toHexString
+import com.bitchat.android.services.VerificationService
 import kotlinx.coroutines.*
 import java.util.*
 import kotlin.math.sign
@@ -72,6 +75,7 @@ class BluetoothMeshService(private val context: Context) {
 
     init {
         Log.i(TAG, "Initializing BluetoothMeshService for peer=$myPeerID")
+        VerificationService.configure(encryptionService)
         setupDelegates()
         messageHandler.packetProcessor = packetProcessor
         //startPeriodicDebugLogging()
@@ -414,6 +418,14 @@ class BluetoothMeshService(private val context: Context) {
             override fun onReadReceiptReceived(messageID: String, peerID: String) {
                 delegate?.didReceiveReadReceipt(messageID, peerID)
             }
+
+            override fun onVerifyChallengeReceived(peerID: String, payload: ByteArray, timestampMs: Long) {
+                delegate?.didReceiveVerifyChallenge(peerID, payload, timestampMs)
+            }
+
+            override fun onVerifyResponseReceived(peerID: String, payload: ByteArray, timestampMs: Long) {
+                delegate?.didReceiveVerifyResponse(peerID, payload, timestampMs)
+            }
         }
 
         // PacketProcessor delegates
@@ -939,6 +951,50 @@ class BluetoothMeshService(private val context: Context) {
             }
         }
     }
+
+    // MARK: QR Verification over Noise
+
+    fun sendVerifyChallenge(peerID: String, noiseKeyHex: String, nonceA: ByteArray) {
+        val tlv = VerificationService.buildVerifyChallenge(noiseKeyHex, nonceA)
+        val payload = NoisePayload(
+            type = NoisePayloadType.VERIFY_CHALLENGE,
+            data = tlv
+        )
+        sendNoisePayloadToPeer(payload, peerID, "verify challenge")
+    }
+
+    fun sendVerifyResponse(peerID: String, noiseKeyHex: String, nonceA: ByteArray) {
+        val tlv = VerificationService.buildVerifyResponse(noiseKeyHex, nonceA) ?: return
+        val payload = NoisePayload(
+            type = NoisePayloadType.VERIFY_RESPONSE,
+            data = tlv
+        )
+        sendNoisePayloadToPeer(payload, peerID, "verify response")
+    }
+
+    private fun sendNoisePayloadToPeer(payload: NoisePayload, recipientPeerID: String, label: String) {
+        serviceScope.launch {
+            try {
+                val encrypted = encryptionService.encrypt(payload.encode(), recipientPeerID)
+                val packet = BitchatPacket(
+                    version = 1u,
+                    type = MessageType.NOISE_ENCRYPTED.value,
+                    senderID = hexStringToByteArray(myPeerID),
+                    recipientID = hexStringToByteArray(recipientPeerID),
+                    timestamp = System.currentTimeMillis().toULong(),
+                    payload = encrypted,
+                    signature = null,
+                    ttl = com.bitchat.android.util.AppConstants.MESSAGE_TTL_HOPS
+                )
+
+                val signedPacket = signPacketBeforeBroadcast(packet)
+                connectionManager.broadcastPacket(RoutedPacket(signedPacket))
+                Log.d(TAG, "📤 Sent $label to $recipientPeerID (${payload.data.size} bytes)")
+            } catch (e: Exception) {
+                Log.e(TAG, "Failed to send $label to $recipientPeerID: ${e.message}")
+            }
+        }
+    }
 
     /**
      * Send broadcast announce with TLV-encoded identity announcement - exactly like iOS
@@ -1127,6 +1183,10 @@ class BluetoothMeshService(private val context: Context) {
     fun getIdentityFingerprint(): String {
         return encryptionService.getIdentityFingerprint()
     }
+
+    fun getStaticNoisePublicKey(): ByteArray? {
+        return encryptionService.getStaticPublicKey()
+    }
 
     /**
      * Check if encryption icon should be shown for a peer
@@ -1283,6 +1343,8 @@ interface BluetoothMeshDelegate {
     fun didReceiveChannelLeave(channel: String, fromPeer: String)
     fun didReceiveDeliveryAck(messageID: String, recipientPeerID: String)
     fun didReceiveReadReceipt(messageID: String, recipientPeerID: String)
+    fun didReceiveVerifyChallenge(peerID: String, payload: ByteArray, timestampMs: Long)
+    fun didReceiveVerifyResponse(peerID: String, payload: ByteArray, timestampMs: Long)
     fun decryptChannelMessage(encryptedContent: ByteArray, channel: String): String?
     fun getNickname(): String?
     fun isFavorite(peerID: String): Boolean

app/src/main/java/com/bitchat/android/mesh/MessageHandler.kt

@@ -157,6 +157,14 @@ class MessageHandler(private val myPeerID: String, private val appContext: andro
                     // Simplified: Call delegate with messageID and peerID directly
                     delegate?.onReadReceiptReceived(messageID, peerID)
                 }
+                com.bitchat.android.model.NoisePayloadType.VERIFY_CHALLENGE -> {
+                    Log.d(TAG, "🔐 Verify challenge received from $peerID (${noisePayload.data.size} bytes)")
+                    delegate?.onVerifyChallengeReceived(peerID, noisePayload.data, packet.timestamp.toLong())
+                }
+                com.bitchat.android.model.NoisePayloadType.VERIFY_RESPONSE -> {
+                    Log.d(TAG, "🔐 Verify response received from $peerID (${noisePayload.data.size} bytes)")
+                    delegate?.onVerifyResponseReceived(peerID, noisePayload.data, packet.timestamp.toLong())
+                }
             }
 
         } catch (e: Exception) {
@@ -611,4 +619,6 @@ interface MessageHandlerDelegate {
     fun onChannelLeave(channel: String, fromPeer: String)
     fun onDeliveryAckReceived(messageID: String, peerID: String)
     fun onReadReceiptReceived(messageID: String, peerID: String)
+    fun onVerifyChallengeReceived(peerID: String, payload: ByteArray, timestampMs: Long)
+    fun onVerifyResponseReceived(peerID: String, payload: ByteArray, timestampMs: Long)
 }

app/src/main/java/com/bitchat/android/model/NoiseEncrypted.kt

@@ -21,6 +21,8 @@ enum class NoisePayloadType(val value: UByte) {
     PRIVATE_MESSAGE(0x01u),     // Private chat message with TLV encoding
     READ_RECEIPT(0x02u),        // Message was read
     DELIVERED(0x03u),           // Message was delivered
+    VERIFY_CHALLENGE(0x10u),    // Verification challenge
+    VERIFY_RESPONSE(0x11u),     // Verification response
     FILE_TRANSFER(0x20u);