HostShield v6.3.0

HostShield v6.3.0 — Security Hardening & Architecture Audit

Comprehensive security audit, architecture refactoring, and error handling improvements across the entire codebase. Net -1,400 lines (cleaner, more maintainable).

Security Hardening

• PBKDF2 PIN hashing — parental control PIN upgraded from SHA-256 to PBKDF2-HMAC-SHA256 (210K iterations) with automatic seamless migration on next login
• Encrypted backups — optional AES-256-GCM encryption for backup files with passphrase; existing plaintext backups remain readable
• DoH fail-closed — removed unpinned fallback client; all DoH queries now require certificate pinning (no silent downgrade)
• DoT response boundary check — rejects malformed/oversized DNS responses (12-4096 bytes)
• HTTPS-only sync URLs — remote rule sync enforces HTTPS with 10MB size limit and SHA-256 integrity hashing for change detection
• Shell injection prevention — RootUtil: quoted all file paths, replaced sed-based operations with Kotlin-side filtering
• WireGuard nonce randomization — transport nonces now randomly initialized to prevent reuse across sessions
• GeoIP HTTPS migration — switched from ip-api.com (HTTP) to ipapi.co (HTTPS, higher rate limits)
• Google Tink ProGuard rules — added for EncryptedSharedPreferences compatibility

Architecture Refactoring

• Preferences facade — AppPreferences now delegates to 6 domain-specific managers (BlockingPreferences, DnsPreferences, FirewallPreferences, SecurityPreferences, UiPreferences, SyncPreferences) while maintaining backward compatibility
• PacketClassifier extraction — IPv4/IPv6 packet classification logic extracted from DnsVpnService into standalone singleton for testability
• BlocklistHolder unified trie walk — single traversal gathers all decision signals instead of multiple passes
• SettingsScreen decomposition — massive UI extracted into dedicated section composables (DNS, VPN, Protection, Network Firewall)
• SettingsViewModel consolidation — 30+ separate flows grouped into 5 combined() flows

Database Optimization

• DB v12 -> v14 — two new migrations adding composite indices:
  • dns_logs(app_package, blocked, timestamp) for per-app drill-down
  • host_sources(enabled) and host_sources(category) for source filtering
  • user_rules(enabled, type) for rule filtering

Error Handling & UI

• Loading/error states on Logs, Firewall, and Sources screens with persistent error banners and dismiss actions
• Search history chips on Home screen for quick re-access
• Accessibility — content descriptions added to icon-only elements on AppsScreen
• BootReceiver lifecycle — SupervisorJob with explicit cancellation prevents orphaned coroutines
• BlockNotificationService — scope lifecycle tied to start/stop to prevent reuse after cancellation

Stats

• versionCode 56
• Net -1,400 lines (1,500 added, 2,900 removed)
• 34 files changed

HostShield v6.2.0

HostShield v6.2.0 — Major Release

The biggest update yet: 7 new versions (v5.2 through v6.2) with encrypted DNS protocols, content filtering, parental controls, threat intelligence, and 31+ screens.

Encrypted DNS (v6.0 - v6.2)

• DNS-over-TLS (RFC 7858) — TLSv1.3, 4 providers (Cloudflare, Google, Quad9, AdGuard)
• DNS-over-QUIC (RFC 9250) — QUIC Initial framing, 3 providers (AdGuard, NextDNS, Mullvad)
• WireGuard DNS Proxy — Noise_IKpsk2 handshake, AES-256-GCM transport encryption
• Unified dispatch chain: WireGuard > DoQ > DoT > DoH > UDP with automatic fallback

Content Filtering & Parental Controls (v6.1 - v6.2)

• 12+ content filter categories with suffix matching (toggle per category)
• Parental controls with 3 age profiles (Child/Teen/Adult) and PIN lock
• Per-app DNS rules — wildcard + exact match, allow > block precedence
• Safe Search enforcement — DNS-level rewriting for Google, Bing, DDG, YouTube

Threat Intelligence (v5.2 - v6.0)

• 4 threat intel feeds: abuse.ch URLhaus, Spamhaus DROP/EDROP, Emerging Threats, Disconnect Malware
• IPv4 radix trie for O(1) CIDR lookup, daily auto-refresh
• Network tracker detection: 200+ tracker domains (Disconnect + DuckDuckGo Tracker Radar)
• Wired into all DNS forwarding paths for domain + IP blocking

Privacy & Security

• 405 tracker SDK signatures (Exodus-style APK scanning, 8 categories)
• Captive portal handling — auto-pause VPN, show login notification, auto-resume
• TLS fingerprinting (JA3/JA4) for IPv4 and IPv6 non-DNS TCP packets
• Encrypted backups (AES-256-GCM, PBKDF2 key derivation)
• Crash reporter with expandable stack traces

New Screens (7)

• Content Filter, Parental Controls, DNS Benchmark, WebDAV Sync, Crash Reports, QR Config, TLS Fingerprints

Infrastructure

• No-VPN proxy mode — DNS blocking without VPN or root (port 5353)
• Local DNS server — portable Pi-hole mode with encrypted upstream
• QR code config sharing (GZIP+Base64)
• WebDAV cloud sync for settings backup
• DNS stamp parser (sdns:// DNSCrypt spec)
• Schedule presets (Focus, Sleep, Family, Work, Kids)
• Jetpack Glance widgets (toggle + stats)
• Vico charts (line, column, donut, histogram, horizontal bar)
• Lottie shield animation

Release Hardening Audit (v6.2)

• Fixed operator precedence bugs across 6 files (and 0xFF shl 8 → (and 0xFF) shl 8)
• Fixed WireGuardProxy returning plaintext on crypto failure
• Fixed OkHttp response leaks in 8 files
• Fixed shell command injection in RootUtil
• Fixed OfflineGeoIp overly broad 172.x private IP check
• Added ProGuard rules for new classes

Stats

• 52/52 roadmap items complete
• 31+ screens, 100+ Kotlin files
• DB v12 (12 migrations)
• versionCode 55

HostShield v5.0.0

v5.0.0 — Core Engine Upgrades

Major performance and reliability release focused on the DNS cache, blocking engine, and GeoIP subsystem.

DNS Cache Overhaul

• Serve-stale (RFC 8767) — Returns expired cache entries during WiFi/cellular transitions. 3-day stale window with 30s stale TTL. Background refresh on stale serve
• Negative caching (RFC 2308) — NXDOMAIN/NODATA responses cached with SOA-derived TTL
• SERVFAIL caching (RFC 9520) — Short-TTL caching prevents retry storms on upstream failures
• Cache prefetching (Unbound algorithm) — When TTL < 10% remaining and domain queried 3+ times, refreshes in background. Near-zero latency for popular domains
• Configurable TTL caps — 60s minimum floor, 24h maximum ceiling via Settings

Blocking Engine Performance

• Hash set fast path — O(1) exact-match lookup before trie traversal. ~2x faster for 90% of queries
• Filter decision LRU cache — 8K-entry cache for isBlocked() results. Skips trie entirely for hot domains
• Both caches auto-invalidated on blocklist update

CNAME Cloaking Enhancements

• CNAME cloak databases — Auto-updated from AdGuard cname-trackers + NextDNS cname-cloaking-blocklist
• SVCB/HTTPS record parsing — Detects SVCB-based cloaking via TYPE 64/65 TargetName extraction
• CnameCloakUpdater runs alongside HostsUpdateWorker on each periodic refresh cycle

Offline GeoIP

• MaxMind GeoLite2 — Bundled Country + ASN databases (~14MB). Unlimited lookups, zero-latency, no rate limits
• Replaces ip-api.com for country/ASN lookups (ip-api.com retained for city-level detail)
• Auto-initializes on app startup via appScope coroutine

Other

• ProGuard rules for CnameCloakUpdater, DnsCache.CacheResult, OfflineGeoIp, MaxMind/Jackson
• Updated README with comprehensive feature tables and architecture diagram
• Competitive research document added (docs/RESEARCH.md)

HostShield v4.6.0

HostShield v4.6.0

New Features

DNS Latency Sparkline (Home)

• Live mini-graph showing last 20 DNS response times as a smooth line chart
• Average latency displayed inline with query rate (e.g. "42 ms")
• Peach-colored sparkline updates every 5 seconds

Source Summary Stats (Sources Screen)

• Total domain count across all active sources (formatted with separators)
• Total download size (KB/MB)
• Unhealthy source count badge (only shown when > 0)

Search History (Home)

• Recent searches persisted to DataStore (last 10)
• History chips shown below search bar when field is empty
• Tap a chip to re-run that search instantly

Query Type Distribution (Stats)

• Color-coded horizontal bar chart showing A/AAAA/CNAME/MX/TXT/etc
• Percentage and absolute count per type
• 7-day window, auto-updates

Per-App DNS Drill-down (v4.5.0)

• Tap any app in "Top Querying Apps" on Home to see its DNS activity
• Two tabs: Domains (aggregated counts) and Timeline (chronological)
• Stats summary: allowed/blocked/unique domains

Quick Actions in Log Detail (v4.5.0)

• Permanent "Block Domain" / "Allow Domain" buttons in detail sheet
• Complements existing temporary allow (5m/15m/30m/1h)

Previous Releases in This Series

• v4.4.0: Interface labels, DNS cache controls, expanded notification, top apps
• v4.3.2: UI fixes (FlowRow wrapping, text field sizing)
• v4.3.1: 5 bug fixes from comprehensive audit
• v4.3.0: Notification pause/resume, CNAME cloak badge, source health alerts
• v4.2.0: DNS log data starvation fix, IPv6 DoH, fd error recovery
• v4.1.0: Custom DNS UI, firewall export, audit log viewer, anomaly detection
• v4.0.0: Infrastructure (audit logging, caching, stability metrics, DB v9)

HostShield v4.3.2

HostShield v4.3.2

UI Fixes

• Source category chips no longer smushed — replaced single-Row layout with FlowRow, chips now wrap to multiple lines naturally on any screen width
• Custom upstream DNS field — removed fixed 44dp height that clipped text; uses defaultMinSize(52dp) for proper padding
• Search bar — removed fixed 48dp height; uses defaultMinSize(52dp), text bumped to 14sp for readability
• DoH provider selector — single FlowRow replacing hardcoded two-row split; wraps naturally on narrow screens
• Feature status pills — FlowRow wrapping (DoH, DNS Trap, Firewalled, iptables) for narrow displays
• Category chip sizing — padding increased (8x5dp -> 10x6dp), text 10sp -> 11sp, count text 8sp -> 9sp

HostShield v4.3.1

HostShield v4.3.1

Bug Fixes (5 bugs from comprehensive audit)

• AutomationReceiver rate limiting fixed — rate limit state was lost on every broadcast delivery because BroadcastReceivers are re-created per intent. Moved to static companion object so rate limiting actually persists across calls.
• GeoIpLookup race condition fixed — concurrent lookups could both reset the rate limit window simultaneously. Now uses atomic compareAndSet() for thread-safe window resets.
• Source health notification channel — SourceHealthWorker now creates the alert notification channel before posting, fixing silent notification drops when VPN service hasn't started yet.
• Pause/resume thread safety — pauseResumeJob now @Volatile for proper cross-thread visibility between main thread and service coroutines.
• Query anomaly baseline thread safety — baselineRates list now synchronized, baselineQpm now @Volatile to prevent data races in anomaly detection.

What's New Since v3.9.0 (this release session)

v4.3.0 — UX Polish

• Notification pause/resume — "Pause 5m" action in VPN notification, shows "Resume" when paused
• CNAME CLOAK badge — red badge in DNS log detail sheet for CNAME-cloaked blocked entries
• Source health alerts — push notification when blocklist sources go DEAD
• Pretty upstream labels — "DoH: Cloudflare" instead of raw provider enum
• Alert notification channel for non-VPN system alerts

v4.2.0 — Core DNS Fixes

• DNS log data starvation fixed — CNAME chains, resolved IPs, response time, and upstream server now written to database (detail sheet was previously blank)
• CNAME-blocked domains now logged — were silently counted without log entry
• fd error tracking + auto-restart — TUN fd errors increment counter and trigger VPN restart
• IPv6 DoH support — IPv6 queries now honour DoH setting (was always plaintext)
• IPv6 DNS cache — cache lookup added for IPv6 queries (was missing entirely)
• DohBypassUpdater — uses shared OkHttpClient singleton instead of creating new instances

v4.1.0 — UI & Tooling

• Custom upstream DNS — editable text field in Settings > DNS with live save
• Firewall rule export/import — JSON export of per-app network rules
• Automation audit log viewer — new screen in Settings > Tools
• Query rate anomaly detection — warns on Home when rate exceeds 3x baseline
• Dropped queries banner + cache hit rate on Home dashboard

v4.0.0 — Infrastructure

• Automation API hardening — 5-second rate limiting per action/caller + full audit logging to Room DB
• GeoIP rate limiter — 40 req/min window + exponential backoff on 429
• OkHttpClient pooling — Hilt singleton replaces per-request client creation
• Tracker scan caching — Room-backed cache with 7-day TTL, version-aware invalidation
• VPN stability metrics — uptime, rebuilds, fd errors, dropped queries tracked daily
• DNS Cache card — hit rate, entries, evictions in Stats screen
• VPN Health card — healthy/unstable/degraded rating with 7-day aggregation
• Log buffer overflow detection — offer() replaces add(), tracks drops atomically
• Database v9 (3 new tables: tracker_scan_cache, automation_audit_log, vpn_stability)

HostShield v3.7.0

HostShield v3.7.0

75 Kotlin source files | 20,800+ source lines | 20+ screens | DB v7

New in v3.7.0

Per-App Privacy Report

Grade each app A through F based on DNS tracking behavior. AppPrivacyScorer analyzes:

• Tracker domain connections (analytics, telemetry, ad networks)
• Suspicious TLD queries
• Block rate and query volume
• Detailed insights and top blocked domains per app

Full privacy report screen with average score, worst offenders, and expandable app cards.

Rule Sync via URL

Subscribe to remote hosts-format block lists that auto-sync during periodic updates. Configure multiple URLs in DNS Tools > Config > Remote Rule Sync. Domains are fetched and merged into the active blocklist on every HostsUpdateWorker cycle.

Blocked Domain Trends

New DAO queries for comparing recent (24h) vs previous (24h) blocked domains, enabling trending analysis of which trackers are increasing or decreasing.

Live Query Rate Gauge

Real-time queries/min and blocks/min displayed on the Home dashboard. Updates every 5 seconds from the VPN live query stream.

Category Quick Toggles

One-tap enable/disable entire source categories directly from the Home screen. Shows enabled/total count badges.

---

Cumulative Features (v3.0.0 → v3.7.0)

Category	Features
DNS Blocking	Trie lookup, CNAME cloaking, DNS cache, DoH bypass (65+ domains), DNS trap, multiple upstream DNS
Modes	VPN mode, Root mode, per-app firewall (iptables)
Rules	Exact, wildcard, regex patterns, redirect, temporary allow, clipboard import
Sources	8 categories (incl. allowlists), overlap analysis, health check, changelog tracking, Pi-hole import
Privacy	Privacy score (0-100), per-app privacy grades (A-F), suspicious TLD detection, domain age check
Monitoring	DNS latency chart, 7-day trends, hourly activity, query type filter, search history
Tools	DNS leak test, rule tester, hosts editor, DNS tools (lookup/ping/traceroute), diagnostic export
Scheduling	Bedtime mode, WiFi SSID profiles, time-based profile switching
Export	Stats CSV, PCAP, shareable blocklist, backup/restore, auto-backup
UX	App shortcuts, 2 widgets, deep links, accent colors, notification actions, domain pinning
Integration	Automation API (Tasker/MacroDroid), rule sync URLs, remote DoH list updates

Install

Download the APK below and install. Onboarding wizard guides setup.

HostShield v3.6.0

HostShield v3.6.0

72 Kotlin source files | 20,392 source lines | 17+ screens | DB v7

Massive feature update spanning v3.1.0 through v3.6.0 — 42 new features across 6 releases.

---

New in v3.6.0

Live Query Rate

Real-time queries/min and blocks/min gauge displayed on the Home dashboard. Updates every 5 seconds from the VPN live query stream.

Category Quick Toggles

One-tap enable/disable entire source categories (Ads, Trackers, Malware, Adult, etc.) directly from the Home screen. Shows enabled/total count per category.

Hosts File Editor

Direct /etc/hosts editor for root mode. View and edit the raw hosts file with line count, entry count, syntax highlighting, and save/reload.

Pi-hole Import

Import Pi-hole teleporter backups — supports domainlist CSV (exact/regex block/allow), adlist URLs, and plain gravity domain lists. Auto-detected during import.

Deep Link Handler

Open specific screens via hostshield:// URLs:

• hostshield://logs — DNS Logs
• hostshield://stats — Statistics
• hostshield://settings — Settings
• hostshield://firewall — Firewall
• hostshield://leak-test — DNS Leak Test

Notification Quick Actions

Block alert notifications now include Firewall App and View Logs action buttons for immediate response without opening the full app.

---

v3.5.0 Features

• Rule Test Playground — Test if domains match your exact, wildcard, or regex rules with match source details
• Temporary Allow — Unblock a domain for 5/15/30/60 minutes with automatic re-blocking
• Domain Age Checker — RDAP-based registration age lookup; flags domains <30 days old
• Stats Widget — Second home screen widget showing blocked today, queries, and block rate
• Privacy Score Card — Circular progress score on Home dashboard with pass/fail count
• Search History — Last 10 searches remembered in DNS logs

v3.4.0 Features

• Privacy Score — 0-100 protection rating based on 11 configuration factors
• Scheduled Blocking — Auto-enable/disable by time window (bedtime mode / work hours)
• Query Type Filter — Filter DNS logs by A, AAAA, CNAME, MX, TXT record types
• Suspicious TLD Detection — Flags queries to high-abuse TLDs (.tk, .xyz, .onion, etc.)
• Batch Source Health Check — One-tap reachability test for all enabled sources

v3.3.0 Features

• DNS Leak Test — Built-in verification that DNS queries route through HostShield
• Import from Clipboard — Paste domains to bulk-add as block rules
• Accent Color Picker — 6 accent colors (Teal, Blue, Purple, Green, Pink, Peach)
• Auto Backup — Scheduled backup to app storage with 5-backup rotation
• IP Blocking — Block connections to specific IP addresses
• Domain Pinning — Pin/star domains from log detail sheet for monitoring

v3.2.0 Features

• App Shortcuts — Long-press launcher icon: Toggle, Refresh Lists, Open Logs
• Enhanced Widget — Blocked today count, mode badge, last update time
• Bulk Log Actions — Multi-select domains with long-press, batch block/allow
• DNS Latency Chart — Per-hour average and peak response time visualization
• Network-aware Profiles — Auto-switch blocking profiles by WiFi SSID
• Regex Rules — Block/allow domains by regex pattern with live validation
• Domain Reputation — One-tap VirusTotal, URLhaus, Whois lookup from log detail
• Source Update Changelog — Track new/removed domains between blocklist updates

v3.1.0 Features

• Scheduled DoH Bypass Updates — Remote DoH domain list refreshed on every periodic cycle
• Multiple Upstream DNS — Comma-separated servers with automatic fallback
• Auto Update Check — Silent check on Settings open, shows banner only for updates
• Allowlist Sources — 3 curated sources (Anudeep x2, HaGeZi) auto-subtracted from blocklist
• Blocklist Overlap Analysis — Pairwise source comparison with efficiency metrics
• Stats CSV Export — Daily stats, top blocked domains, top apps as CSV

---

Cumulative Stats (v3.0.0 → v3.6.0)

Metric	v3.0.0	v3.6.0
Kotlin source files	62	72
Source lines	17,458	20,392
UI screens	9	17+
Database version	6	7
Source categories	7	8 (+ ALLOWLIST)
Import formats	4	6 (+ Pi-hole, clipboard)
Widgets	1	2 (toggle + stats)
App shortcuts	0	3
Deep link routes	0	8

---

Install

Download the APK below and install. The onboarding wizard guides you through VPN or Root mode setup.

v3.0.0 BETA

New in v3.0.0

DNS Response Cache (LRU + TTL)

DnsCache — 2000-entry positive cache + 500-entry negative cache with TTL-aware expiration. Integrated into all forwarding paths (UDP, UDP fallback, DoH, IPv6). Serves repeated queries from memory instead of hitting upstream.

• TTL extracted from DNS response (minimum across all RRs)
• TTL clamped to 10s floor / 1 hour ceiling
• Truncated and SERVFAIL responses never cached
• NXDOMAIN cached with shorter 60s TTL
• LRU eviction when cache is full
• Cache stats: hit rate, size, eviction count
• Transaction ID patching on cache hits

CNAME Cloaking Detection

CnameCloakDetector — Inspects DNS response CNAME chains against the active blocklist. Catches first-party CNAME cloaking (the #1 technique ad networks use to bypass DNS blockers).

• Extracts all CNAME targets from answer section
• Checks each target against BlocklistHolder
• Integrated into all forwarding paths — if any CNAME target is blocked, the entire response is replaced with a block response
• Also extracts resolved IPs from responses for detail view
• Max chain depth of 10 to prevent abuse

Database Migration System

Migrations.kt — Proper Room database migrations for safe upgrades from any version. Prevents the crash-on-update bomb that existed in v2.x.

• MIGRATION_5_6: Adds response_time_ms, upstream_server, cname_chain, resolved_ips columns to dns_logs
• Registered in DatabaseModule alongside existing migrations
• fallbackToDestructiveMigration() kept as safety net

DnsLogEntry Enhanced Schema

4 new columns for per-query detail view:

• response_time_ms — Latency tracking (INT)
• upstream_server — Which DNS server answered (TEXT)
• cname_chain — Comma-separated CNAME targets found (TEXT)
• resolved_ips — Comma-separated answer IPs (TEXT)

7-Day Trend Line Chart

TrendLineChart composable in Stats screen — dual-line canvas chart showing blocked (red) vs. total (blue) queries per day over the past week. Day labels, data points, and legend.

New DailyBreakdown query in DnsLogDao groups by date with blocked/total counts.

Diagnostic Report Generator

DiagnosticExporter — Generates comprehensive text report for debugging:

• Device info (model, Android version, ABI, kernel)
• App config (block method, DoH, DNS trap, firewall, etc.)
• Blocklist stats
• Last 50 DNS log entries
• VPN interface state (TUN detection)
• System DNS servers
• Private DNS detection
• Shareable via Android share sheet (FileProvider)

CI/CD Pipeline

.github/workflows/ci.yml — GitHub Actions workflow:

• test: Runs testFullDebugUnitTest on push/PR
• build: Builds both full and play debug APKs (matrix strategy)
• release: Attaches release APKs to GitHub Releases
• Gradle caching for fast builds
• Test result upload as artifacts

DNS Cache Integration in Forwarding

All forwarding methods now:

1. Check cache before sending upstream query
2. Run CNAME cloaking detection on upstream response
3. Cache successful responses with TTL
4. Block if any CNAME target is in blocklist

Repository Layer

Added getDailyBreakdown() passthrough for 7-day trend chart.

New DAO Queries

• getLogsForApp(pkg) — Filter DNS logs by app package
• getById(id) — Single log entry lookup for detail view
• getDailyBreakdown(since) — Daily blocked/total aggregation for trend charts

---

Files Changed/Added in v3.0.0

New files:

• DnsCache.kt (238 lines) — DNS response cache
• CnameCloakDetector.kt (202 lines) — CNAME cloaking detection
• DiagnosticExporter.kt (211 lines) — Diagnostic report generator
• Migrations.kt (38 lines) — Database migration v5→v6
• .github/workflows/ci.yml — CI/CD pipeline

Modified:

• DnsVpnService.kt (1628→1621) — Cache + CNAME integration, dead code removal
• Entities.kt (128→132) — 4 new DnsLogEntry columns
• Daos.kt (354→378) — 3 new queries + DailyBreakdown projection
• HostShieldDatabase.kt — version 5→6
• DatabaseModule.kt — MIGRATION_5_6 registered
• HostShieldRepository.kt — getDailyBreakdown()
• StatsScreen.kt (391→480) — 7-day trend chart + TrendLineChart composable
• SettingsScreen.kt — Diagnostics section
• SettingsViewModel.kt — generateDiagnosticReport()

HostShield v1.0.0 BETA

Changelog

• CRITICAL FIX: VPN now uses DNS-only routing (no more dropped non-DNS traffic)
• CRITICAL FIX: VPN mode now builds and loads the blocklist before starting
• CRITICAL FIX: Added <property> tag for specialUse foreground service (Android 14+ crash fix)
• CRITICAL FIX: startForeground() now passes foregroundServiceType (Android 14+ requirement)
• CRITICAL FIX: Thread-safe TUN writes via Channel serializer (no more concurrent I/O)
• CRITICAL FIX: NXDOMAIN response now sets AA/RA flags for proper resolver acceptance
• Block/whitelist domains directly from DNS log entries (tap to expand, inline actions)
• Log filtering: All / Blocked / Allowed filter chips with live counts
• Detailed log expansion: query type badge, full timestamp, copy/block/whitelist buttons
• Settings dialogs: IPv4/IPv6 redirect, update interval, and log retention all editable in-app
• POST_NOTIFICATIONS permission request on Android 13+
• Proper enableEdgeToEdge() + deprecation-safe status/nav bar coloring for API 35
• Wildcard rules checked during VPN real-time filtering (not just hosts file build)
• SharedBlocklistHolder pattern for safe ViewModel↔Service blocklist handoff
• Daily stats aggregation from VPN service into BlockStats table
• Boot receiver now re-schedules health and cleanup workers
• Statistics dashboard with custom Canvas charts
• Wildcard pattern blocking, source health monitoring
• Onboarding wizard, log cleanup worker
• VPN DNS blocking, DoH resolver, homescreen widget
• App exclusions, hosts diff viewer, backup/restore
• Auto-updates via WorkManager, boot persistence
• MVVM architecture with Hilt DI, Room database
• Root hosts file blocking with Magisk support
• 8 pre-seeded sources, AMOLED dark theme