Documentation

1. Spectre Solutions

Spectre Solutions specializes in the development of security-hardened mobile solutions.
Our focus is on creating systems built on encrypted communication, comprehensive mobile security, and full user control over the device.

We also provide custom-tailored security solutions designed to meet the specific needs of enterprises, institutions, and individuals with high security requirements.
We engage with our clients across all stages—consulting, security architecture design, implementation, and long-term maintenance.

Spectre Solutions unifies technology, expertise, and infrastructure into a complete service that goes beyond standard hardware and software offerings.
All our services and infrastructure are hosted exclusively in data centers located in Switzerland, ensuring compliance with the highest security standards.

Our flagship product is the Spectre Phone—a hardened mobile device based on Google Pixel hardware running Castrum OS, a custom operating system free of Google services and tracking systems.
It provides users with complete technical and data control over the device and its operation.

1.1 Target Audience

Spectre Solutions develops solutions for users who require a high level of security, privacy, and control over their mobile devices.
Our offerings are primarily intended for:

• Organizations and individuals managing sensitive data
• Users operating in high-surveillance-risk environments
• Those seeking to operate independently of commercial ecosystems

1.2 Our Security Approach

Spectre Solutions is built on the principles of security by design and the zero-trust model.
Our solutions are engineered to eliminate reliance on third-party services at the system level, minimize attack surfaces, and ensure users maintain complete control over all components of their device.

Core principles of our approach include:

• Elimination of telemetry and all forms of tracking
• Data encryption using proven cryptographic standards
• A hardened system kernel and exploit mitigation techniques
• An isolated infrastructure with no ties to Google or other commercial services

2. Spectre Phone

Spectre Phone is not an ordinary smartphone — it is a dedicated security solution with integrated components for encrypted communication, secure internet access, data protection, and system-level control.
The device contains no commercial apps, tracking elements, or background services that could compromise user privacy.

2.1 What’s Included

Spectre Phone is a pre-configured security solution, ready for immediate use.
Upon purchase, the user receives a fully prepared system that includes the following key components:

• Google Pixel device with pre-installed Castrum OS
• Secure WireGuard VPN
• Extended European eSIM package
• Encrypted communication application
• Private App Store
• Device Control Center (DCC) for advanced system policies
• Encrypted support access via the pre-installed MyPhone app

2.2 Why Google Pixel

Spectre Phone is built exclusively on Google Pixel devices due to their unmatched technical control and security flexibility.
The key reasons for selecting Pixel hardware include:

• Unlockable bootloader – Enables secure installation of our custom OS with re-locking after configuration
• Titan M2 security chip – Hardware-backed integrity verification, secure key storage, and support for verified boot
• Long-term update support – Official firmware and open documentation ensure reliable maintenance
• No carrier bloatware – Clean devices without pre-installed third-party software or operator locks
• eSIM support – Essential for seamless integration with our global connectivity services
• Full control over hardware components – Including modem, Wi-Fi, and system partitions

Pixel devices are currently the only available Android hardware platform that enables system hardening, secure re-locking, and uncompromised support for hardware-bound encryption.

2.2.1 Supported Models

Spectre Phone is based on verified Google Pixel smartphones that support bootloader unlocking and secure installation of Castrum OS.
The following models are currently supported:

• Pixel 6 – Oriole
• Pixel 6a – Bluejay
• Pixel 6 Pro – Raven
• Pixel 7 – Panther
• Pixel 7a – Lynx
• Pixel 7 Pro – Cheetah
• Pixel 8 – Shiba
• Pixel 8 Pro – Husky
• Pixel 9 – Tokay
• Pixel 9a – Tegu
• Pixel 9 Pro – Caiman
• Pixel 9 Pro XL – Komodo

The list of supported devices is regularly updated.

2.3 Warranty & Lifecycle

Each Spectre Phone is a brand-new device and undergoes full testing before delivery.
A 1-year hardware warranty is included, covering any defects under normal usage conditions.

The Castrum OS receives regular security and feature updates, ensuring long-term viability and continued protection throughout the device’s lifecycle.

3. Operating System: Castrum OS

Castrum OS is a security-hardened operating system based on the Android Open Source Project (AOSP), without any integration of Google services or external APIs.
It is an independently developed security platform that uses AOSP solely as a technical base.
The system introduces a custom multi-layered security architecture, independent control mechanisms, and removes all components that do not meet our strict security criteria.
It is designed and optimized for users who demand full control over their device, data, and communications.

3.1 Core Security Features

Castrum OS integrates advanced security mechanisms across the operating system, hardware, and communication stack.
It is built to protect against local, remote, and physical threats, with a focus on preventing vulnerabilities, unauthorized access, and tracking.

System-Level Security

• Verified Boot & Hardware-Backed Integrity
  Each system component is verified at boot using cryptographic signatures bound to the Titan M2 chip.
• AES-256 Full-Disk Encryption
  All data is encrypted with keys protected by hardware. Extraction is impossible without both physical access and the user’s passphrase.
• Wipe Password & Auto-Wipe
  A special duress password instantly erases the device. Additionally, data is automatically wiped after multiple failed unlock attempts.
• BFU Mode (Before First Unlock)
  After inactivity, the device enters a fully encrypted state where all data remains inaccessible without the primary decryption key.
• Attack Surface Reduction
  Non-essential system components such as Google Play Services, binders, legacy codecs, and Fused Location Provider (FLP) are removed to minimize vulnerability exposure.
• Process Isolation
  The system utilizes SELinux, seccomp-bpf, and Linux namespaces to isolate components and restrict kernel-level privileges.
• Permission Hardening
  All permissions are requested dynamically, and each app has strictly separated access to system resources.
  Users can manually disable access to network, sensors, location, etc.

USB & Network Control

• USB-C Port Management
  Can be set to “charge-only” mode. ADB and USB data transfer are disabled when the device is locked.
• WireGuard VPN Enforcement
  All traffic is routed through a secure VPN tunnel. Any traffic attempting to bypass the VPN is blocked at the system level.
• Legacy Protocol Removal
  Legacy VoIP, unencrypted DNS, outdated TLS protocols, and similar components are disabled or removed.

Application & Infrastructure Layer

• Application Sandboxing & Control
  All apps run in isolated contexts with minimal privileges.
  Background activity and access to sensors, Wi-Fi, and mobile data can be restricted.
• No Telemetry or Tracking
  The OS includes no advertising services, no Google ID, no FCM/GCM, and no third-party push services.
• Switzerland-Based Infrastructure
  OS updates, app store, and encrypted messaging servers are fully self-hosted and located in Switzerland.

3.2 System Architecture

Castrum OS is based on a layered, security-hardened architecture.
All components are modular, operate under minimal privilege, and are clearly separated by access level.

Kernel & Core System

• Hardened Kernel
  Configured with multiple security extensions:
  • CONFIG_CFI_CLANG (Control Flow Integrity)
  • CONFIG_SHADOW_CALL_STACK (ROP attack protection)
  • CONFIG_HARDENED_USERCOPY and Memory Tagging Extension (MTE)
  • seccomp-bpf syscall filtering
  • Removal of legacy drivers and unused components
• SELinux
  Custom policies restrict system and user services under least-privilege principles.
• Verified Boot
  System components are cryptographically signed and verified at every boot, enforced with Titan M2 hardware support.

System Separation & Control

• Sandboxing & Namespaces
  Each system service and app runs in an isolated context, preventing lateral movement within the OS.
• User-Controlled Feature Access
  Components like camera, GPS, networking, and USB can be managed and disabled via DCC.
• Infrastructure
  All services (updates, store, messaging) run on Swiss-based servers under full in-house control.

Data & Application Layer

• Partition-Level AES-256 Encryption
  Using fscrypt v2, integrated with verified boot for integrity and security.
• App Sandboxing & Permission Isolation
  Each application has:
  • Isolated filesystem access
  • Unique UID and SELinux context
  • Configurable per-app network access
• Separated Boot-Time Initialization
  Critical services and user apps are initialized separately to reduce exploitability during boot.

3.3 Device Control Center (DCC)

The Device Control Center (DCC) is a system-integrated policy management tool for Castrum OS.
It gives users full control over device behavior, apps, and communication channels—without requiring third-party MDM software or cloud connectivity.

All DCC functions operate locally at the system level and can be permanently locked, preventing changes by third parties or unauthorized apps.

3.3.1 DCC Policy Categories

1. System & Access

• Block Unknown Sources
• Block USB Storage / Debugging (ADB)
• Block Factory Reset
• Block Developer Options (including OEM Unlock)
• Restrict User Profiles & Guest Accounts

2. Network & Communication

• Block Bluetooth
• Disable Hotspot
• Enforce Always-On VPN
• Block Dialer / SMS (disable insecure protocols)
• Block Location Services

3. Data Protection

• Wipe Data (after 10 failed attempts)
• App-Level Data Encryption
• Enforce Password Complexity (alphanumeric, symbols)
• Restrict Cloud Backups (local storage only)

4. App Visibility & Interface Control

• Block Camera (software-level deactivation)
• Block Screen Capture / Recording
• Hide Specific Apps (Gallery, Camera, File Manager, SMS, Phone)

5. Biometrics

• Block Fingerprint Unlock / Authentication

DCC allows complete local control without relying on cloud-based MDM platforms, eliminating remote access risks.
It is suitable for both individuals and organizations who require fine-grained control over attack surfaces, communication flows, and functional exposure.

3.4 Update & Maintenance Policy

Castrum OS features its own secure update system to ensure long-term maintainability without dependence on external servers or OEM infrastructure.
All updates are developed, signed, and distributed exclusively through our infrastructure.

Update Mechanism

• OTA updates are delivered via encrypted channels from Swiss-based servers
• Updates are cryptographically signed and verified via Verified Boot prior to installation
• Updates can be triggered manually or scheduled for periodic automatic checks

Security Principles

• No integration with Google Play or its update mechanisms — full independence
• No updates introduce components that affect privacy or open additional system services
• No forced updates — users retain full control over when and how to update

4. Integrated Services

Spectre Phone includes all essential services required for secure, independent, and fully functional mobile use—without linking to user accounts, without sharing data with third parties, and without relying on external app providers.
All integrated features are native to Castrum OS, activated immediately upon device boot, and aligned with a strict no-telemetry, no-tracking security model.

4.1 Secure VPN

Spectre Phone includes a system-integrated VPN service based on the WireGuard protocol.
Secure VPN is preconfigured and automatically activated on first device boot.

Key features:

• Always-On Activation – VPN is permanently enabled; all traffic outside the VPN tunnel is blocked at the system level
• Encrypted Traffic – Uses verified cryptographic algorithms (ChaCha20-Poly1305 / AES-256)
• Anonymity – No logging of traffic, IP addresses, or metadata
• Strict No-Log Policy – No user activity or connection details are stored or processed

Secure VPN ensures that no app or service can access the internet without passing through a trusted encrypted tunnel.
The VPN service is included in the device or subscription plan.

4.2 Global eSIM

Each Spectre Phone comes with a preloaded eSIM data package, providing users with secure and private mobile connectivity – without a physical SIM card and without identification requirements.

Features of the eSIM package:

• Includes 5 GB of data per month for 12 months, totaling 60 GB, valid for 365 days from activation
• Operates across Europe and beyond, with automatic switching between supported carriers
• No registration, personal information, or documents required
• Not tied to any mobile operator or Google account
• Castrum OS treats the eSIM as a secure and fully locally managed interface – with no involvement from external profile managers or mobile carriers
• Once the data allowance is used up, additional data can be purchased

Supported Countries (55):
Albania, Andorra, Austria, Azerbaijan, Belarus, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Faroe Islands, Finland, France, Georgia, Germany, Gibraltar, Greece, Guernsey, Hungary, Iceland, Ireland, Isle of Man, Israel, Italy (including Vatican City), Jersey, Kosovo, Kyrgyzstan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Mayotte, Moldova, Montenegro, Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Russia, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom (UK), Uzbekistan

4.3 Secure Chat

Spectre Phone includes a proprietary secure messaging application designed to protect message content, metadata, and user identity.
All communication is handled via a private XMPP infrastructure hosted in Switzerland, with no phone numbers or external identifiers involved.

Key Features:

• End-to-End Encryption (OMEMO) – Messages, files, and calls are fully encrypted using the OMEMO protocol
• Anonymous Usage – No phone number, email, or registration required. Each user receives a system-generated unique identity
• Group Chats – Supports secure group conversations with full content encryption
• Local Encrypted Storage – All messages are stored only on the device, encrypted. No cloud sync or automatic backups
• Encrypted Voice Calls – Users can place encrypted VoIP calls within the secure infrastructure
• Closed Communication System – Communication is restricted to other Spectre Phone users. The system is intentionally closed to external traffic
• Swiss-Based Infrastructure – All servers are hosted under privacy-protective Swiss jurisdiction

4.4 Secure App Store

Spectre Phone includes a dedicated app store that operates independently of the Google ecosystem and requires no user account.
The store is a native component of Castrum OS and is designed for secure, transparent, and controlled app installation.

Key Features:

• No Google Account Required
  No sign-in, cloud sync, or identity assignment. All downloads are anonymous
• No Telemetry or Tracking
  App usage is not logged. No advertising identifiers or analytics libraries are used
• Manually Reviewed Apps
  Every app is manually verified and curated. Only applications compliant with Castrum OS’s security policy are included
• Local Permission Control
  During installation, users receive a clear overview of required permissions and can control access to camera, microphone, location, network, and more
• No Background Updates Without Consent
  All updates are manual and require explicit user approval. No silent or automated updates occur

Usage:

• The app store is accessible via the system menu
• Apps are downloaded via HTTPS from Swiss servers
• Downloaded APKs are verified and sandboxed before installation

The Castrum OS app store enables functional software usage without compromise—maintaining full user control while keeping the system closed and resistant to application-level intrusion.

5. Management & Support

Spectre Phone includes a dedicated technical support solution provided through the pre-installed MyPhone application.
Support services are implemented with the same security principles as the rest of the system.

Spectre Phone is delivered with basic usage documentation that covers key security features, initial setup, and access to support resources.

Available Documentation Formats

• Pre-installed on the device
  Basic instructions are accessible directly within the MyPhone app.
• Offline PDF
  Users receive the complete user guide in PDF format upon purchase.

Documentation Updates

• Documentation is updated in line with new Castrum OS versions.
• Users are notified through the system when major updates are released.