SMS Forward is a secure Android application designed to forward SMS messages from one device (Sender) to another (Receiver) using a custom Spring Boot backend as a relay.
- End-to-End Encryption: Messages are encrypted locally using AES-GCM before being sent.
- Atomic Pop (Burn-After-Reading): Messages are deleted from the server immediately upon retrieval.
- Zero-Knowledge Backend: The relay server never sees your pairing code, encryption keys, or plaintext messages.
- Secure Persistence: Message history is stored securely on-device using Jetpack DataStore and encrypted with Google Tink.
- Modern UI: Built entirely with Jetpack Compose following Material 3 guidelines.
The project includes its own Spring Boot backend located in the backend/ directory.
- Navigate to the `backend/` directory.
- Run `./gradlew bootRun`.
- The backend will start on `http://localhost:8080`.
- For Android Emulator access, the app is configured to use `http://10.0.2.2:8080`.
The application implements End-to-End Encryption (E2EE) for all forwarded messages.
When you pair two devices, they share a Pairing Code (a 12-character alphanumeric string). This code acts as the shared secret and never leaves the devices.
- Encryption Key: Derived from the Pairing Code using AES-256.
- Routing ID: A deterministic hash of the Pairing Code used as a "mailbox address" on the relay.
We use AES-GCM (Advanced Encryption Standard - Galois/Counter Mode):
- Confidentiality: Only devices with the Pairing Code can read messages.
- Integrity: GCM ensures messages haven't been tampered with in transit.
- Randomized IV: A fresh 12-byte Initialization Vector is generated for every message, ensuring that identical SMS content results in different ciphertexts.
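The Pairing Code split and the AES-GCM envelope described above, as an added example that is not the project's own code. The KDF (PBKDF2-HMAC-SHA256), salt, iteration count, the "key"/"route" labels, the `IV || ciphertext || tag` layout and the use of the Routing ID as associated data are all assumptions; the point shown is that the value the relay sees is derived separately from the AES key.

```kotlin
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.Mac
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

// Assumed, not taken from the project: KDF choice, fixed salt, iteration count, labels.
private val SALT = "sms-forward-example-salt".toByteArray()
private fun hmac(key: ByteArray, label: String): ByteArray =
    Mac.getInstance("HmacSHA256").run { init(SecretKeySpec(key, "HmacSHA256")); doFinal(label.toByteArray()) }

/** Stretch the Pairing Code once, then split it into two independent values. */
fun derive(pairingCode: String): Pair<SecretKeySpec, String> {
    val spec = PBEKeySpec(pairingCode.toCharArray(), SALT, 210_000, 256)
    val master = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
    val key = SecretKeySpec(hmac(master, "key"), "AES")              // 256-bit key, stays on the devices
    val routingId = hmac(master, "route").joinToString("") { "%02x".format(it) } // mailbox address for the relay
    return key to routingId
}

/** Returns 12-byte IV || ciphertext || 16-byte GCM tag; the Routing ID is bound as AAD. */
fun seal(key: SecretKeySpec, routingId: String, plaintext: ByteArray): ByteArray {
    val iv = ByteArray(12).also { SecureRandom().nextBytes(it) }     // fresh IV for every message
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(128, iv))
    cipher.updateAAD(routingId.toByteArray())
    return iv + cipher.doFinal(plaintext)
}

/** Throws AEADBadTagException if the blob or the Routing ID was altered. */
fun unseal(key: SecretKeySpec, routingId: String, blob: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, blob, 0, 12))
    cipher.updateAAD(routingId.toByteArray())
    return cipher.doFinal(blob, 12, blob.size - 12)
}

fun main() {
    val (key, routingId) = derive("A1b2C3d4E5f6")                    // constructed 12-character code
    val sms = "+15550100: your code is 424242".toByteArray()         // constructed message
    val a = seal(key, routingId, sms)
    val b = seal(key, routingId, sms)
    check(!a.contentEquals(b))                                       // identical SMS, different ciphertext
    check(unseal(key, routingId, a).contentEquals(sms))              // round trip on the Receiver
    a[a.size - 1] = (a[a.size - 1].toInt() xor 1).toByte()           // simulate the relay flipping one bit
    check(runCatching { unseal(key, routingId, a) }.isFailure)       // tampering is rejected
}
```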
On-device message history is persisted using Jetpack DataStore (ProtoBuf). To protect against local data theft on rooted devices, the DataStore is encrypted using Google Tink (Android Keystore).
The backend acts as a temporary relay. Messages are ephemeral:
- Atomic Retrieval: Once the Receiver fetches a message, it is instantly deleted from the server's memory.
- No Persistence: The backend uses in-memory storage; a server restart clears all pending messages.
- Zero-Knowledge Architecture: The server only sees a Routing ID and encrypted blobs. It never sees the Pairing Code or Encryption Keys.
- Authenticated Encryption: AES-GCM detects any tampering by the server or a man-in-the-middle.
- No Plaintext Leaks: Phone numbers and message bodies are encrypted before leaving the Sender device.
- Privacy by Design: The "Atomic Pop" behavior ensures your data doesn't linger on third-party infrastructure.



