v6.3.0: Security hardening audit, preferences refactor, DB indices, error handling

Security: PBKDF2 PIN hashing (auto-migrates SHA-256), encrypted backups (AES-256-GCM),
DoH fail-closed (removed unpinned fallback), DoT response boundary check, HTTPS-only
sync URLs with 10MB limit + SHA-256 integrity hashing, RootUtil shell injection fixes
(quoted paths, removed sed), WireGuard nonce randomization, GeoIP switched to ipapi.co
(HTTPS).

Refactoring: AppPreferences facade over 6 domain-specific managers, DnsVpnService packet
parsing extracted to PacketClassifier, BlocklistHolder unified trie walk, SettingsScreen
decomposed into section composables, SettingsViewModel consolidated flows.

Database: v12->v14 migrations adding composite indices for dns_logs, host_sources,
user_rules (faster per-app drill-down, category filtering).

UI: Error/loading states on Logs/Firewall/Sources screens, search history chips on Home,
accessibility content descriptions on AppsScreen.

Bug fixes: BootReceiver SupervisorJob lifecycle, BlockNotificationService scope recreation,
captive portal HTTP documentation.

Author: SysAdminDoc

app/app/build.gradle.kts

@@ -1,4 +1,4 @@
-// HostShield v6.2.0
+// HostShield v6.3.0
 plugins {
     id("com.android.application")
     id("org.jetbrains.kotlin.android")
@@ -15,8 +15,8 @@ android {
         applicationId = "com.hostshield"
         minSdk = 26
         targetSdk = 35
-        versionCode = 55
-        versionName = "6.2.0"
+        versionCode = 56
+        versionName = "6.3.0"
 
         testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
 
@@ -145,6 +145,9 @@ dependencies {
     // DataStore for preferences
     implementation("androidx.datastore:datastore-preferences:1.1.1")
 
+    // AndroidX Security — EncryptedSharedPreferences (Roadmap #30)
+    implementation("androidx.security:security-crypto:1.1.0-alpha06")
+
     // Custom Tabs (captive portal login)
     implementation("androidx.browser:browser:1.8.0")
 

app/app/src/main/AndroidManifest.xml

@@ -23,13 +23,14 @@
 
     <application
         android:name=".HostShieldApp"
-        android:allowBackup="true"
+        android:allowBackup="false"
+        android:dataExtractionRules="@xml/data_extraction_rules"
         android:icon="@mipmap/ic_launcher"
         android:label="HostShield"
         android:networkSecurityConfig="@xml/network_security_config"
         android:supportsRtl="true"
         android:theme="@style/Theme.HostShield"
-        android:usesCleartextTraffic="true"
+        android:usesCleartextTraffic="false"
         tools:targetApi="35">
 
         <activity
@@ -85,7 +86,8 @@
         <receiver
             android:name=".service.BootReceiver"
             android:exported="true"
-            android:enabled="true">
+            android:enabled="true"
+            android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
             <intent-filter>
                 <action android:name="android.intent.action.BOOT_COMPLETED" />
                 <action android:name="android.intent.action.QUICKBOOT_POWERON" />

app/app/src/main/java/com/hostshield/HostShieldApp.kt

@@ -3,6 +3,8 @@ package com.hostshield
 import android.app.Application
 import androidx.hilt.work.HiltWorkerFactory
 import androidx.work.Configuration
+import com.hostshield.data.preferences.SecurityPreferences
+import com.hostshield.data.preferences.SyncPreferences
 import com.hostshield.service.CnameCloakUpdater
 import com.hostshield.service.ThreatIntelWorker
 import com.hostshield.util.OfflineGeoIp
@@ -20,6 +22,8 @@ class HostShieldApp : Application(), Configuration.Provider {
     @Inject lateinit var workerFactory: HiltWorkerFactory
     @Inject lateinit var cnameCloakUpdater: CnameCloakUpdater
     @Inject lateinit var offlineGeoIp: OfflineGeoIp
+    @Inject lateinit var securityPreferences: SecurityPreferences
+    @Inject lateinit var syncPreferences: SyncPreferences
 
     private val appScope = CoroutineScope(SupervisorJob() + Dispatchers.IO)
 
@@ -29,6 +33,12 @@ class HostShieldApp : Application(), Configuration.Provider {
         appScope.launch { cnameCloakUpdater.loadCached() }
         appScope.launch { offlineGeoIp.initialize() }
 
+        // v6.2: Migrate plaintext secrets to EncryptedSharedPreferences (Roadmap #30)
+        appScope.launch {
+            securityPreferences.migratePlaintextSecrets()
+            syncPreferences.migratePlaintextSecrets()
+        }
+
         // v6.0: Schedule daily threat intelligence feed updates
         try { ThreatIntelWorker.schedule(this) }
         catch (e: Exception) { android.util.Log.w("HostShieldApp", "WorkManager scheduling failed: ${e.message}") }

app/app/src/main/java/com/hostshield/data/database/Daos.kt

@@ -172,6 +172,7 @@ interface DnsLogDao {
     suspend fun deleteOlderThan(before: Long)
 
     /** Batch delete for ANR-safe cleanup. Returns number of rows deleted. */
+    @Transaction
     @Query("DELETE FROM dns_logs WHERE id IN (SELECT id FROM dns_logs WHERE timestamp < :before LIMIT :batchSize)")
     suspend fun deleteOldestBatch(before: Long, batchSize: Int = 1000): Int
 
@@ -334,6 +335,12 @@ interface ProfileDao {
 
     @Query("UPDATE profiles SET is_active = 1 WHERE id = :id")
     suspend fun activate(id: Long)
+
+    @Transaction
+    suspend fun activateExclusive(id: Long) {
+        deactivateAll()
+        activate(id)
+    }
 }
 
 // Projection classes

app/app/src/main/java/com/hostshield/data/database/HostShieldDatabase.kt

@@ -19,7 +19,7 @@ import com.hostshield.data.model.*
         AutomationAuditEntry::class,
         VpnStabilityEntry::class
     ],
-    version = 12,
+    version = 14,
     exportSchema = true
 )
 @TypeConverters(Converters::class)

app/app/src/main/java/com/hostshield/data/database/Migrations.kt

@@ -17,6 +17,8 @@ import androidx.sqlite.db.SupportSQLiteDatabase
  * - v5: Added dns_logs.query_type + dns_logs indices + source health columns
  * - v6: Added dns_logs.response_time_ms, dns_logs.upstream_server,
  *        dns_logs.cname_chain columns for per-query detail view
+ * - v13: Composite indices for common query patterns
+ * - v14: Added index on host_sources.category
  */
 object Migrations {
 
@@ -131,6 +133,24 @@ object Migrations {
         }
     }
 
+    // v6.2.1: Add composite indices for common query patterns
+    val MIGRATION_12_13 = object : Migration(12, 13) {
+        override fun migrate(db: SupportSQLiteDatabase) {
+            // Composite index for per-app DNS log drill-down (AppLogsScreen)
+            db.execSQL("CREATE INDEX IF NOT EXISTS index_dns_logs_app_blocked_ts ON dns_logs (app_package, blocked, timestamp)")
+            // Index on enabled for source/rule filtering
+            db.execSQL("CREATE INDEX IF NOT EXISTS index_host_sources_enabled ON host_sources (enabled)")
+            db.execSQL("CREATE INDEX IF NOT EXISTS index_user_rules_enabled_type ON user_rules (enabled, type)")
+        }
+    }
+
+    // v6.2.2: Add index on host_sources.category for category-filtered queries
+    val MIGRATION_13_14 = object : Migration(13, 14) {
+        override fun migrate(db: SupportSQLiteDatabase) {
+            db.execSQL("CREATE INDEX IF NOT EXISTS index_host_sources_category ON host_sources (category)")
+        }
+    }
+
     /** All migrations in order. Pass to Room.databaseBuilder().addMigrations(). */
-    val ALL = arrayOf(MIGRATION_5_6, MIGRATION_6_7, MIGRATION_7_8, MIGRATION_8_9, MIGRATION_9_10, MIGRATION_10_11, MIGRATION_11_12)
+    val ALL = arrayOf(MIGRATION_5_6, MIGRATION_6_7, MIGRATION_7_8, MIGRATION_8_9, MIGRATION_9_10, MIGRATION_10_11, MIGRATION_11_12, MIGRATION_12_13, MIGRATION_13_14)
 }

app/app/src/main/java/com/hostshield/data/model/Entities.kt

@@ -20,7 +20,13 @@ enum class SourceHealth {
     UNKNOWN, OK, STALE, ERROR, DEAD
 }
 
-@Entity(tableName = "host_sources")
+@Entity(
+    tableName = "host_sources",
+    indices = [
+        Index(value = ["enabled"]),
+        Index(value = ["category"])
+    ]
+)
 data class HostSource(
     @PrimaryKey(autoGenerate = true) val id: Long = 0,
     @ColumnInfo(name = "url") val url: String,
@@ -44,7 +50,10 @@ data class HostSource(
 
 @Entity(
     tableName = "user_rules",
-    indices = [Index(value = ["hostname"], unique = true)]
+    indices = [
+        Index(value = ["hostname"], unique = true),
+        Index(value = ["enabled", "type"])
+    ]
 )
 data class UserRule(
     @PrimaryKey(autoGenerate = true) val id: Long = 0,
@@ -64,7 +73,8 @@ data class UserRule(
         Index(value = ["timestamp"]),
         Index(value = ["blocked", "timestamp"]),  // composite for filtered log queries
         Index(value = ["hostname"]),
-        Index(value = ["app_package"])
+        Index(value = ["app_package"]),
+        Index(value = ["app_package", "blocked", "timestamp"])  // composite for per-app drill-down
     ]
 )
 data class DnsLogEntry(