KeepLiveService (Fw) is an open-source security research and educational project that documents and implements Android process keep-alive techniques. The project is intended for:
- Security researchers studying Android process lifecycle management
- Developers who need to understand how background services survive on various Android versions and OEM ROMs
- Educational purposes demonstrating the interaction between applications and the Android framework
This project does not encourage malicious use. All strategies are implemented transparently and require explicit opt-in configuration.
| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| 1.x.x | ❌ |
Only the latest major version receives security updates.
If you discover a security vulnerability in the KeepLiveService framework, please follow the responsible disclosure process below. Do not open a public GitHub issue for security vulnerabilities.
- Email: Send a detailed report to the project maintainer via the Telegram group as a private message to the group admin.
- Include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- The potential impact or severity
- Any suggested fixes (if available)
- Response time: We aim to acknowledge reports within 72 hours and provide a resolution timeline within 7 days.
- Disclosure: We will coordinate with you on a public disclosure timeline after a fix is released. We typically target a 90-day disclosure window.
The following are considered in scope for security reports:
- Vulnerabilities in the framework library (
io.github.pangu-immortal:keeplive-framework) that could be exploited by a third party - Privilege escalation beyond what the framework is designed to provide
- Data exfiltration or unintended network communication
- Vulnerabilities in the native C++ layer (daemon process, Binder interactions)
The following are out of scope:
- The keep-alive strategies themselves (these are the documented purpose of the project)
- Issues requiring physical access to an unlocked device
- Issues in third-party dependencies (please report those to the respective projects)
- Social engineering attacks
When integrating KeepLiveService into your application:
- Only enable strategies you need -- disable aggressive strategies (e.g.,
enableForceStopResistance,enableVpnService) unless required. - Respect user consent -- always inform users about background services and obtain appropriate permissions.
- Follow Google Play policies -- some strategies may not comply with Google Play's background execution policies. Review the Google Play policy center before publishing.
- Keep the framework updated -- always use the latest version for security patches and compatibility fixes.
- Review permissions -- audit the permissions declared by the framework and remove any that are unnecessary for your use case.
We appreciate the security research community's efforts in making this project safer. Reporters who follow responsible disclosure will be credited in the project's release notes (unless they prefer to remain anonymous).