v3.4.1: One-shot photos, restore redesign, QR fingerprint, UI improvements

Features:
- One-shot ephemeral photos with 2-phase secure deletion
- Restore screen redesign: 24-word BIP-39 autocomplete grid
- QR code fingerprint verification (SHA-256 hex + scanner)
- Send confirmation dialog, progress bar, retry button
- PIN forgot recovery via mnemonic phrase
- Send indicator icon in sent bubbles

Security:
- Anti-navigation bypass: immediate DB flag on one-shot open
- QR fingerprint uses hex encoding (no Unicode issues)
- Room v17: added oneShotOpened column

UI:
- Protocol display updated to PQXDH in contact profile
- Timestamp and maxWidth fixes in message bubbles
- 29 layout audit with fixes
- Custom scanner with torch toggle

Docs:
- All documentation updated (README FR/EN, SECURITY, CHANGELOG FR/EN,
  ARCHITECTURE FR/EN, CRYPTO FR/EN, STRUCTURE FR/EN)
- Version 3.4.1 (versionCode 6)

Author: DevBot667

README-en.md

@@ -57,9 +57,10 @@
 
 - **PQXDH**: X25519 + **ML-KEM-768** (post-quantum)
 - **AES-256-GCM** + **Double Ratchet** with PFS + healing
-- **Fingerprint emojis** 96-bit anti-MITM
+- **Fingerprint emojis** 96-bit anti-MITM + **QR code scanner**
 - **Independent verification** per user + system messages
-- **BIP-39** backup (24 words)
+- **BIP-39** backup (24 words) + autocomplete grid
+- **One-shot photos** — view once, 2-phase secure deletion
 - Private key in **Android Keystore** (StrongBox when available)
 - Encrypted local DB **SQLCipher**
 - **Message padding** fixed-size (256/1K/4K/16K)
@@ -83,6 +84,7 @@
 - **Dynamic bubbles** colored by theme
 - **App Lock** PIN + biometrics
 - **Disappearing messages** (30s → 1 month)
+- **One-shot photos** view once 🔥
 
 </td>
 </tr>
@@ -107,7 +109,7 @@
 |---|---------|---------|
 | 🔐 | **E2E Encryption** | PQXDH: X25519 + ML-KEM-768 + AES-256-GCM |
 | 🔄 | **Perfect Forward Secrecy** | Double Ratchet (DH + KDF chains) |
-| 🔏 | **Fingerprint emojis** | 96-bit, 16 emojis, anti-MITM |
+| 🔏 | **Fingerprint emojis + QR** | 96-bit, 16 emojis + QR code SHA-256, built-in scanner |
 | ✅ | **Independent verification** | Each user verifies separately, system message + clickable link |
 | 🛡️ | **DeviceSecurityManager** | StrongBox detection, MAXIMUM/STANDARD level |
 | 🕵️ | **Metadata hardening** | senderUid HMAC-hashed + messageIndex encrypted |
@@ -121,6 +123,7 @@
 | 📎 | **E2E file sharing** | Per-file AES-256-GCM via Firebase Storage |
 | 🔒 | **PBKDF2 PIN** | 600K iterations + salt (replaces SHA-256) |
 | ✍️ | **Ed25519 Signatures** | Every message signed, ✅/⚠️ badge anti-forgery |
+| 📸 | **One-shot photos** | View once (sender + receiver), 2-phase secure deletion |
 
 </details>
 
@@ -168,7 +171,7 @@
 | 🔒 | **App Lock** | 6-digit PIN + opt-in biometrics |
 | ⏰ | **Auto-lock** | Configurable timeout (5s → 5min) |
 | 🔑 | **BIP-39 Backup** | 24 words to backup identity key |
-| ♻️ | **Restore** | Recover on a new device via mnemonic |
+| ♻️ | **Restore** | Autocomplete 24-word grid + recover on new device |
 | 🗑️ | **Full deletion** | Cleans Firebase (profile, inbox, convos, signing keys) |
 | 📵 | **Anonymous** | Zero number, zero email, zero tracking |
 
@@ -245,7 +248,7 @@ cd SecureChat
 | E2E file sharing (AES-256-GCM + Firebase Storage) | ✅ |
 | PBKDF2 PIN (600K iterations + salt) | ✅ |
 | R8/ProGuard obfuscation + complete log stripping (d/v/i/w/e/wtf) | ✅ |
-| Fingerprint emojis 96-bit anti-MITM | ✅ |
+| Fingerprint emojis 96-bit anti-MITM + QR code SHA-256 scanner | ✅ |
 | App Lock (PIN + biometrics) | ✅ |
 | Restrictive Firebase security rules | ✅ |
 | BIP-39 backup/restore (24 words) | ✅ |
@@ -271,6 +274,10 @@ cd SecureChat
 | Delete-after-failure (cleanup failed messages from Firebase) | ✅ |
 | Atomic dual-listener deduplication (ConcurrentHashMap) | ✅ |
 | Signing key cleanup on account deletion | ✅ |
+| One-shot photos (view once, 2-phase secure deletion) | ✅ |
+| QR code fingerprint scanner (SHA-256 hex, CustomScannerActivity) | ✅ |
+| BIP-39 autocomplete 24-word grid (restore redesign) | ✅ |
+| Forgot PIN (recovery via mnemonic phrase) | ✅ |
 
 > 📖 **Full Analysis** — [`SECURITY.md`](SECURITY.md) · [Crypto Protocol](docs/en/CRYPTO.md)
 
@@ -293,6 +300,7 @@ cd SecureChat
 | **V3.2** | Ed25519 Signing — Per-message signatures, ✅/⚠️ badge, Firebase rules hardening, signing key cleanup | ✅ Done |
 | **V3.3** | Material 3 + Tor + Attachment UX — M3 migration, full Tor integration, Session-style inline icons, Android 13+ permissions, log hardening | ✅ Done |
 | **V3.4** | PQXDH + Security — Post-quantum ML-KEM-768, deep link v2, QR name auto-fill, displayName hidden from Firebase, DeviceSecurityManager StrongBox, independent fingerprint verification, system messages, PQXDH desync fix, dual-listener fix, lastDeliveredAt | ✅ Done |
+| **V3.4.1** | One-Shot + UX — One-shot ephemeral photos, BIP-39 autocomplete grid, QR fingerprint scanner, send confirmation, progress bar, retry, 29 layout audit, forgot PIN | ✅ Done |
 | **V3.5** | Planned — App disguise + cover screen, Dual PIN, panic button, FLAG_SECURE, E2E voice messages, sealed sender, reply/quote | 🔜 |
 
 > 📖 **Details** — [Full Changelog](docs/en/CHANGELOG.md)
@@ -325,7 +333,7 @@ cd SecureChat
 | [**Crypto Protocol**](docs/en/CRYPTO.md) | X25519, Double Ratchet, fingerprint, threat model |
 | [**Setup**](docs/en/SETUP.md) | Prerequisites, Firebase, build, dependencies |
 | [**Structure**](docs/en/STRUCTURE.md) | Full project tree |
-| [**Changelog**](docs/en/CHANGELOG.md) | V1 → V3.4 history |
+| [**Changelog**](docs/en/CHANGELOG.md) | V1 → V3.4.1 history |
 | [**Security**](SECURITY.md) | Full audit, known limitations |
 
 </div>
@@ -344,7 +352,7 @@ Provided for **educational** purposes. Use it as a definitive base to understand
 
 <br/>
 
-<img src="https://img.shields.io/badge/SecureChat-V3.4-7c3aed?style=for-the-badge&logo=android&logoColor=white" />
+<img src="https://img.shields.io/badge/SecureChat-V3.4.1-7c3aed?style=for-the-badge&logo=android&logoColor=white" />
 
 <br/><br/>
 

README.md

@@ -57,9 +57,10 @@
 
 - **PQXDH** : X25519 + **ML-KEM-768** (post-quantique)
 - **AES-256-GCM** + **Double Ratchet** avec PFS + healing
-- **Fingerprint emojis** 96-bit anti-MITM
+- **Fingerprint emojis** 96-bit anti-MITM + **QR code scanner**
 - **Vérification indépendante** par utilisateur + messages système
-- **BIP-39** backup (24 mots)
+- **BIP-39** backup (24 mots) + grille autocomplete
+- **Photos one-shot** — vue unique, suppression sécurisée 2 phases
 - Clé privée dans **Android Keystore** (StrongBox si dispo)
 - Base locale chiffrée **SQLCipher**
 - **Message padding** taille fixe (256/1K/4K/16K)
@@ -83,6 +84,7 @@
 - **Bulles dynamiques** colorées par thème
 - **App Lock** PIN + biométrie
 - **Messages éphémères** (30s → 1 mois)
+- **Photos one-shot** vue unique 🔥
 
 </td>
 </tr>
@@ -107,7 +109,7 @@
 |---|---------|--------|
 | 🔐 | **Chiffrement E2E** | PQXDH : X25519 + ML-KEM-768 + AES-256-GCM |
 | 🔄 | **Perfect Forward Secrecy** | Double Ratchet (DH + KDF chains) |
-| 🔏 | **Fingerprint emojis** | 96-bit, 16 emojis, anti-MITM |
+| 🔏 | **Fingerprint emojis + QR** | 96-bit, 16 emojis + QR code SHA-256, scanner intégré |
 | ✅ | **Vérification indépendante** | Chacun vérifie de son côté, message système + lien cliquable |
 | 🛡️ | **DeviceSecurityManager** | Détection StrongBox, niveau MAXIMUM/STANDARD |
 | 🕵️ | **Metadata hardening** | senderUid hashé HMAC + messageIndex chiffré |
@@ -121,6 +123,7 @@
 | 📎 | **Fichiers E2E** | Chiffrement AES-256-GCM par fichier via Firebase Storage |
 | 🔒 | **PBKDF2 PIN** | 600K itérations + salt (remplace SHA-256) |
 | ✍️ | **Signature Ed25519** | Chaque message signé, badge ✅/⚠️ anti-falsification |
+| 📸 | **Photos one-shot** | Vue unique (sender + receiver), suppression sécurisée 2 phases |
 
 </details>
 
@@ -168,7 +171,7 @@
 | 🔒 | **App Lock** | PIN 6 chiffres + biométrie opt-in |
 | ⏰ | **Auto-lock** | Timeout configurable (5s → 5min) |
 | 🔑 | **Backup BIP-39** | 24 mots pour sauvegarder la clé d'identité |
-| ♻️ | **Restauration** | Restaurer sur un nouvel appareil via phrase |
+| ♻️ | **Restauration** | Grille autocomplete 24 mots + restaurer sur nouvel appareil |
 | 🗑️ | **Suppression complète** | Nettoie Firebase (profil, inbox, convos, clés de signature) |
 | 📵 | **Anonyme** | Zéro numéro, zéro email, zéro tracking |
 
@@ -245,7 +248,7 @@ cd SecureChat
 | Fichiers E2E (AES-256-GCM + Firebase Storage) | ✅ |
 | PBKDF2 PIN (600K itérations + salt) | ✅ |
 | R8/ProGuard obfuscation + log stripping complet (d/v/i/w/e/wtf) | ✅ |
-| Fingerprint emojis 96-bit anti-MITM | ✅ |
+| Fingerprint emojis 96-bit anti-MITM + QR code SHA-256 scanner | ✅ |
 | App Lock (PIN + biométrie) | ✅ |
 | Firebase security rules restrictives | ✅ |
 | BIP-39 backup/restore (24 mots) | ✅ |
@@ -293,6 +296,7 @@ cd SecureChat
 | **V3.2** | Ed25519 Signing — Signature par message, badge ✅/⚠️, durcissement Firebase rules, nettoyage clés | ✅ Done |
 | **V3.3** | Material 3 + Tor + Attachment UX — Migration M3, intégration Tor complète, icônes inline Session, permissions Android 13+, durcissement logs | ✅ Done |
 | **V3.4** | PQXDH + Security — ML-KEM-768 post-quantique, deep link v2, QR auto-fill nom, displayName masqué Firebase, DeviceSecurityManager StrongBox, vérification empreinte indépendante, messages système, fix désync PQXDH, fix dual-listener, lastDeliveredAt | ✅ Done |
+| **V3.4.1** | One-Shot + UX — Photos éphémères one-shot, grille BIP-39 autocomplete, QR fingerprint scanner, confirmation d'envoi, barre de progression, retry, audit 29 layouts, PIN oublié | ✅ Done |
 | **V3.5** | Planned — Camouflage app + faux écran, Dual PIN, panic button, FLAG_SECURE, messages vocaux E2E, sealed sender, reply/quote | 🔜 |
 
 > 📖 **Détails** — [Changelog complet](docs/fr/CHANGELOG.md)
@@ -325,7 +329,7 @@ cd SecureChat
 | [**Protocole Crypto**](docs/fr/CRYPTO.md) | X25519, Double Ratchet, fingerprint, modèle de menace |
 | [**Installation**](docs/fr/SETUP.md) | Prérequis, Firebase, build, dépendances |
 | [**Structure**](docs/fr/STRUCTURE.md) | Arbre complet du projet |
-| [**Changelog**](docs/fr/CHANGELOG.md) | Historique V1 → V3.4 |
+| [**Changelog**](docs/fr/CHANGELOG.md) | Historique V1 → V3.4.1 |
 | [**Sécurité**](SECURITY.md) | Audit complet, limites connues |
 
 </div>
@@ -344,7 +348,7 @@ Fourni à des fins **éducatives**. Utilisez-le comme base pour comprendre le ch
 
 <br/>
 
-<img src="https://img.shields.io/badge/SecureChat-V3.4-7c3aed?style=for-the-badge&logo=android&logoColor=white" />
+<img src="https://img.shields.io/badge/SecureChat-V3.4.1-7c3aed?style=for-the-badge&logo=android&logoColor=white" />
 
 <br/><br/>
 

SECURITY.md

@@ -4,7 +4,8 @@
 
 | Version | Supported |
 |---------|-----------|
-| 3.4.x   | ✅ Current |
+| 3.4.1   | ✅ Current |
+| 3.4.x   | ⚠️ Outdated |
 | 3.3.x   | ⚠️ Outdated |
 | 3.2.x   | ⚠️ Outdated |
 | 3.1.x   | ⚠️ Outdated |
@@ -38,6 +39,7 @@ SecureChat uses the following cryptographic primitives:
 | Message padding | 256 / 1024 / 4096 / 16384 bytes | 2-byte big-endian length header + random fill |
 | Conversation ID | SHA-256 | Hash of sorted public keys |
 | Fingerprint emojis | SHA-256 → 64-palette × 16 | 96-bit entropy, anti-MITM, independent verification per user |
+| Fingerprint QR code | SHA-256 hex (64 ASCII chars) | Hex encoding for QR scanner compatibility; `getSharedFingerprintHex()` |
 | Fingerprint events | Firebase notification (`verified:<ts>`) | Event-based notification only; verification state is strictly local per device |
 | senderUid hashing | HMAC-SHA256 | Keyed by conversationId, truncated to 128 bits |
 | PIN hashing | PBKDF2-HMAC-SHA256 | 600,000 iterations, 16-byte random salt |
@@ -181,3 +183,16 @@ SecureChat uses the following cryptographic primitives:
 - ✅ **Independent fingerprint verification**: each user's verified/unverified state is strictly local; Firebase event is a notification only (`fingerprintEvent: "verified:<timestamp>"`), never modifies the other user's state
 - ✅ **Fingerprint un-verify**: users can toggle verification status; button switches between "Marquer comme vérifié" / "Retirer la vérification"
 - ✅ **DB version 16**: added `lastDeliveredAt` column to Conversation entity (fallbackToDestructiveMigration)
+
+### V3.4.1 One-Shot Photos, Restore Redesign & QR Fingerprint
+
+- ✅ **One-shot ephemeral photos**: view-once images for both sender and receiver; 2-phase secure deletion (immediate DB flag + delayed file deletion)
+- ✅ **Anti-navigation bypass**: `flagOneShotOpened()` DAO flags DB immediately on click; physical file deleted after 5s coroutine delay; no `Handler.postDelayed` vulnerability
+- ✅ **One-shot file metadata**: `FILE|url|key|iv|fileName|fileSize|1` format; `oneShotOpened` column in Room DB
+- ✅ **QR code fingerprint**: fingerprint encoded as SHA-256 hex (64 ASCII chars) for QR; avoids Unicode emoji encoding mismatches
+- ✅ **QR fingerprint scanner**: uses `CustomScannerActivity` (same as contact invitation); hex comparison with `ignoreCase`; auto-verify on match
+- ✅ **`getSharedFingerprintHex()` method**: raw SHA-256 hex of sorted concatenated public keys (deterministic, encoding-safe)
+- ✅ **Restore screen BIP-39 grid**: 24 `AutoCompleteTextView` cells with BIP-39 autocomplete (2048 words); replaces single text field
+- ✅ **PIN recovery**: forgot PIN flow via mnemonic phrase verification
+- ✅ **Send confirmation dialog**: user confirms before sending files
+- ✅ **DB version 17**: added `oneShotOpened` column to MessageLocal entity (fallbackToDestructiveMigration)

app/build.gradle.kts

@@ -22,8 +22,8 @@ android {
         applicationId = "com.securechat"
         minSdk = 33
         targetSdk = 35
-        versionCode = 5
-        versionName = "3.4.0"
+        versionCode = 6
+        versionName = "3.4.1"
 
         testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
     }

app/src/main/java/com/securechat/crypto/CryptoManager.kt

@@ -518,6 +518,14 @@ object CryptoManager {
         return emojis.chunked(4).joinToString(" ") { it.joinToString("") }
     }
 
+    /** Returns the raw SHA-256 hex of the shared fingerprint (deterministic, safe for QR). */
+    fun getSharedFingerprintHex(myPubKeyBase64: String, contactPubKeyBase64: String): String {
+        val sorted = listOf(myPubKeyBase64, contactPubKeyBase64).sorted()
+        val combined = (sorted[0] + sorted[1]).toByteArray(Charsets.UTF_8)
+        val hash = MessageDigest.getInstance("SHA-256").digest(combined)
+        return hash.joinToString("") { "%02x".format(it) }
+    }
+
     fun hmacSha256(key: ByteArray, data: ByteArray): ByteArray {
         val mac = javax.crypto.Mac.getInstance("HmacSHA256")
         mac.init(SecretKeySpec(key, "HmacSHA256"))

app/src/main/java/com/securechat/crypto/MnemonicManager.kt

@@ -28,6 +28,9 @@ object MnemonicManager {
 
     private var wordList: List<String> = emptyList()
 
+    /** Expose the loaded BIP-39 wordlist for autocomplete UI. */
+    fun getWordList(): List<String> = wordList
+
     fun init(context: Context) {
         if (wordList.isNotEmpty()) return
         wordList = context.resources.openRawResource(

app/src/main/java/com/securechat/data/local/MessageLocalDao.kt

@@ -56,6 +56,12 @@ interface MessageLocalDao {
     @Query("UPDATE messages SET expiresAt = :expiresAt WHERE localId = :messageId")
     suspend fun setExpiresAt(messageId: String, expiresAt: Long)
 
+    @Query("UPDATE messages SET oneShotOpened = 1, localFilePath = NULL WHERE localId = :messageId")
+    suspend fun markOneShotOpened(messageId: String)
+
+    @Query("UPDATE messages SET oneShotOpened = 1 WHERE localId = :messageId")
+    suspend fun flagOneShotOpened(messageId: String)
+
     @Query("SELECT * FROM messages WHERE localId = :messageId LIMIT 1")
     suspend fun getMessageById(messageId: String): MessageLocal?
 

app/src/main/java/com/securechat/data/local/SecureChatDatabase.kt

@@ -51,7 +51,7 @@ import java.security.SecureRandom
         MessageLocal::class,
         RatchetState::class
     ],
-    version = 16,
+    version = 17,
     exportSchema = false
 )
 abstract class SecureChatDatabase : RoomDatabase() {

app/src/main/java/com/securechat/data/model/MessageLocal.kt

@@ -47,5 +47,7 @@ data class MessageLocal(
     val fileName: String? = null,         // Original file name
     val fileSize: Long = 0,               // File size in bytes
     val localFilePath: String? = null,    // Path to decrypted file on device
-    val signatureValid: Boolean? = null   // null = no signature, true = valid, false = invalid
+    val signatureValid: Boolean? = null,  // null = no signature, true = valid, false = invalid
+    val isOneShot: Boolean = false,       // true = image visible once then deleted
+    val oneShotOpened: Boolean = false    // true = one-shot image was already viewed
 )