PACSAC logo

PACSAC

Mobile Data Self-Protection for Trusted Access in Untrusted Device Environments

PACSAC (Personalized and Cryptographically Secure Access Control) secures sensitive data on smartphones and tablets against application-layer compromise, rooted user-space attacks, and unauthorized process access — by binding plaintext access to cryptographically verified execution identity rather than operating-system permissions alone.

How it works
PACSAC trust chainA cryptographic trust chain links the authenticated user through the mobile OS and Trusted Execution Environment to encrypted data; an unauthorized rooted process is refused plaintext.UserAuthenticatedMobile OSRich exec envTEEHardware-rootedEncrypted dataPlaintext sealedCryptographic trust chainRooted processOutside the chainno valid identity → deniedPlaintext is released only when every link in the chain verifies.
The cryptographic trust chain — plaintext is released only inside a verified execution context, even on a rooted device.

How it works

PACSAC establishes a cryptographically secure chain from the authenticated end user, through the mobile operating environment, into the Trusted Execution Environment (TEE), and finally to encrypted data. Where conventional mobile protections rely primarily on operating-system access controls, PACSAC extends enforcement into cryptographic hardware trust boundaries.

Each access request is cryptographically verified against a secure trust chain incorporating:

  • Authenticated user identity — the person actually requesting access.
  • Authorized application identity — the specific app, not merely a permitted process name.
  • Device-specific hardware trust anchors — rooted in the device’s secure hardware.
  • Dynamic access-control policies — evaluated at the moment of access.

Protected data is released only when all verification conditions are satisfied. Unauthorized applications, compromised user-space processes, and rooted execution environments that fall outside the authorized trust chain are denied plaintext access.

What PACSAC protects against

Rooted user-space attacksPlaintext stays sealed even when the device is rooted and software isolation is weakened.
Unauthorized application accessOnly cryptographically authorized apps reach protected data.
Malware-based exfiltrationHarvested files are ciphertext outside the authorized context.
Credential misuseStolen credentials alone cannot satisfy the trust chain.
Runtime process impersonationAccess binds to verified execution identity, not a process label.
Application-layer code injectionInjected code confronts a cryptographic boundary it cannot forge.

Proven at global mobile scale

Deployed on close to one hundred million smartphones and protected by patents across North America, Europe, and Asia, PACSAC demonstrates that cryptographic data self-protection is not a theoretical model but a production-proven architecture operating at global scale. It is the foundational proof of BicDroid’s broader cryptographic security architecture.

Why it matters

Mobile devices increasingly serve as trusted endpoints for enterprise systems, healthcare workflows, financial services, and regulated communications. In this environment, protections that depend solely on operating-system controls are increasingly vulnerable to privilege escalation and application-layer compromise. PACSAC answers the central mobile-security challenge — how can sensitive data remain protected when software-layer trust assumptions fail? — with cryptographically enforced data self-protection.

The BicDroid family

Each product enforces its guarantee without depending on perimeter trust, host integrity, or the correct behaviour of the software it protects. Deploy one, or combine them for the complete cryptographic lifecycle.

QDocSEBIACSLineageCryptLightNet
Talk to BicDroid

Protect mobile data where software trust ends.

See how PACSAC anchors sensitive data to verified execution identity across your device fleet.

Talk to us →Contact details