Xopoz - Privacy-first GPS team tracking app built entirely on OpenStreetMap

Hi everyone,

I’m Tiri, an independent developer based in Germany. I reached out to the OSMF board asking where to present my project, and Héctor kindly pointed me here.

I’m building Xopoz, an Android GPS team tracking app for professional field teams - mountain guides, search & rescue volunteers, NGO field operations, adventure tour operators. The app is
built entirely on OpenStreetMap with zero Google dependency.

Why OSM matters to this project

OpenStreetMap is not just a fallback for Xopoz - it’s the foundation. The app uses OSMDroid for all map rendering and has zero Google Maps or Google Play Services dependency. This means it
runs on de-Googled phones (GrapheneOS, LineageOS, /e/OS, CalyxOS) with full functionality.

Users can also configure any raster tile server as their map source - corporate tile servers, satellite imagery, offline MBTiles caches, or their own self-hosted TileServer GL instances. OSM
is the default and the heart of the map experience.

What makes Xopoz different

  • End-to-end encrypted GPS positions - Every coordinate is AES-128 encrypted on-device with team-specific keys before transmission. The server stores only encrypted blobs and cannot see real
    locations (zero-knowledge architecture).
  • Device-focused teams - Each device is an independent tracking entity. You can track phones, vehicles, equipment - anything with GPS - as individual team members.
  • Battery-efficient - Hardware motion sensor wake, adaptive GPS/network switching, up to 90% power reduction when stationary. Designed for all-day field use.
  • Custom map servers - Any raster tile source with dynamic style switching and offline support.
  • No Google anything - No Play Services, no Firebase, no Analytics. Direct Android GPS API.
  • Made in Europe with European privacy values. No ads, no data selling.

Who it’s for

The primary audiences are professionals who already understand maps and coordination challenges:

  • Mountain guides tracking clients across terrain
  • Search & rescue volunteers coordinating in the field
  • NGOs managing field staff with privacy requirements
  • Tour operators monitoring group safety

Where things stand

The app is in pre-release (not yet on Google Play). The Android client and .NET backend API are functional. I’m looking for feedback from the OSM community and early testers willing to try it in real field conditions.
Full documentation is not yet online, but I will be happy to answer all your questions as I own the full stack.

Short demo video (with technical detail):

I’m happy to answer any technical questions about the OSM integration, the architecture, or anything else. Feedback at any level - from “this is useful” to “have you considered X” - is
genuinely valuable at this stage.

Also, having contact with the OSM licensing crew to ensure the app will be compliant would please me.
Also, Google Play makes 20 independent testers mandatory before an app goes to the public space, and I would be happy to have privileged contacts interested in acting as testers in exchange for the app in demo mode.

Thanks for reading,
Tiri
—————-
You may find different shorts on YouTube with the keyword “Xopoz”.

tiri@tiritix.com

3 Likes

For people interested in tracks, it will bring a track manager; here are some sample screenshots.
Give me your feedback.
As a reminder, I am looking for first potential testers and feedback about ideas.

… and I am not allowed to put more than 1 picture

Above is a track imported as a GPX file from

First version of user guide, along with specification is now online:

The full workflow of team creation + team join is now online on video!

In this video, I walk you through the complete team creation and joining workflow in Xopoz — a privacy-first GPS location tracker that puts security at the core of every feature. What you’ll see:

  • Creating a new tracking team from scratch

  • Generating an awesome QR code that contains your team’s encrypted access credentials

  • Scanning the QR code from a second device to join the squad instantly

  • Real-time encrypted position sharing between team members on the map

🛡️ Why Xopoz encryption is different: Every team in Xopoz uses its own independent AES-128 encryption key. When you create a team, a unique cryptographic key is generated locally on YOUR device — it never touches the server. The server stores only encrypted GPS coordinates that are meaningless without your team key. The QR code is the independent out-of-band channel used to share the encryption key between devices. This means:

  • ✅ End-to-end encrypted (E2E) — the server cannot read your positions

  • ✅ Each team has its own isolated AES key — compromising one team reveals nothing about another

  • ✅ Key exchange happens device-to-device via QR scan — no key ever transmitted over the network

  • ✅ Zero-knowledge architecture — even the server admin cannot decrypt your location data
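
A sketch of the kind of scheme the post above describes (a per-team AES-128 key held only on devices, with the server storing opaque blobs), added here as an example; it is not part of the original post and not Xopoz's code. The thread does not state the cipher mode or blob format, so AES-GCM, the nonce || ciphertext || tag layout, the team ID as associated data, and all function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math"
)

// TeamCipher wraps a 16-byte team key in AES-128-GCM (the mode is an assumption).
func TeamCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 16 {
		return nil, fmt.Errorf("team key must be 16 bytes (AES-128)")
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one fix on the device; teamID is authenticated as associated data.
func Seal(gcm cipher.AEAD, teamID string, lat, lon float64) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per position
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	pt := make([]byte, 16)
	binary.BigEndian.PutUint64(pt[:8], math.Float64bits(lat))
	binary.BigEndian.PutUint64(pt[8:], math.Float64bits(lon))
	return gcm.Seal(nonce, nonce, pt, []byte(teamID)), nil // nonce || ciphertext || tag
}

// Open decrypts a blob fetched from the server; wrong key, wrong team or tampering fails.
func Open(gcm cipher.AEAD, teamID string, blob []byte) (float64, float64, error) {
	if n := gcm.NonceSize(); len(blob) >= n {
		if pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(teamID)); err == nil && len(pt) == 16 {
			return math.Float64frombits(binary.BigEndian.Uint64(pt[:8])), math.Float64frombits(binary.BigEndian.Uint64(pt[8:])), nil
		}
	}
	return 0, 0, fmt.Errorf("decryption failed")
}

func main() {
	key := make([]byte, 16) // constructed demo key; on a device this never leaves the phone
	rand.Read(key)
	gcm, _ := TeamCipher(key)
	blob, _ := Seal(gcm, "team-demo", 47.4211, 10.9853) // constructed coordinates
	fmt.Println(Open(gcm, "team-demo", blob))
}
```

In this model the server still sees the team ID, the blob size and the upload time in clear; only the coordinates are protected by the team key.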

Xopoz is now finally available for testing on Google Play!

Contact me if you want to have a free seat!

xopoz@tiritix.com

I will be happy to list you on the Google testing platform (mandatory for you to access the application).

Any reason why it (the homepage at least) smells of AI vibecoding?

1 Like

Fair question. Yes — Claude Code is part of the workflow. Not as an autopilot, as a
collaborator I drive and challenge. 20+ years of software engineering on my side,
8 months of work, 1400+ reviewed commits, each one signed off by me personally.

If you want to judge the substance rather than the landing page, the specification
and architecture describe exactly what was built:

Happy to answer technical questions on any part of it.

Considering that it is stated in the first post that

And then later state that it can be tested via Google Play seems contradictory.

Will there be options to test over Obtainium or F-Droid?

Thanks for raising this — it’s a fair question and worth clarifying, because the two things are often conflated.

Google Play (the marketplace) and Google Play Services (the runtime SDK) are independent.

  • Google Play Services is the proprietary SDK that apps embed and call at runtime for things like FusedLocationProvider, push notifications via FCM, Maps SDK, etc. This is what de-Googled phones don’t have, and this is what would break an app on GrapheneOS /
    LineageOS / /e/OS / CalyxOS.
  • Google Play is just a storefront that distributes APKs. The APK it ships is the same APK regardless of where you install it from.

Xopoz has zero Google Play Services calls — no FusedLocation, no FCM, no Google Maps SDK, no Firebase, no Crashlytics. Location comes directly from Android’s LocationManager, maps are rendered via OSMDroid from OSM tiles, and there is no analytics or tracking
SDK. That’s what makes it run with full functionality on de-Googled phones. The fact that the APK happens to also be listed on Play Store doesn’t change any of that — it’s purely a distribution convenience for users who have Play.

On alternative distribution: a dedicated release page is being set up at tiritix.com/xopoz where signed APKs will be available for direct download (not yet). This means:

  • Install directly from the website on any Android (de-Googled or not)
  • Obtainium-compatible — users can subscribe to the release URL and get automatic updates without any marketplace
  • No Google account, no Play Services, no middleman required

I understand F-Droid would be the preferred channel for many in this community, but the source remains private, so F-Droid main repo isn’t possible. The direct-download + Obtainium path gives the same install-and-auto-update experience without requiring Play.

Happy to answer further questions.

The latest feature under test is “Reality Obscuration” to highlight trails of team members:

Privacy first sounds interesting. I read that topic once, now the forum software always shows me new posts arrived. Privacy by obscurity begs questions. I’d rather see some of the thumbs down people voice their concerns, not just as an emoticon. BTW: I guess I am not the target audience, as mentioned in top post. There may be a market, not sure enough people in the set crave for privacy.

The first release is available independent of the Google Play marketplace:
it is an independent APK.

I know of disaster response teams who are looking for privacy friendly team location tracking solutions. In theory this app ticks a few of those boxes and something like this is a good idea, but there are several red flags that would prevent me from recommending this to people.
A very incomplete list:

  • It’s closed source, developed by one person and relies on a private proprietary central server.
    Even from just the reliability aspect, that’s a no-go for something that’s critical for the mission and for the health and safety of the team members. I wouldn’t be very confident about the service availability for when you need it in the short term, nor about the availability of the project as a whole in the long term in case something happens to you or you simply move on to something else.
  • Presumably you want to monetize this at some point, but there’s no information about required subscriptions, pricing, etc…
  • The information that’s available about the app is filled with meaningless buzzwords and obvious AI generated content that doesn’t inspire confidence about the quality.
  • Privacy doesn’t end with just the location data. Even if the central server doesn’t see the location information, you require a user account with personally identifiable information (email addresses) for each user, know which teams a user is in and the identity of the other members of that team, etc…
  • Withholding information about the encryption schemes and protocols is just security by obscurity and generally seen as unsound in cryptographic circles. It just prevents easy verification of the security guarantees, but does nothing to stop dedicated attackers. The security of a cryptographic scheme purely stems from the secret keys, not from uncertainty about the algorithm.
  • In your marketing material you claim that the encryption keys for the location data are only stored in the Android keystore hardware security module (which isn’t available on every phone) and are inaccessible, yet they can be exported and are used for adding new devices? (And even if only group admins have the key in an accessible format, you’d still always have a full encryption/decryption oracle so the TPM doesn’t really bring much benefit).
  • “Military grade encryption” is an absolutely meaningless marketing term (especially when it essentially always just means bog standard basic AES) and is a red flag all by itself. It means you either want to trick users who don’t know about encryption with fancy words that sound ‘cool’, or even worse, you believe in it yourself which shows you don’t actually know anything about cryptography.
6 Likes

Great idea that could be useful to people. However:

  • It’s closed software with no way of telling if what you list is implemented or not.
  • Using AI to develop a privacy centered app needing correct implementation of cryptography is problematic. Especially as a closed source software. How can we be convinced it’s just not an AI hack job and security/privacy nightmare?
  • Using open OSM data in a closed source project and asking the community of volunteers to test it for you is, to me, not ethical.
  • The AI video “trailer” really puts me off.

Also, as @Woazboat noted, the documentation is riddled with AI speak, and terms like “military grade encryption” are meaningless and make me doubt the cryptographic implementation.

In short, nice idea, but its unique features really require it to be FOSS.

2 Likes

Any reason why your app isn’t open source as others ask?

Is it to stop us from seeing the annoyingly messy code your AI spat out and that you might’ve not bothered optimizing? You can’t just call yourself a “developer” if all you do is ask AI to spit out programs all on its own

Oh and Military-Grade Encryption™ means nothing these days… especially when every single VPN sellout- I mean, sponsorship on YouTube uses it as an argument to sell subscriptions

Thank you,
documentation is updated and available here: