The parental control that can't spy on your kid.
OpenWarden runs entirely on your own phones. No subscription. No cloud. No company reading your family's messages, including us. You get real control over your kid's Android, and your kid can see exactly what it does.
Free forever. Apache 2.0. Funded by grants and donations, never by you.
- Ed25519 signed policy
- Sealed-box encrypted log
- BIP39 recovery phrase
- Works fully offline
- Zero analytics, zero trackers
Most "parental control" apps are surveillance with a friendly logo.
OpenWarden is built the opposite way. The things that make it different aren't features bolted on. They're the architecture.
It runs on your phones, not our servers.
Policy is enforced locally on the kid's device and edited from yours. The two sync directly over your own Wi-Fi. There is no OpenWarden account, no backend, and nothing for us, or anyone else, to breach. It keeps working with the internet off.
It can't read your kid's content. By design.
No message bodies, no photo libraries, no search history, no keystrokes, no in-app screens. The app doesn't request the permissions that would make it possible. This isn't a setting you trust us to leave off. It's a capability we never built.
Your kid is never kept in the dark.
Every category OpenWarden tracks is listed on a plain-language screen on the kid's own phone. The audit log they see is the same one you see. A teacher, doctor, or the other parent can read it too. Surveillance hidden from the watched person is exactly what we refuse to ship.
No subscription, no lock-in, no telemetry.
Apache 2.0 and free forever, funded by grants and donations. The policy format is open and anyone can implement it. A 24-word recovery phrase is the root authority, and it lets you leave cleanly whenever you want.
What OpenWarden will never see.
The strongest thing we can show you isn't a feature list. It's the list of things this app refuses to do, the same list your kid can read on their phone.
Never: Out of reach, on purpose
None of this is collected, logged, or sent anywhere. Not to you, not to us, not to anyone.
- Your kid's messages: SMS and in-app chats are never read.
- Their photos and videos: An optional check runs on-device, then forgets. Nothing is saved or sent.
- Audio and call recordings: The app physically can't record on the phone.
- Search history: Never read.
- Keystrokes: No keyboard logging, ever.
- Inside-app screens: No Roblox chat, no Discord DMs, no scrolling feeds.
In the open: What it does see
Just enough to enforce the rules you set, all of it visible to your kid on their own phone.
- Which apps, and for how long: Totals only, never what happened inside.
- The time windows you set: Bedtime, school hours, lock-now.
- Video sessions by network signature: That a video played, not its title or content.
- Who called or texted, and when: Numbers and times, never the words.
- Location, only by a rule you both see: Like a curfew check, never a live map.
We didn't forget these features. We refuse them. This is the line between parental control and stalkerware, and OpenWarden is built so it can't cross it, even if we wanted to.
Two phones. Your Wi-Fi. Nothing in between.
Set up the kid's phone once.
You provision OpenWarden as the device's owner over USB. From then on it enforces policy locally, even with no internet and after a reboot.
Edit the rules from your phone.
Allowlists, time windows, lock-now. Each change is cryptographically signed and sent straight to the kid's phone over your home Wi-Fi. No relay, no inbox in the cloud.
Everyone reads the same record.
Both parents and the kid see one shared, honest audit log. There's no primary-parent backdoor and no view that's hidden from anyone the kid chooses to show.
Built to be checked, not just believed.
Every promise on this page is backed by source you can read and crypto you can audit. None of it asks you to take our word for it.
Open crypto, documented end to end.
Policy bundles are signed with Ed25519 and canonicalized with RFC 8785. The event log is sealed to the parent's key with a libsodium sealed box, so the kid's device can't even read what it wrote. Replay is blocked by a monotonic policy_seq with a freshness window. Recovery is a BIP39 24-word phrase.
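The checks described above, in the order a receiving device would run them, as an added example that is not OpenWarden's own code: canonicalize per RFC 8785, verify the Ed25519 signature, then reject anything that is not newer than the last `policy_seq` or falls outside the freshness window. Every field name except `policy_seq`, the 300-second window, and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const WINDOW_S = 300; // assumed freshness window; the page gives no value

// RFC 8785 canonical form: object keys sorted by UTF-16 code unit, no
// whitespace, strings and numbers serialized exactly as JSON.stringify does.
function canonicalize(v) {
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  return '{' + Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
}

// Parent side: sign the canonical bytes, never the bytes as they were typed.
function signPolicy(policy, privateKey) {
  return crypto.sign(null, Buffer.from(canonicalize(policy)), privateKey);
}

// Kid side: any failed check returns the old state object untouched, so a
// rejected bundle can never replace the policy already being enforced.
function applyBundle(state, rawJson, sig, publicKey, nowS) {
  try {
    const p = JSON.parse(rawJson);
    if (!crypto.verify(null, Buffer.from(canonicalize(p)), publicKey, sig))
      throw new Error('bad signature');
    if (!Number.isSafeInteger(p.policy_seq) || p.policy_seq <= state.lastSeq)
      throw new Error('replayed or rolled-back policy_seq');
    if (!Number.isSafeInteger(p.issued_at) ||
        Math.abs(nowS - p.issued_at) > WINDOW_S)
      throw new Error('outside freshness window');
    return { ok: true, state: { lastSeq: p.policy_seq, active: p } };
  } catch (e) {
    return { ok: false, reason: e.message, state };
  }
}

// Constructed sample: a throwaway key pair and a made-up policy.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const policy = {
  policy_seq: 7,
  issued_at: 1700000000,
  allow: ['com.example.maps'],
  bedtime: { start: '21:00', end: '07:00' },
};
const sig = signPolicy(policy, privateKey);
// Same policy, different key order and whitespace: it still verifies.
const reordered = '{ "issued_at": 1700000000, "bedtime": {"end":"07:00","start":"21:00"},\n' +
  '  "allow": ["com.example.maps"], "policy_seq": 7 }';
console.log(applyBundle({ lastSeq: 6, active: null }, reordered, sig, publicKey, 1700000060));
```

Because the signature covers the canonical form, two serializations of the same policy share one signature, while changing a single value breaks it.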
Fail-closed, and adversarial about it.
Every error path defaults to more restriction, never less. The threat model treats even the parent as a possible adversary, and the design refuses covert monitoring on principle. Read the attacks, the defenses, and the ethics, then try to break them.
Honest status: the plan is done, the build is just starting.
OpenWarden is pre-1.0. The specs, the threat model, and the ethics are written and complete. The code is at the beginning. That's exactly why now is a good time to help shape it.
The core: real local control on a stock Android phone, fully offline-tolerant.
- App allowlist + blocklist
- Bedtime & school-time windows
- Signed policy bundles
- Sealed-box event log
- 24-word recovery + printable PDF
- Kid transparency screen
- "Ask a parent" requests
Quality of life and reach, once v1 is stable.
- DNS content filter
- Install-approval flow
- On-device NSFW image check (opt-in)
- iOS parent app
- WireGuard & Tailscale transports
- Multi-child UI
Smarter, still local, still opt-in.
- Geofencing (home, school)
- On-device text classifier (opt-in per app)
- Call screening + contacts allowlist
- Earned screen-time / time bank
v1 targets the Pixel 7 first; broader device support comes later. Every line above stays inside the pledge: no cloud analysis, no content monitoring, no subscription, ever.
A tool like this can be misused. So we built against it.
"Parental control" software is one of the most weaponized categories there is. OpenWarden treats that risk as a design problem, not a disclaimer: the kid always sees what's monitored, help is one tap away on every screen, and older teens can remove it on their own. If you are in an unsafe home, you deserve real help.
- 988 Suicide & Crisis Lifeline
- 1-800-422-4453 Childhelp
- Text HOME to 741741
- Coalition Against Stalkerware