Architecture Overview
A Phosra-powered parental control system has four components:- Parent creates a family and child profile via the dashboard or API
- Parent creates and activates a policy with age-appropriate rules
- Parent registers the child’s device (iOS or Android)
- The device SDK fetches the compiled policy from the API
- The enforcement engine applies rules using native OS APIs
- The device reports enforcement status and usage data back to Phosra
- When the parent updates rules, a push notification triggers immediate re-sync
Registration Flow
From the parent’s app, register the child’s device. This returns a one-time API key that the child’s device stores locally.
Policy Lifecycle
A policy goes through these stages:1. Create a Draft Policy
2. Generate Age-Appropriate Rules
3. Activate the Policy
4. Device Fetches the Compiled Policy
The device SDK callsGET /device/policy and receives a CompiledPolicy with all rules translated into an enforceable format (content filters, screen time, web filters, etc.).
5. On-Device Enforcement
The enforcement engine maps each policy section to native OS APIs and applies the restrictions.6. Report Back
The device submits an enforcement status report listing per-category results (enforced, partial, failed, unsupported).
Platform Comparison
| Capability | iOS | Android |
|---|---|---|
| Content filtering | ManagedSettings (age rating + app blocking) | UsageStatsManager + Overlay |
| Screen time limits | DeviceActivity (native schedules) | UsageStatsManager + AlarmManager |
| Web filtering | ManagedSettings (webContent) | Local VPN (DNS interception) |
| Purchase controls | ManagedSettings (appStore) | DevicePolicyManager |
| App blocking | ManagedSettings (blockedApplications) | AccessibilityService + Overlay |
| Notification control | ManagedSettings (iOS 16.4+) | NotificationListenerService |
| Background sync | APNs silent push + Timer | WorkManager + FCM |
| Key storage | Keychain | EncryptedSharedPreferences |
| Min OS version | iOS 16.0 | Android 8.0 (API 26) |
| Special entitlements | FamilyControls entitlement (Apple approval) | Permissions Declaration Form (Play Console) |
| Policy refresh | APNs silent push + polling | FCM data message + WorkManager |
Handling Age Transitions
When a child crosses an age bracket boundary (e.g., turning 13), the parent may want to adjust their policy. Phosra makes this straightforward:Automatic Detection
The Phosra API knows each child’s birth date and automatically computes the age group. When the age group changes, a webhook event is fired:Regenerate Rules
CallgenerateFromAge to update rules for the new age group:
Gradual Relaxation
For a smoother transition, adjust specific rules rather than regenerating everything:Multi-Device Setup
A single child can have multiple devices registered, and each receives the same compiled policy.Register Multiple Devices
- Has its own unique API key (stored in that device’s secure storage)
- Fetches the same compiled policy
- Reports enforcement status independently
- Receives push notifications independently
Cross-Device Screen Time
Screen time is tracked per-device. To enforce a combined limit across devices, use the Phosra API to aggregate:List Devices for a Child
Offline Enforcement
Both SDKs cache the most recent compiled policy on-device, enabling enforcement even without network connectivity.How It Works
-
When a policy is fetched, the SDK stores it locally:
- iOS: UserDefaults or app container (policy data is non-sensitive)
- Android: SharedPreferences
- On app launch or device reboot, the enforcement engine loads the cached policy and re-applies it immediately.
- When network returns, the SDK syncs with the API and applies any updates.
Cache Strategy
Considerations
- Cached policies remain enforced indefinitely until a newer version is fetched
- Screen time counters persist across reboots (stored locally)
- If a parent revokes a device, the revocation takes effect on the next successful API call
- For maximum reliability, use APNs (iOS) or FCM (Android) to push policy updates immediately
Security Considerations
API Key Storage
| Platform | Storage | Protection |
|---|---|---|
| iOS | Keychain | Hardware-backed, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly |
| Android | EncryptedSharedPreferences | AES-256 via Android Keystore |
- Generated server-side as 32 random bytes (hex-encoded, 64 characters)
- Returned exactly once during device registration
- Stored as a SHA-256 hash on the server; the plaintext is never stored server-side
- Used as
X-Device-Keyheader for all device-authenticated API calls
Tamper Detection
Prevent the child from bypassing enforcement:iOS
- FamilyControls runs at the OS level; apps cannot bypass it
- ManagedSettings persists across app deletion and reinstall
- DeviceActivity monitoring continues even if the app is force-quit
- Shield UI is rendered by the OS, not the app
Android
- Device Admin prevents app uninstall without parent PIN
- VPN service runs as foreground service (persistent)
- AccessibilityService restarts automatically if killed
- Boot receiver re-applies enforcement after reboot
- Overlay blocks interaction with restricted apps
Communication Security
- All API communication uses HTTPS (TLS 1.2+)
- Device keys are transmitted only once (during registration)
- Conditional fetching (
since_version) minimizes data transfer - Push notifications contain only the event type and version number, not policy data