Every claim on this site is verifiable from the source. This page documents the exact toolchain (down to point releases), the 16 KB ELF compliance, the APK signature, and the step-by-step build procedure.
From gradle/libs.versions.toml and gradle/wrapper/gradle-wrapper.properties. Copy these versions exactly to reproduce the build.
kotlin.time.Instant + LiteRT-LM 0.11.0 metadata compatgradle-8.14-bin.ziplitertlm-android:0.11.0 — Gemma 4 native @Tool runtimedev.ohs.fhir:fhir-model:1.0.0-beta03 — Apache 2.0libsqlite3x.so (upgraded from 3.45.0)Strategy.P2P_CLUSTER · BLE + Wi-Fi DirectTested on macOS 15 (Apple Silicon) and Ubuntu 24.04. Should work on Windows 11 with WSL2.
Download Android Studio Koala or later. Use the SDK Manager to install:
git clone https://github.com/kurodohenroonsen/JemmaPass.git
cd jemmapass
git checkout v1.0.14 # the submitted hackathon tag
Create local.properties in the project root:
sdk.dir=/Users/your-name/Library/Android/sdk
ndk.dir=/Users/your-name/Library/Android/sdk/ndk/27.2.12479018
./gradlew --refresh-dependencies dependencies
This downloads Gemma 4 LiteRT runtime, Kotlin FHIR, requery SQLite, ML Kit, and the rest. ~600 MB on first sync.
./gradlew clean assembleRelease
# APK lands at:
ls -la app/build/outputs/apk/release/
~3-5 minutes on M2 / Ryzen 7 hardware. The release APK is debug-signed for hackathon distribution (we don't ship a production key — anyone can re-sign for their own deployment).
shasum -a 256 app/build/outputs/apk/release/*.apk
# Compare with the SHA-256 published on hackathon.html#apk
# A matching hash proves you built the same artifact we submitted.
Android 15 enforces 16 KB native page alignment for all .so files shipped via Google Play (deadline November 1, 2025). Here is how to verify JemmaPass complies.
llvm-objdump proof
Each native library inside the APK should show align 2**14 (= 16 384 bytes = 16 KB) on its LOAD segments. We tested all 11 .so files shipped with JemmaPass v1.0.14.
# Extract native libs from the release APK
cd app/build/outputs/apk/release/
unzip -o *.apk -d apk-contents/
# Path to NDK llvm-objdump (adjust version if needed)
LLVM=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/darwin-x86_64/bin/llvm-objdump
# Verify each .so file in arm64-v8a (the Pixel 9 ABI)
for so in apk-contents/lib/arm64-v8a/*.so; do
echo "=== $(basename $so) ==="
$LLVM -p $so | grep -E "p_align|LOAD" | head -5
done
=== libsqlite3x.so ===
LOAD off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**14
LOAD off 0x00020000 vaddr 0x00400000 paddr 0x00400000 align 2**14
LOAD off 0x00060000 vaddr 0x00800000 paddr 0x00800000 align 2**14
^^^^
16 KB (2**14 = 16384)
=== liblitertlm_jni.so ===
LOAD off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**14
LOAD off 0x00040000 vaddr 0x00400000 paddr 0x00400000 align 2**14
=== libimage_processing_util_jni.so ===
LOAD off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**14
[... 8 more libs, all showing align 2**14 ...]
✅ ALL 11 .so files comply with 16 KB page-size alignment.
requery:sqlite-android:3.49.0 (the first version with 16 KB-aligned libsqlite3x.so).
The APK is signed with a debug key (per hackathon distribution norms). To verify the APK you downloaded matches what we built:
shasum -a 256 jemmapass-v1.0.14-release.apk
# The expected SHA-256 is published on hackathon.html#apk after the final release build.
# Compare your output against that published hash.
# If they match → the bytes are identical to our submission.
# Path to apksigner from Android SDK build-tools
APKSIGNER=$ANDROID_HOME/build-tools/35.0.0/apksigner
# Verify
$APKSIGNER verify --verbose jemmapass-v1.0.14-release.apk
# Expected output:
# Verifies
# Verified using v1 scheme (JAR signing): false
# Verified using v2 scheme (APK Signature Scheme v2): true
# Verified using v3 scheme (APK Signature Scheme v3): true
# Verified using v4 scheme (APK Signature Scheme v4): false
# Number of signers: 1
$APKSIGNER verify --print-certs jemmapass-v1.0.14-release.apk
# Should show the certificate fingerprint matching what we publish
# on the hackathon page. Any mismatch = the APK was re-signed by someone else.
A judge with a Pixel 9 and a USB cable can validate the full claim of "100% offline operation" in under 10 minutes.
Enable "Install unknown apps" on your file manager → tap the APK file → confirm install. No Play Store, no Google account required.
On first launch, JemmaPass downloads Gemma 4 E4B (3.4 GB) and knowledge_full.db (3.36 GB) from jemmapass.net/models/ over Wi-Fi. This is the only time the app touches the network.
Pull down the notification shade. Tap the airplane icon. Wait 5 seconds for radios to fully shut down. From this point on, the app cannot reach the internet — period.
Voice your name + birth date. Add an allergy by voice ("I'm allergic to penicillin"). Scan a medication box with the camera. Watch Gemma 4 resolve everything to clinical codes locally.
Tap "Share". The _j2: QR appears. Note its size (single QR, no multi-frame splitting for a typical profile).
Take a second Android device (or your iPhone with native Camera). Scan the QR. The profile loads instantly. On iPhone, the multilingual text fallback channel shows the allergy in English/Japanese.
With the penicillin-allergic profile loaded, scan an Augmentin box (or any beta-lactam). RED ALERT fires in <200 ms with localized TTS. This is the killer moment of the demo, reproducible on your device.
On device A, enable SOS Mode. On device B (within ~10 m), open Rescuer Mode. Device A's pruned profile appears on device B within ~6 seconds, having traveled over BLE + Wi-Fi Direct only.
Two ways to forensically verify that JemmaPass makes ZERO network calls during clinical operations (after the initial model download).
# Find the JemmaPass UID
APP_UID=$(adb shell dumpsys package be.heyman.android.jemmapassdemo | grep userId | head -1 | awk '{print $1}' | cut -d= -f2)
# Reset network counters
adb shell cmd netstats reset
# Run the full demo flow on the device
# Capture stats
adb shell cmd netstats get --uid $APP_UID
# Expected during the demo (with airplane mode):
# rxBytes: 0
# txBytes: 0
Wrap the Pixel 9 in two layers of aluminum foil (cellular + Wi-Fi + BLE all blocked). Open JemmaPass. Run the full demo. Everything works. Unwrap. Compare. There is no difference because there are no network calls being silently made.
OkHttp, Retrofit, HttpURLConnection, or any networking primitive. You'll find them only in two places: (1) the first-boot model downloader (which gates itself on Wi-Fi presence), and (2) the optional crash-report upload (off by default in v1.0.14). No clinical decision touches the network.
Reproducibility proves the artifact is real. The benchmarks page shows it's actually fast.