alainrk/shufflekeys

🛡️ ShuffleKeys

Defeat biometric fingerprinting by obfuscating your keystroke dynamics.

Status: Active License: MIT


The Problem

Websites use high-resolution JavaScript timers to capture your unique typing pattern—the timing between key presses (flight time) and the duration each key is held down (dwell time). This creates a biometric "fingerprint" that identifies you across sites, even when using a VPN or Incognito mode.

The Solution

ShuffleKeys operates at the system level to neutralize tracking by intercepting physical keystrokes and re-emitting them as synthetic events.

Core Mechanisms

  • Quantization: Rounds timing to discrete "buckets" to eliminate precise millisecond patterns.
  • Controlled Noise: Injects Gaussian noise ($\sigma$) into flight and dwell times.
  • Timestamp Spoofing: Replaces raw hardware timestamps with spoofed data to mislead trackers.


Demo: Neutralizing Enrollment

In this demo, the biometric registration fails to verify the user because the underlying rhythm is replaced by a randomized "persona". TypingDNA provides a way to test it through their demo Authentication API.

Tech Stack

Product

  • Core Engine: Rust — High-performance, low-latency keystroke manipulation using nix, libc, and OS-specific APIs (evdev on Linux, CoreGraphics on macOS).
  • Desktop Framework: Tauri v2 — Lightweight desktop wrapper using native webviews for a minimal footprint.
  • Frontend UI: React + TypeScript — Modern, type-safe interface for real-time monitoring and configuration.
  • Styling: Tailwind CSS + Lucide — Sleek, utility-first design and iconography.

Toolchain

  • Build System: Makefile — Standardized entry points for CLI, UI, and maintenance tasks.
  • Backend Tooling: Cargo (Package Manager), Clippy (Linter), rustfmt (Formatter).
  • Frontend Tooling: Vite (Build Tool), NPM (Package Manager), PostCSS (CSS Transformation).

Installation

Prerequisites

  • Rust toolchain (install via rustup.rs)
  • Node.js and npm

Building from source

# Clone the repository
git clone https://github.com/alainrk/shufflekeys.git
cd shufflekeys

# Run the setup script to build and configure permissions
make setup

macOS — Gatekeeper notice

ShuffleKeys is not signed with an Apple Developer certificate, so macOS will show a warning:

"ShuffleKeys" cannot be opened because Apple could not verify it is free of malware.

To bypass this, remove the quarantine attribute after downloading:

xattr -cr /Applications/ShuffleKeys.app

Alternatively, right-click the app and select Open — macOS will give you the option to open it anyway.

Usage

Desktop App

The recommended way to use ShuffleKeys is through the desktop app:

make app

From the UI, you can toggle protection on and off and adjust the obfuscation strength.

CLI

You can also run ShuffleKeys directly from the terminal:

make run            # Run with obfuscation ON (sudo)
make run-off        # Run in passthrough mode (sudo)
make run-status     # Show current config

Developer Commands

make build          # Debug build
make test           # Run all tests
make lint           # Run clippy + format check
make fmt            # Auto-format code
make app-build      # Build desktop app for distribution
make ci             # Full CI pipeline
make help           # Show all available commands

Permissions

macOS

The application requires Accessibility (and potentially Input Monitoring) permissions. The setup script will guide you to the correct menu in System Settings.

After reinstalling or updating: macOS invalidates the existing accessibility grant when the binary changes. If the toggle is already on but ShuffleKeys reports missing permissions, remove the entry and re-add it in System Settings -> Privacy & Security -> Accessibility (select ShuffleKeys, click the - button, then re-open the app and add it back with +).

Linux

The application requires access to /dev/uinput. The setup script will create the necessary udev rules and add your user to the input group. You must log out and back in for these changes to take effect.

Configuration

Settings can be tuned in the Desktop UI or manually in ~/.config/shufflekeys/config.toml:

  • Strength: Balance between original timing and full obfuscation (0.7 is recommended).
  • Max Latency: The maximum delay (in ms) allowed for a single keystroke.
  • Buckets: The quantization level for timing intervals.
  • Noise: The amount of Gaussian jitter added to prevent bucket analysis.
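How the four settings above and the Core Mechanisms (quantization, Gaussian noise) can combine on a single flight or dwell interval, as an added example that is not ShuffleKeys' own code. The field names, the round-up rule, the linear strength blend and the built-in PRNG are assumptions made for illustration.

```rust
// Added illustration; field names and the blending rule are assumptions,
// not taken from the ShuffleKeys source.
struct Config { strength: f64, max_latency_ms: f64, bucket_ms: f64, noise_sigma_ms: f64 }

// SplitMix64: tiny deterministic PRNG so the example needs no external crate.
// A real tool would draw from a CSPRNG so the jitter cannot be predicted.
struct Rng(u64);
impl Rng {
    fn next_u64(&mut self) -> u64 {
        self.0 = self.0.wrapping_add(0x9E3779B97F4A7C15);
        let mut z = self.0;
        z = (z ^ (z >> 30)).wrapping_mul(0xBF58476D1CE4E5B9);
        z = (z ^ (z >> 27)).wrapping_mul(0x94D049BB133111EB);
        z ^ (z >> 31)
    }
    // Uniform in (0, 1], safe to pass to ln().
    fn unit(&mut self) -> f64 { ((self.next_u64() >> 11) as f64 + 1.0) / (1u64 << 53) as f64 }
    // Standard normal sample via Box-Muller.
    fn gauss(&mut self) -> f64 {
        let (u1, u2) = (self.unit(), self.unit());
        (-2.0 * u1.ln()).sqrt() * (2.0 * std::f64::consts::PI * u2).cos()
    }
}

// Maps one measured interval (flight or dwell, in ms) to the interval to re-emit.
fn obfuscate(orig_ms: f64, cfg: &Config, rng: &mut Rng) -> f64 {
    // Quantization: round up to the next bucket edge (events can only be delayed).
    let quantized = (orig_ms / cfg.bucket_ms).ceil() * cfg.bucket_ms;
    // Controlled noise: Gaussian jitter hides the bucket edges themselves.
    let noisy = quantized + cfg.noise_sigma_ms * rng.gauss();
    // Strength: linear blend between the original and fully obfuscated timing.
    let target = orig_ms + cfg.strength * (noisy - orig_ms);
    // Max latency: bound the added delay; never emit earlier than the real event.
    orig_ms + (target - orig_ms).clamp(0.0, cfg.max_latency_ms)
}

fn main() {
    let cfg = Config { strength: 0.7, max_latency_ms: 50.0, bucket_ms: 20.0, noise_sigma_ms: 5.0 };
    let mut rng = Rng(42);
    // Constructed sample flight times in ms, not captured data.
    for t in [83.0, 91.0, 97.0, 142.0] {
        println!("{:6.1} ms -> {:6.1} ms", t, obfuscate(t, &cfg, &mut rng));
    }
}
```

With noise at zero and strength at 1.0, every interval in the same bucket collapses to one value, which is why the jitter term matters: without it the bucket edges become a stable, analyzable signal.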
