In development · Android · 2026

Android's first security-governed launcher.

EV-signed releases. Threat-modelled surfaces. Built to the standard that Nova Launcher left behind — by a UK-registered company, not a hobbyist side project.

Join the waitlist See the security architecture
Cryptographic Identity
EV Code-Signed
Every release signed with an Extended Validation certificate. Tampering is detectable.
Registered Entity
UK Limited Company
Meadowlarktech Ltd — registered in England, headquartered in Canary Wharf, London.
Verified Publisher
DUNS Registered
Dun & Bradstreet–verified business identity. Auditable supply chain.
Security as architecture

Not a feature.
Not a checkbox.
A constraint on every line.

Lark is governed by a documented methodology — SGIA, Security-Governed Incremental Architecture. Threat surfaces are mapped before features are written. Invariants are codified, not negotiated. AI-assisted development operates under strict human authority with confirmation gates on every change.

  • 01

    Threat-modelled surfaces

    Icon pack loading, widget hosting, IPC, app shortcuts, storage — each analysed and controlled before implementation.

  • 02

    Signed, reproducible releases

    EV-signed APK/AAB artefacts, built from tagged commits by CI. No unsigned builds, no mystery origins, no debug builds in production.

  • 03

    Permission minimalism

    No speculative permissions. Each grant is justified against a concrete, shipped feature — and auditable in the manifest.

  • 04

    Dedicated security waves

    Entire release cycles devoted solely to hardening. Security items are locked scope — numbered, tracked, and delivered alongside features.

  • 05

    Human authority over AI

    Code is written with AI assistance under a confirmation-gate contract. No autonomous commits, no silent changes, no drift.

The threat model

Every attack surface, mapped and controlled.

A home screen launcher touches almost every app on the device. We documented the threat surface explicitly before writing a line of production code — because a launcher you trust is a launcher whose compromises are understood.

Attack surface
Threat
Control
Icon pack loading
Malicious APK masquerading as icon pack
Signature verification and permission check before load
Widget hosting
Widget app injecting into launcher process
AppWidgetHost sandboxing with provider validation
App shortcuts
Pinned shortcuts launching unintended intents
Intent validation before execution
IPC and broadcasts
Spoofed package-change broadcasts
Explicit intent filtering and source validation
Local storage
Layout data exfiltration or corruption
Internal storage only, no world-readable files
Release pipeline
Sideload bypass, signing-key spoofing
EV-signed releases, no debug builds in production
The gap we're filling

Indie launchers cut corners. Lark doesn't.

Most Android launchers are single-developer side projects — useful, but with no verified publisher, no code-signing chain, and no governance around the code you trust with every app on your phone. Lark is built to a different bar.

Lark Launcher

Security-governed, release-disciplined

  • EV code signing — tamper-evident releases
  • UK Ltd company with DUNS verification
  • Documented threat model: icon packs, widgets, IPC
  • No debug builds ever published
  • Internal storage only — no world-readable layout data
  • Reproducible builds from Git tags
  • Confirmation-gated AI-assisted development
Typical indie launcher

Hobbyist shipping, unverified origin

  • Self-signed or ad-hoc signing keys
  • Individual developer — no corporate identity
  • No published threat model
  • Mixed debug/release build pipeline
  • External-storage artefacts, sometimes world-readable
  • Unclear release provenance
  • No governance around AI-generated code
What you get

A home screen that respects you.

Fast, customisable, quiet. The features you expect from a flagship launcher — engineered on an architecture that won't regress the moment the company behind it pivots.

Layout that survives.

Your home screen is a contract. It persists across restarts, crashes and OS upgrades — backed by Room with graceful recovery on corruption.

No ANR. Ever.

Icon loading, app queries, database work — all off the main thread. Zero tolerance for jank on 60 Hz or 120 Hz displays.

Privacy by architecture.

No telemetry, no analytics pipelines. Internal storage only. Minimal permissions — nothing speculative, nothing "just in case".

Icon packs, safely.

Signature-verified icon pack loading. Malicious APKs masquerading as icon packs can't gain a foothold in your launcher process.

Widgets, sandboxed.

Widget apps run behind AppWidgetHost sandboxing with provider validation. A broken widget can never crash the launcher.

Built incrementally.

Every release reproducible from a Git tag. Every change reviewed. No bulk commits, no surprise refactors — release discipline is a feature.

Early access

Be first in the flight path.

Join the waitlist for beta releases, build notes, and the occasional architecture write-up. No marketing spam. No third-party trackers.

You'll hear from us. Nobody else will.