How ProtectMyAPI Works
ProtectMyAPI is a secure API proxy that protects your mobile app's API keys using hardware-backed device attestation. Your API keys never touch the device, and every request is cryptographically verified to come from your legitimate app.
The Problem We Solve: Mobile apps can be decompiled to steal API keys. ProtectMyAPI keeps your keys safe on our servers and verifies every request comes from a real, uncompromised device running your actual app.
The Security Problem
When you embed API keys in your mobile app:
```text
❌ Your App Code
├── Contains: API_KEY = "sk-abc123..."
├── Hackers decompile your app → Find the key
├── Bots use your key → Run up your bill
└── You get banned from OpenAI/Stripe/etc.
```
This happens constantly. Even obfuscation and encryption can be defeated by determined attackers.
The ProtectMyAPI Solution
```text
✅ With ProtectMyAPI
├── Your App Code → Contains only App Token (not secret)
├── API keys stored on ProtectMyAPI servers (encrypted)
├── Every request verified with Apple/Google
└── Only YOUR app on REAL devices can use your keys
```
How Requests Flow
```text
Your App (iOS/Android)  ──>  ProtectMyAPI Servers  ──>  API Provider (OpenAI, etc.)

1. Your App      ──> ProtectMyAPI   : Request + Attestation
2. ProtectMyAPI  ──> Apple/Google   : Verify attestation
3. ProtectMyAPI  ──> API Provider   : Forward request with API key injected
4. API Provider  ──> ProtectMyAPI   : Receive response
5. ProtectMyAPI  ──> Your App       : Return response to app
```
Step by Step:
- Your app makes a request → SDK adds cryptographic proof from the device's secure hardware
- ProtectMyAPI verifies the attestation → Apple (App Attest) or Google (Play Integrity) confirms:
  - ✅ This is YOUR app (not a fake)
  - ✅ Running on a REAL device (not emulator)
  - ✅ Device is NOT jailbroken/rooted
  - ✅ App hasn't been tampered with
- API key injected server-side → Your secret key is added to the request
- Request forwarded → ProtectMyAPI calls OpenAI/Stripe/etc. on your behalf
- Response returned → Your app gets the result (key never exposed)
Device Attestation Explained
iOS: Apple App Attest
App Attest uses the Secure Enclave, a dedicated security chip in every iPhone/iPad, that:
- Generates cryptographic keys that can't be extracted
- Signs requests proving they came from your legitimate app
- Produces signatures that Apple validates on its servers
```swift
// What happens behind the scenes (DeviceCheck's App Attest API):
import DeviceCheck
import CryptoKit

let service = DCAppAttestService.shared
// The key pair is created inside the Secure Enclave; only its identifier leaves it
let keyId = try await service.generateKey()
// The server-issued challenge is hashed and bound into the attestation
let clientDataHash = Data(SHA256.hash(data: serverChallenge))
let attestation = try await service.attestKey(keyId, clientDataHash: clientDataHash)
// Apple cryptographically signs this, proving authenticity; the attestation is
// tied to your App ID (Team ID + bundle ID, e.g. ABCD1234.com.yourcompany.app)
```
Android: Google Play Integrity
Play Integrity uses TEE (Trusted Execution Environment) or StrongBox hardware to:
- Verify the device hasn't been tampered with
- Confirm your app was installed from Google Play
- Sign requests with hardware-backed keys
```kotlin
// What happens behind the scenes (Play Integrity API):
import com.google.android.play.core.integrity.IntegrityManagerFactory
import com.google.android.play.core.integrity.IntegrityTokenRequest

val integrityManager = IntegrityManagerFactory.create(context)
// The nonce is the server-issued challenge, so the token cannot be replayed;
// the package name (com.yourcompany.app) is taken from the calling app, not passed in
val request = IntegrityTokenRequest.builder().setNonce(serverChallenge).build()
integrityManager.requestIntegrityToken(request).addOnSuccessListener { response ->
    val integrityToken = response.token()  // opaque signed token, decoded server-side via Google
}
// Google validates device integrity and app authenticity
```
What Gets Blocked
| Threat | Protection |
|---|---|
| Decompiled apps | Attestation fails → no valid signature |
| Emulators/Simulators | No secure hardware → blocked |
| Jailbroken/Rooted devices | Integrity check fails → blocked |
| Man-in-the-middle attacks | Certificate pinning + signed requests |
| Replay attacks | Unique nonces + timestamps |
| Bot traffic | No valid attestation → blocked |
| Modified app binaries | Code signing verification fails |
Security Layers
ProtectMyAPI uses defense in depth with multiple security layers:
Layer 1: Device Attestation
- Apple App Attest (iOS)
- Google Play Integrity (Android)
- Hardware-backed cryptographic proof
Layer 2: Request Signing
- Every request signed with device-specific key
- Timestamps prevent replay attacks
- HMAC-SHA256 signatures
Layer 3: Transport Security
- TLS 1.3 encryption
- Certificate pinning
- No downgrade attacks
Layer 4: Server-Side Protection
- API keys encrypted at rest (AES-256)
- Rate limiting per device
- Anomaly detection
- Audit logging
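What Layer 2 (a device-specific HMAC-SHA256 signature with timestamps and nonces) and step 3 of the request flow (server-side key injection) look like in practice, as an added example in Python that is not ProtectMyAPI's code. The header names, the 300-second skew window, the in-memory nonce set and the device key are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SKEW_SECONDS = 300  # assumed window: timestamps further from "now" than this are rejected


def canonical(method, path, ts, nonce, body):
    """String both sides MAC over; changing method, path, time, nonce or body breaks it."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign_request(device_key, method, path, body, now=None, nonce=None):
    """SDK side: the device-specific key (a constructed byte string here) signs the request."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(device_key, canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


def verify_and_inject(device_key, provider_key, method, path, body, headers, seen, now=None):
    """Proxy side. Returns (True, headers to forward) or (False, reason).
    `seen` is the replay store (a set here; a shared store with a TTL in production).
    The provider key appears only in the forwarded headers, never in the app."""
    now = int(time.time() if now is None else now)
    try:
        ts = int(headers["X-Timestamp"])
        nonce, sig = headers["X-Nonce"], headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signing headers"
    if abs(now - ts) > SKEW_SECONDS:  # cheap check first: stale requests are dropped
        return False, "stale timestamp"
    expected = hmac.new(device_key, canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if nonce in seen:  # a valid signature seen twice is a replay
        return False, "replayed nonce"
    seen.add(nonce)  # record only after the MAC verifies, so forged requests cannot poison the store
    return True, {"Authorization": f"Bearer {provider_key}", "Content-Type": "application/json"}


if __name__ == "__main__":
    key, body, seen = b"constructed-device-key", b'{"model": "demo"}', set()
    hdrs = sign_request(key, "POST", "/v1/chat", body, now=1_700_000_000, nonce="n1")
    print(verify_and_inject(key, "sk-PLACEHOLDER", "POST", "/v1/chat", body, hdrs, seen, now=1_700_000_010))
    print(verify_and_inject(key, "sk-PLACEHOLDER", "POST", "/v1/chat", body, hdrs, seen, now=1_700_000_020))
```

The second call in the demo is the same signed request presented again and is rejected as a replay even though its signature is valid.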
Why Trust ProtectMyAPI?
- Zero-Knowledge Architecture: We can't read your API keys; they're encrypted with keys we don't have access to
- SOC 2 Type II (Coming): Enterprise-grade security audits and compliance
- GDPR Compliant: Full data privacy compliance for EU users
- 99.9% Uptime SLA: Global infrastructure with automatic failover
Performance Impact
| Operation | Overhead |
|---|---|
| First request (attestation setup) | ~200-300ms |
| Subsequent requests | ~20-30ms |
| Request proxying | ~10-15ms |
Total overhead for a typical request: under 50ms, imperceptible to users.
Comparison: With vs Without ProtectMyAPI
| Aspect | Without ProtectMyAPI | With ProtectMyAPI |
|---|---|---|
| API keys in app | ❌ Exposed | ✅ Never in app |
| Key theft risk | ❌ High | ✅ Eliminated |
| Bot protection | ❌ None | ✅ Hardware-verified |
| Emulator abuse | ❌ Possible | ✅ Blocked |
| Jailbreak abuse | ❌ Possible | ✅ Blocked |
| Backend required | ⚠️ Yes, for security | ✅ No, we handle it |
| Time to implement | ⚠️ Days/weeks | ✅ Minutes |