Security Architecture

ProtectMyAPI implements enterprise-grade security to protect your API keys and prevent unauthorized access.

🔒

We follow OWASP security guidelines, SOC 2 compliance requirements, and industry best practices for API security.

Zero-Trust Security Model

ProtectMyAPI operates on a zero-trust principle: every request must prove its legitimacy before accessing protected resources.

The 4-Layer Security Stack

┌─────────────────────────────────────────────┐
│  Layer 4: TLS 1.3 Encryption (Transit)      │
├─────────────────────────────────────────────┤
│  Layer 3: Device Attestation (Identity)     │
├─────────────────────────────────────────────┤
│  Layer 2: AES-256 Encryption (Storage)      │
├─────────────────────────────────────────────┤
│  Layer 1: Runtime Protection (Client)       │
└─────────────────────────────────────────────┘

Layer 1: Runtime Protection (Client-Side)

Our SDKs include built-in security checks that run on the device:

Jailbreak/Root Detection

iOS: Detects common jailbreak artifacts, Cydia, unauthorized paths
Android: Detects root binaries, Magisk, su access, test-keys

Debugger Detection

Blocks requests when debugger is attached
Prevents runtime analysis and memory inspection

Emulator/Simulator Detection

Identifies virtual environments
Blocks requests from non-physical devices (configurable)

Binary Integrity

Verifies app signature matches expected bundle ID
Detects repackaged or modified apps

Layer 2: Device Attestation (Identity)

Device attestation cryptographically proves the request comes from:

A genuine device (not emulated)
Your authentic app (not modified)
A secure environment (not compromised)

Apple App Attest (iOS)

┌─────────────┐         ┌──────────────────┐
│   iPhone    │         │  Apple Servers   │
│   (Your     │   ───►  │  (App Attest)    │
│    App)     │   ◄───  │                  │
└─────────────┘         └──────────────────┘
       │                         │
       │    Signed Assertion     │
       ▼                         ▼
┌─────────────────────────────────────────┐
│           ProtectMyAPI Server           │
│  • Verifies Apple signature             │
│  • Validates bundle ID                  │
│  • Checks device ID                     │
│  • Prevents replay attacks              │
└─────────────────────────────────────────┘

How it works:

App generates a key pair tied to device hardware
Apple signs the public key with bundle ID and team ID
For each request, device signs a challenge with private key
ProtectMyAPI verifies signature with Apple’s root certificate

Google Play Integrity (Android)

┌─────────────┐         ┌──────────────────┐
│   Android   │         │  Google Servers  │
│   (Your     │   ───►  │  (Play Integrity)│
│    App)     │   ◄───  │                  │
└─────────────┘         └──────────────────┘
       │                         │
       │    Integrity Token      │
       ▼                         ▼
┌─────────────────────────────────────────┐
│           ProtectMyAPI Server           │
│  • Decrypts integrity token             │
│  • Verifies package name                │
│  • Checks device verdict                │
│  • Validates app licensing              │
└─────────────────────────────────────────┘

Verdict Types:

MEETS_DEVICE_INTEGRITY: Genuine Android device
MEETS_BASIC_INTEGRITY: Device passes basic checks
MEETS_STRONG_INTEGRITY: Device has strong security
MEETS_VIRTUAL_INTEGRITY: Legitimate Android emulator

Layer 3: Encryption at Rest

All sensitive data is encrypted using AES-256-GCM:

What’s Encrypted

API keys and secrets
OAuth tokens
Service credentials
Webhook signing keys

Key Management

Encryption key derived from ENCRYPTION_KEY environment variable
Keys never logged or exposed in error messages
Regular key rotation supported
Hardware security module (HSM) integration available for enterprise

Encryption Process

┌──────────────────┐
│  Your API Key    │  "sk-abc123xyz..."
└────────┬─────────┘
         │
         ▼
┌──────────────────┐
│  AES-256-GCM     │  + Random IV
│  Encryption      │  + Auth Tag
└────────┬─────────┘
         │
         ▼
┌──────────────────┐
│  Encrypted Blob  │  "aGVsbG8gd29ybGQ..."
│  (Database)      │
└──────────────────┘

Layer 4: Encryption in Transit

All communications use TLS 1.3 with:

Configuration

TLS 1.3 only (TLS 1.2 fallback available)
Strong cipher suites (AEAD only)
Perfect Forward Secrecy (PFS)
Certificate pinning in SDKs

Pinned Certificates

Our SDKs pin to ProtectMyAPI’s root certificate to prevent MITM attacks:

// iOS SDK - Certificate pinning is automatic
ProtectMyAPI.configure(appToken: "your-token")
// Pinning enabled by default

// Android SDK - Certificate pinning is automatic
ProtectMyAPI.configure(appToken = "your-token")
// Pinning enabled by default

Infrastructure Security

Network Architecture

┌─────────────────────────────────────────────────────┐
│                  Cloudflare (WAF)                   │
│  • DDoS protection  • Rate limiting  • Bot defense │
└─────────────────────────┬───────────────────────────┘
                          │
┌─────────────────────────┼───────────────────────────┐
│                    Load Balancer                    │
│              (Geographic distribution)              │
└─────────────────────────┬───────────────────────────┘
                          │
          ┌───────────────┼───────────────┐
          │               │               │
    ┌─────▼─────┐   ┌─────▼─────┐   ┌─────▼─────┐
    │ API Node  │   │ API Node  │   │ API Node  │
    │    #1     │   │    #2     │   │    #3     │
    └─────┬─────┘   └─────┬─────┘   └─────┬─────┘
          │               │               │
          └───────────────┼───────────────┘
                          │
┌─────────────────────────┼───────────────────────────┐
│              Internal Network (VPC)                 │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐ │
│  │  PostgreSQL │  │    Redis    │  │   BullMQ    │ │
│  │  (Primary)  │  │   (Cache)   │  │   (Jobs)    │ │
│  └─────────────┘  └─────────────┘  └─────────────┘ │
└─────────────────────────────────────────────────────┘

Server Security

Isolated VPC: Database not accessible from internet
Firewall rules: Whitelist-only access
Encrypted storage: All disks encrypted at rest
Regular patching: Automated security updates

Access Control

MFA required: All team members use 2FA
Audit logging: All admin actions logged
Principle of least privilege: Minimal access by default
IP allowlisting: Admin access from approved IPs only

Application Security

Authentication

JWT tokens: Short-lived (15 min) with refresh tokens
Secure cookies: HttpOnly, Secure, SameSite=Strict
Password hashing: bcrypt with cost factor 12
IP verification: New IPs require email verification

Rate Limiting

Resource	Limit	Window
API requests	100/min	Per IP
Auth attempts	5/min	Per IP
Password reset	3/hour	Per email
Account creation	5/day	Per IP

Input Validation

Zod schemas: All input validated server-side
Parameterized queries: No SQL injection possible
Content-type validation: Strict MIME type checking
Size limits: Request body max 10MB

Data Protection

What We Store

Data	Encrypted	Retention
API keys	✅ AES-256	Until deleted
Passwords	✅ bcrypt	Until deleted
Request logs	✅	30 days
Analytics	❌	Aggregated only
PII (email)	❌	Until deleted

What We Never Store

❌ Plain-text API keys
❌ Full request/response bodies
❌ Credit card numbers (Stripe handles)
❌ Biometric data

Data Deletion

Soft-delete with 30-day grace period
Hard-delete from all backups after 90 days
GDPR-compliant data export available

Compliance & Certifications

Current Compliance

GDPR: Full compliance for EU users
CCPA: California privacy rights
SOC 2 Type II: In progress
ISO 27001: Planned

Security Practices

Annual penetration testing
Quarterly vulnerability scans
Bug bounty program (coming soon)
Security incident response plan

Secure Development Practices

Code Security

Dependency scanning: Automated vulnerability detection
Code review: All changes peer-reviewed
Static analysis: ESLint security plugins
Secret scanning: Pre-commit hooks prevent credential leaks

CI/CD Security

Signed commits: GPG-signed releases
Protected branches: Main branch protected
Automated tests: Security tests in CI pipeline
Deployment approval: Manual approval for production

Incident Response

If You Suspect a Breach

Rotate your secrets

Immediately rotate all API keys in the dashboard under Services → Manage → Rotate Secret.

Check audit logs

Review the Analytics section for unusual activity patterns.

Contact us

Email [email protected] with details. We respond within 1 hour for security issues.

Enable additional protection

Consider enabling stricter attestation settings or IP allowlisting.

Our Commitment

24-hour notification: We notify affected users within 24 hours of confirmed breach
Transparent communication: Full disclosure of what happened
Free remediation: No charge for breach-related support

Security Best Practices

For Your App

⚠️

Even with ProtectMyAPI, follow these security practices in your app.

Keep SDKs updated: We patch security issues quickly
Use certificate pinning: Enabled by default in our SDKs
Enable all attestation checks: Don’t disable for production
Monitor your analytics: Watch for unusual patterns
Rotate secrets regularly: At least every 90 days

For Your Team

Use strong passwords: 16+ characters, unique per account
Enable MFA: Required for all team members
Limit admin access: Only necessary people
Review audit logs: Monthly at minimum

Security Contact

Report vulnerabilities: [email protected]

PGP Key: Available on request for encrypted communication

We take all security reports seriously and respond within 24 hours.

⚠️ Error Codes 🔒 Privacy & Compliance