KVProxy Security Overview

How KVProxy helps keep third-party API keys out of your mobile app, without forcing you to build and operate your own proxy backend.

What KVProxy is protecting

Most key leaks happen because API keys are shipped in a client (mobile app), where they can be extracted through reverse engineering, jailbroken devices, traffic interception, leaked logs, and similar routes. KVProxy’s core security goal is simple:

  • Your third-party API keys never live in the mobile app
  • Requests are authenticated from real devices before we’ll proxy anything
  • Secrets are encrypted at rest and handled with “least exposure” in our systems

1) DeviceCheck verification

DeviceCheck is an Apple service that lets an iOS device prove to a server that it’s a legitimate Apple device and app context, rather than a random script on the internet.

How KVProxy uses DeviceCheck

  • During client registration, the KVProxy client collects a DeviceCheck token from the device.
  • KVProxy validates that token using your Apple DeviceCheck credentials (the certificate you upload).
  • Only clients that pass this validation can be registered and issued a KVProxy identity (i.e., “this is a real client instance we recognize”).

Why this matters

This blocks a large class of abuse:

  • Bot registration (scripts trying to create “fake clients”)
  • Credential stuffing where attackers try to impersonate your app
  • Direct proxy abuse by non-app actors

DeviceCheck helps ensure requests originate from real app installs on real devices—not a malicious agent pretending to be your client.


2) Certificate pinning (MITM resistance)

TLS (Transport Layer Security) is the encryption layer used by HTTPS. A classic attack is MITM (Man-in-the-Middle), where an attacker intercepts traffic and tries to read or modify it.

How KVProxy uses certificate pinning

  • The KVProxy client is configured to only trust KVProxy endpoints that present KVProxy’s expected server certificate (or public key / certificate chain pin, depending on implementation).
  • If an interceptor on the network presents a different certificate, even one that would normally be “valid” under the device’s trust store, the KVProxy client refuses the connection.
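
A pin check of the kind described above, written as a URLSession delegate in Swift. This is an added example, not KVProxy's client code: the host name and fingerprint values are placeholders, and it assumes iOS 15 or later (for SecTrustCopyCertificateChain) and a leaf-certificate pin rather than a public-key pin.

```swift
import Foundation
import Security
import CryptoKit

/// Accepts a server only if (1) its chain passes the system's normal TLS
/// evaluation and (2) the leaf certificate's SHA-256 fingerprint is pinned.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Placeholders: lowercase hex SHA-256 of the DER-encoded leaf certificate.
    // Keep a backup pin so a certificate rotation does not lock clients out.
    private let pinnedFingerprints: Set<String> = [
        "<sha256-hex-of-current-leaf-certificate>",
        "<sha256-hex-of-backup-leaf-certificate>",
    ]
    private let pinnedHost = "proxy.example.com"  // hypothetical host name

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // This session talks to one host only; fail closed for anything else.
        guard space.host == pinnedHost else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 1: ordinary chain and host name validation against the trust store.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: the pin. A chain that is valid under the trust store but has
        // a different leaf (e.g. issued by an intercepting proxy's CA) fails here.
        let der = SecCertificateCopyData(leaf) as Data
        let fingerprint = SHA256.hash(data: der)
            .map { String(format: "%02x", $0) }.joined()
        if pinnedFingerprints.contains(fingerprint) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

The delegate takes effect when passed to URLSession(configuration:delegate:delegateQueue:) for the session that carries the pinned traffic.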

Why this matters (especially for registration)

Registration is the highest-value moment for an attacker, because it’s where they’d want to:

  • scrape/relay DeviceCheck tokens
  • impersonate a real device’s registration flow
  • bootstrap a long-lived access path

Plain-English takeaway: Certificate pinning makes it much harder for anyone “in the middle” (malicious Wi-Fi, corporate proxies, compromised networks) to spy on or manipulate your KVProxy registration traffic.


3) Encryption of secrets in our database (at-rest protection)

KVProxy stores a few extremely sensitive things:

  • Your DeviceCheck certificate (used to validate device tokens)
  • Your replacement keys (your third-party API keys and secrets)

What KVProxy does

  • Encryption at rest: sensitive materials are encrypted before being stored in the database.
  • Decryption only in memory: secrets are decrypted only to proxy a request or to display a secret in the dashboard during configuration.
  • No secret logging: secrets are not written to logs, analytics, or telemetry.

Why this matters

If someone got read access to the database (misconfiguration, compromised credential, snapshot exposure), encrypted secrets dramatically reduce the “instant reuse” blast radius.


4) What KVProxy does not claim to do

A credible security story includes boundaries.

  • KVProxy cannot stop a user from copy/pasting their own keys into unsafe places outside KVProxy.
  • KVProxy can’t fully protect a device that’s compromised at runtime (e.g., deeply instrumented malware on a rooted/jailbroken device). It can raise the cost and reduce scalable abuse.
  • KVProxy isn’t a general-purpose “proxy any huge file” system; it’s optimized for API-shaped requests, not bulk transfer.

Quick mental model

  • Your app never ships secrets (no keys in the app)
  • Real devices prove themselves (DeviceCheck)
  • Traffic can’t be easily intercepted (certificate pinning)
  • Secrets stay encrypted at rest

That’s the core KVProxy security posture.