Kyro Security

Secrets management

• All secrets in .env files
• .env must be in .gitignore — verify before every commit
• flutter_secure_storage for client-side secrets (uses Android Keystore)
• No hardcoded UUIDs, keys, or addresses in any source file

Network security (Flutter)

<!-- network_security_config.xml — no cleartext except localhost -->
<base-config cleartextTrafficPermitted="false"/>

Android permissions audit

VPN apps need these — no more:

• INTERNET ✓
• FOREGROUND_SERVICE ✓
• BIND_VPN_SERVICE ✓
• RECEIVE_BOOT_COMPLETED ✓ (auto-connect on boot)
• No: READ_CONTACTS, ACCESS_FINE_LOCATION, CAMERA

Go backend security

• Rate limit ALL endpoints (gin-contrib/limiter)
• Validate ALL inputs before processing
• Parameterised SQL — never string concatenation
• No user PII stored — anonymous device IDs only
• HTTPS only in production (Cloudflare handles this)

Pre-commit checklist

• No private keys in any .go or .dart file
• No .env files tracked by git
• No hardcoded server addresses in client code
• .gitignore covers: .env, *.key, *.jks, key.properties, wg0.conf
• flutter analyze clean
• go vet clean
• No fmt.Println in production Go code (use zerolog)
• All error paths handled (no silent failures)

DNS + IPv6 leak prevention

WireGuard client config must always include:

DNS = 1.1.1.1, 1.0.0.1
AllowedIPs = 0.0.0.0/0, ::/0

Missing ::/0 → IPv6 traffic bypasses tunnel → real IP leaks to sites.

ProGuard (Android release builds)

-keep class com.wireguard.** { *; }
-keep class org.amnezia.** { *; }
-keep class io.flutter.** { *; }