Security Architecture

Understanding the carrier-grade authentication infrastructure.

Cloud Infrastructure

[Architecture diagram] Client & Server SDKs connect through Apigee to the Glide backend, which is deployed on both Google Cloud and AWS. Each cloud has a US Region and an EU Region; each region spans two zones (availability zones on AWS), and each zone runs a Kubernetes (K8s) cluster with Redis. The backend connects onward to the Telco Carriers.

Key Security Principles

1. Hardware-Isolated Authentication

Authentication relies on the SIM and the device's secure enclave (or trusted execution environment), which operate in isolated memory and CPU space separate from the application layer. This hardware-level isolation means applications cannot access or tamper with the authentication credentials. All authorization, session creation, and validation occur server-side.

2. OAuth-Style Authorization Flow

Partners receive client_id and client_secret credentials that are exchanged for short-lived, scoped access tokens. Access tokens are issued by Glide, not generated or stored on the client.

3. Cryptographically Bound Sessions

Temporary encrypted artifacts are generated by the carrier's TS.43 service using Glide-provided keys. These can only be decrypted by Glide's backend and are bound to a specific session and context.

Why Common Attacks Fail

Attack Vector | Why It Fails
Copy client-side data | Cannot be decrypted by a third party
Replay session | Cannot establish a new session: tokens are single-use. Replay protection is also enforced at the underlying protocol level.
Bypass validation | Backend-issued session validation is required
Phone number spoofing | SIM-level authentication (EAP-AKA) authenticates the physical SIM, not a client-supplied number
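To make the session-binding and single-use properties from section 3 and the table above concrete, here is a constructed model (not Glide's code or the carrier's TS.43 service): the real artifact is encrypted, while this model authenticates it with HMAC-SHA256 under a backend-held key, binds it to a session id and context string, and keeps a nonce store so each artifact can be redeemed once. Function names, the key, and the subscriber value are all assumptions for illustration.

```python
"""Model of session-bound, single-use auth artifacts (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets

BACKEND_KEY = secrets.token_bytes(32)  # constructed; held only by the backend
_redeemed: set = set()                 # nonce store: one redemption per artifact


def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_artifact(key: bytes, session_id: str, context: str, subscriber: str) -> str:
    """Carrier-side issuance (hypothetical): the artifact carries the verified
    subscriber identity and is bound to one session and one context."""
    body = {"sid": session_id, "ctx": context, "sub": subscriber,
            "nonce": secrets.token_hex(16)}
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _tag(key, payload)).decode()


def redeem_artifact(key: bytes, artifact: str, session_id: str, context: str):
    """Backend-side validation. Returns (subscriber, status). The subscriber
    identity comes from the artifact, never from what the client claims."""
    raw = base64.urlsafe_b64decode(artifact)
    payload, tag = raw[:-32], raw[-32:]
    # A copy made without the backend key cannot be forged or altered.
    if not hmac.compare_digest(tag, _tag(key, payload)):
        return None, "bad_key_or_tampered"
    body = json.loads(payload)
    # Data copied from another session or flow fails the binding check.
    if body["sid"] != session_id or body["ctx"] != context:
        return None, "context_mismatch"
    # Presenting the same artifact twice is a replay.
    if body["nonce"] in _redeemed:
        return None, "replay"
    _redeemed.add(body["nonce"])
    return body["sub"], "ok"
```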