Psylo 1.0 System Architecture

This is the first in a series of posts covering technical aspects of Psylo. Here, we’ll explore the overall system architecture, including subscriptions, authorization, and integration with the Mysk Private Proxy Network, and highlight the trade-offs and future improvements identified in this initial 1.0 release.

Since Psylo isn’t currently open source, transparency is crucial to earn our users’ trust. We’re always ready to answer your questions and provide more details via X, Mastodon, and Bluesky.

Overview

Psylo 1.0 Architecture Diagram

Psylo is a privacy-focused web browser for iOS and iPadOS. Each browser tab, known as a silo, provides isolated storage, cookies, and even a unique IP address through integration with the Mysk Private Proxy Network. When browsing, traffic from each silo is securely tunneled through one of over 40 proxy servers within this network, which further routes traffic through Proton VPN exit nodes via WireGuard.

Subscribing through the App Store

Psylo is offered as a subscription using Apple’s In-App Subscription system. A key goal for Psylo is maintaining complete user anonymity — we never want to know the identities of our users. Thus, users aren’t required to create accounts or provide any personally identifiable information (PII), such as names, emails, or phone numbers. Instead, Psylo leverages Apple’s subscription infrastructure, which does not share any PII with developers, keeping user identities anonymous to us.

Here’s how subscribing works:

  1. Subscription Purchase: Users subscribe within the Psylo app using Apple’s system. The app generates a random subscription ID, sent as an “App Account Token” alongside the transaction. (Note: If you already see a concern here, we address it later in this post.)

  2. Signed App Store Transaction Object: Apple issues a signed transaction object containing no PII, meaning we can’t trace subscription IDs back to individual users.

  3. Transaction Validation: The Psylo app forwards this transaction object to Psylo Server, our Swift-based backend responsible for subscription validation, authorization, bandwidth tracking, and other critical aspects of the system (more details in future posts).

  4. Issuing Access Tokens: After validating and storing the transaction, Psylo Server returns a signed access token to the Psylo app.

  5. Proxy Connection: Using this access token, the Psylo app establishes secure HTTPS tunnels from each silo to the Mysk Private Proxy Network.

Mysk Private Proxy Network

Central to Psylo’s design is the Mysk Private Proxy Network, currently comprising over 40 servers. Each silo can be configured to independently connect to any of the servers distributed globally in the following countries:

  • Canada
  • Germany
  • United States
  • United Kingdom
  • Japan
  • Australia
  • Brazil

Cloud Providers

Our infrastructure is built on servers and virtual machines from DigitalOcean, Hetzner, and Vultr. Each instance runs software which we fully control, and we’ve avoided managed services such as managed databases.

Proxy Servers

Each node hosts an HTTPS proxy server routing HTTPS traffic between silos and destination websites via a Proton VPN exit node. Proxy servers cannot inspect the contents of HTTPS traffic, although they do see destination hostnames. Our strict no-log policy ensures no host or IP data is logged or stored. Network requests remain in memory, never cached or persisted.
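Steps 4 and 5 of the subscription flow and the proxy behaviour described above, as an added example that is not Psylo's code. The page does not specify the token format or the proxy protocol, so this example assumes an HMAC-SHA256 signed token, an HTTP CONNECT tunnel and a `Proxy-Authorization: Bearer` header; the key and all function names are hypothetical. It shows what such a proxy can learn from a request: the destination host and port and the random subscription ID, nothing else.

```python
import base64, hashlib, hmac, json, uuid

KEY = b"constructed-demo-key"  # assumption: secret shared by server and proxies

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(body: str, key: bytes) -> str:
    return b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_token(subscription_id, ttl, now, key=KEY):
    """Server side (step 4): the token holds only the random ID and an expiry."""
    claims = {"sub": subscription_id, "exp": int(now) + ttl}
    body = b64(json.dumps(claims).encode())
    return f"{body}.{sign(body, key)}"

def verify_token(token, now, key=KEY):
    """Proxy side: return the subscription ID, or None if forged or expired."""
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig.encode(), sign(body, key).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims["sub"] if claims["exp"] > now else None

def handle_connect(request: bytes, now, key=KEY):
    """Step 5: everything the proxy sees is in the request head parsed here."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return 405, None  # only tunnels are served, never plain proxied URLs
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdecimal():
        return 400, None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    sub = verify_token(token, now, key) if scheme.lower() == "bearer" else None
    if sub is None:
        return 407, None  # Proxy Authentication Required
    # After this point the proxy relays TLS bytes it cannot read.
    return 200, {"host": host, "port": int(port), "sub": sub}

if __name__ == "__main__":
    sid = str(uuid.uuid4())  # step 1: random subscription ID (constructed here)
    tok = issue_token(sid, 3600, 1_700_000_000)
    req = f"CONNECT example.com:443 HTTP/1.1\r\nProxy-Authorization: Bearer {tok}\r\n\r\n"
    print(handle_connect(req.encode(), 1_700_000_000))
```
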

DNS Filtering

DNS requests pass through the Mysk Private Proxy Network using Cloudflare’s 1.1.1.1 DNS resolver, rather than through the Psylo app. This approach has two primary benefits:

  1. DNS requests are invisible to ISPs or local network monitors. (iOS apps cannot configure custom DNS settings.)
  2. Known tracking domains are filtered out, preventing websites using tracking scripts from receiving network requests from Psylo users.

Cloudflare’s DNS resolver doesn’t mine or sell data, though this has little effect here as DNS requests cannot be traced back to any subscriber IDs.
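One way a proxy-side resolver could filter tracking domains before forwarding to an upstream resolver, as an added example that is not Psylo's code. The blocklist entries, the `upstream` callable and all function names are constructed for illustration; matching is done on whole DNS labels so that a listed domain covers its subdomains without catching unrelated names that merely end in the same characters.

```python
# Constructed blocklist; a real deployment would load a maintained list.
BLOCKLIST = {"tracker.example", "ads.cdn.example"}

def normalize(name: str) -> str:
    """Lowercase and drop the root dot so 'Ads.Example.' equals 'ads.example'."""
    return name.strip().rstrip(".").lower()

def blocked_by(name: str, blocklist=BLOCKLIST):
    """Return the blocklist entry covering `name`, or None.

    Walks from the full name up through each parent domain, comparing
    complete labels only: 'pixel.tracker.example' is covered by
    'tracker.example', while 'nottracker.example' is not.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def resolve_filtered(name: str, blocklist, upstream):
    """Answer blocked names with no records; forward the rest upstream.

    `upstream` is any callable taking a hostname and returning a list of
    addresses (assumption: it stands in for the query to the real resolver).
    """
    if blocked_by(name, blocklist) is not None:
        return []  # no address returned, so no request reaches the tracker
    return upstream(normalize(name))

if __name__ == "__main__":
    fake_upstream = lambda host: ["192.0.2.10"]  # constructed answer
    for q in ("Pixel.Tracker.Example.", "nottracker.example", "news.example"):
        print(q, "->", resolve_filtered(q, BLOCKLIST, fake_upstream))
```
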

Proton VPN Exit Nodes

We’re excited to reveal that we’re currently working with Proton VPN to provide VPN connections for each proxy server. Websites accessed via Psylo only see Proton VPN IP addresses, and Psylo users enjoy many of the benefits provided by Proton VPN.

A key benefit of using Proton VPN as our network’s exit nodes is “clean” IP addresses. Since our proxy servers are hosted by cloud providers, many popular websites—such as Reddit and YouTube—typically block or restrict traffic originating from datacenter IPs. By routing traffic through Proton VPN exit nodes, we’ve successfully restored reliable access to these websites. We plan to continue our collaboration with Proton VPN as we scale our service.

No-Logs, Bandwidth Reporting

The Mysk Private Proxy Network strictly adheres to a no-log policy. We do not log any personally identifiable information, IP addresses, browsing history, or DNS requests. Bandwidth usage is monitored solely for quality assurance and abuse prevention. To further enhance privacy, all reported bandwidth is rounded down to the nearest 50 MB increment, minimizing the granularity of information contained in usage reports.

Trade-offs and Future Improvements

For Psylo 1.0, we’ve had to make many technical decisions to balance usability, privacy, and technical feasibility. Below, we address the two main trade-offs we’ve identified in this initial release:

Sharing Subscription ID with Apple

A notable trade-off involves the randomized subscription ID and sharing it with Apple. Although not ideal, we believed this was an acceptable trade-off for the following reasons:

  • Users can easily share Psylo subscriptions across multiple devices linked to one Apple account or restore subscriptions seamlessly after app reinstalls. Psylo automatically restores subscriptions without additional authentication.
  • Even in scenarios involving data breaches or court orders compelling disclosure, information would remain limited to approximate bandwidth usage (rounded to the nearest 50 MB).

In the future, we aim to eliminate sharing subscription IDs with Apple entirely by introducing a “subscription restore token” system, where users securely store tokens in their preferred password managers. This approach would place more burden on users, but would eliminate the need to share the randomized subscription ID with anyone, including Apple.

Bandwidth Caps

As highlighted in our announcement post, Psylo sets a conservative 50 GB/month bandwidth cap per user to safeguard network integrity from potential abuse. However, we intend to increase or eliminate these limits entirely as we get a better understanding of how our system performs in production. Our long-term goal is to remove bandwidth caps and eliminate bandwidth tracking completely.

Questions? Comments?

We hope this provided insight into Psylo and the Mysk Private Proxy Network. If you’d like to learn more or have more questions, reach out to us via our social media.

Download Psylo Today!

Psylo is available for iOS and iPadOS through monthly or annual subscriptions, with a free 7-day trial offering full access to all features. Use the discount code PSYLOPARTY for 30% off your annual subscription.
