Chief Technology Officer
At SwissBorg, the security of our community’s wealth and data is our top priority. This is why we asked one of Switzerland’s most reputable information security providers to run penetration tests on the SwissBorg app.
We decided to check the health of our app with this test, which is much like the stress test in a medical check-up. A team of experienced auditors was tasked with finding weaknesses in our security, and after their eight-day audit they concluded that “the SwissBorg mobile applications have a high security level”.
Read the full report here.
SwissBorg's approach to security
The SwissBorg app leverages a capability of modern smartphones: a cryptographic private key is generated inside the phone's secure enclave, the hardware-isolated key store, and never leaves it. The app can use that key to sign requests, but the key itself cannot be read out of the device, not even by the app or by another app on the same phone. This ties access to the physical device, which gives us stronger security than traditional apps or web apps, where the only secret is a password that can be phished or reused.
A common question we get relating to security is about two-factor authentication (2FA). Many of us have a 2FA app (eg: Google Authenticator) on the same phone as the one we use for the SwissBorg app. Because the SwissBorg key is already bound to the phone, an attacker cannot log in remotely with a stolen password alone; the realistic attacker is one who has gained access to the phone and the passcode required to unlock it. That attacker would also be able to open the user's 2FA app and read the code. In that situation, all adding 2FA would achieve is a false sense of security for our users, rather than making the app more secure.
We'll consider adding a 2FA capability in the future for advanced users who would use two phones or a special app like 1Password, but we'll first work on improving the security for everyone.
Penetration test results
Penetration testing, also known as pen testing, is a simulated cyber attack on a system to check for vulnerabilities. For the SwissBorg app, the auditors were testing how easy it would be for attackers to abuse our users' accounts.
The auditors performed eight days of penetration tests on both the iOS and Android versions of the SwissBorg app.
We are proud to share that the SwissBorg app passed the penetration tests with flying colours! No high or critical vulnerabilities were found, and the auditors concluded that on protected devices (meaning, devices protected with a passcode or TouchID) none of the main attack objectives could be achieved.
For the more technically minded, these objectives included:
- Executing arbitrary code within the app
- Accessing/modifying files within the app from another app
- Executing arbitrary commands on the back-end
- Hijacking application execution flows
- Bypassing local authentication and accessing a user’s account
- Extracting sensitive information on a compromised smartphone
Four minor vulnerabilities were found, two of which our tech team has already addressed.
The remaining two vulnerabilities only apply when an attacker has unrestricted access to a user's phone (meaning, they have physically taken the phone and bypassed the device's security). With this in mind, it is highly unlikely that they will be exploited. However, as part of our commitment to ensure our app is as secure as possible, our engineering team will be addressing these vulnerabilities by adding server-side validation of PINs: the PIN check will be made on our servers rather than only on the device, so that an attacker who fully controls the phone can neither tamper with the local check nor guess the PIN without limit.
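What server-side PIN validation buys in practice, as an added example: this is not SwissBorg's code, and the backend data model, the lockout numbers and the handling of the server secret ("pepper") are assumptions made for illustration. It contrasts the weak pattern, an unkeyed PIN hash stored on the device that an attacker with unrestricted access can brute-force offline in a fraction of a second, with a check performed on the server using a secret the phone never sees and a per-account attempt limit with escalating lockout.

```python
"""Server-side PIN validation with per-account attempt limiting.

Added example, not SwissBorg code. Assumes a hypothetical backend that
stores, per account, a random salt and an HMAC of the PIN keyed with a
server-held secret that never reaches the phone.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_ATTEMPTS = 5           # assumption: failures before the first lockout
LOCKOUT_SECONDS = 15 * 60  # assumption: first lockout length; doubles each time

# Assumption: in a real deployment this is loaded from a KMS or secret store.
# Generated at import time here so the example runs stand-alone.
SERVER_PEPPER = secrets.token_bytes(32)


@dataclass
class PinRecord:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def _digest(salt: bytes, pin: str) -> bytes:
    # Keyed with the server pepper: a stolen record cannot be brute-forced
    # offline without it. This matters because a 4-8 digit PIN has far too
    # little entropy for salting and hashing alone to slow an attacker down.
    return hmac.new(SERVER_PEPPER, salt + pin.encode(), hashlib.sha256).digest()


def enroll_pin(pin: str) -> PinRecord:
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4-8 digits")
    salt = secrets.token_bytes(16)
    return PinRecord(salt=salt, digest=_digest(salt, pin))


def verify_pin(record: PinRecord, pin: str, now: Optional[float] = None) -> bool:
    """True only if the PIN matches and the account is not locked.

    The decision is made on the server; the phone only learns the boolean,
    so patching or hooking the app cannot turn a failure into a success.
    """
    now = time.time() if now is None else now
    if now < record.locked_until:
        return False  # locked: the guess is not even evaluated
    if hmac.compare_digest(_digest(record.salt, pin), record.digest):
        record.failed_attempts = 0
        return True
    record.failed_attempts += 1
    if record.failed_attempts >= MAX_ATTEMPTS:
        # Escalating lockout: 15 min, then 30, then 60, ...
        factor = 2 ** (record.failed_attempts - MAX_ATTEMPTS)
        record.locked_until = now + LOCKOUT_SECONDS * factor
    return False


def local_pin_digest(salt: bytes, pin: str) -> bytes:
    """The weak pattern: an unkeyed hash kept on the device itself."""
    return hashlib.sha256(salt + pin.encode()).digest()


def offline_brute_force(salt: bytes, digest: bytes, length: int = 4) -> Optional[str]:
    """An attacker with unrestricted device access reads the local record
    and tries every PIN offline; 10**4 candidates take a few milliseconds."""
    for n in range(10 ** length):
        candidate = f"{n:0{length}d}"
        if hmac.compare_digest(local_pin_digest(salt, candidate), digest):
            return candidate
    return None


def online_guess_attack(record: PinRecord, length: int = 4,
                        now: float = 0.0) -> Tuple[Optional[str], int]:
    """The same exhaustive attack against the server-side check. Returns
    (recovered PIN or None, guesses made) and stops once locked out."""
    tried = 0
    for n in range(10 ** length):
        candidate = f"{n:0{length}d}"
        tried += 1
        if verify_pin(record, candidate, now=now):
            return candidate, tried
        if now < record.locked_until:
            return None, tried
    return None, tried
```

The design choice worth noting: with a PIN, the hashing algorithm is almost beside the point because the search space is tiny; what makes the check hold up is that the secret needed to evaluate a guess stays on the server and that every guess costs the attacker an attempt against an account that locks.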
How users can improve their security
While the SwissBorg app was found to be highly secure, there are several steps users can take to increase the security of their wealth and data. These include:
- Secure your device with a passcode or TouchID to prevent unauthorised access to your apps. The auditors' findings only applied to devices without this protection.
- Don't click on links in emails from anybody you don't trust. Also, double-check the sender's actual email address, not just the display name, which is easy to forge, to make sure the email is really coming from whom it says it's from.
- Never share your personal information. When you are contacted by someone, whether over the phone, by email or on social media, do not provide them with your Private Key, Recovery Phrase, banking and credit card information, your birthdate, or Social Security/Social Insurance numbers.
- If you are contacted by someone with an offer that sounds too good to be true, it probably is. If you are pressured to act immediately, take the time to discuss the opportunity with a family member, friend, or financial advisor.