22. March 2019

Why the neon app is a fortress

When it comes to money, security is key. That’s why we had an extensive security test carried out on neon at the end of February. We contracted an external company to try to break into neon the way a hacker would. And before you worry about the result: the testers were not able to get their hands on your money, and they could not get at your data either.

(Incidentally: do you want to know more about phishing, how it works, what we do for you and how you can protect yourself? Then take a look here. Or would you like to know more about two-factor authentication and deposit protection? You can read more about these topics here.)

First, let’s go back a few steps:

How does this kind of security test even work?

A penetration test (pentest for short) replicates what a real attacker would do. It is much more than an automated scan: experts attempt to take apart the neon app and get at information. They try to move money out of an account, find sensitive data, or use their own valid login to reach another customer’s account and read its data. The test ran in two phases: a black-box phase followed by a grey-box phase. After that, the back-end was analysed in a white-box phase, which covers all the technical scaffolding behind the app that you as the user never see.

Phase 1: black-box process

This phase matters to you because it comes closest to what an outsider can do with nothing but the app itself, for example someone who picks up a lost or stolen phone. The testers take the app apart and analyse it the way an external attacker would, searching for vulnerabilities they can exploit in the web services, the authentication system or the server configuration itself. If they get nowhere, i.e. they cannot break into the app, the test moves on to the second phase.

Phase 2: grey-box process

In this scenario we give the testers a little more to work with: the basics of how the app is built, for example, or a list of all available endpoints (the addresses the app talks to in order to send and receive data). With that knowledge they try again to get at data or money.

In both the black-box and grey-box phases the testers try to reach money or data at a range of points: they look at communication channels, open ports, protocols, encryption, authentication and more. In a further step they reverse-engineer the app, i.e. reconstruct its code from the installed binary. This shows whether the app is protected against reverse engineering, whether it detects jailbroken devices and similar tampering, and whether there are weaknesses in the way it uses encryption that need to be fixed.
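One of the checks described above, the attempt to use a valid login to read another customer’s account, is a horizontal privilege escalation test (often called an IDOR probe). The following is an added example written for this post, not neon’s code: the account store, session tokens and handler names are hypothetical, and the two customers and their balances are constructed. It shows a handler that only checks that the caller is logged in next to one that also checks ownership, and a small probe that walks candidate account numbers with a single login, which is what a grey-box tester does once given the endpoint list.

```python
"""Horizontal privilege escalation (IDOR) probe, vulnerable vs. fixed handler.

Added example, not neon's code. ACCOUNTS, SESSIONS, the handler names and
the account-number format are hypothetical; the sample data is constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data: two customers, each owning one account.
ACCOUNTS: Dict[str, dict] = {
    "CH93-0001": {"owner": "alice", "balance_chf": 1250},
    "CH93-0002": {"owner": "bob", "balance_chf": 9800},
}
SESSIONS: Dict[str, str] = {}  # session token -> username


def login(username: str) -> str:
    """Issue a random session token for a (hypothetical) already-authenticated user."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = username
    return token


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_account_vulnerable(token: str, account_id: str) -> Response:
    """Authenticates the caller but never checks that the account is theirs."""
    if token not in SESSIONS:
        return Response(401)
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return Response(404)
    return Response(200, acct)


def get_account_fixed(token: str, account_id: str) -> Response:
    """Authenticates the caller and enforces ownership of the requested account."""
    user = SESSIONS.get(token)
    if user is None:
        return Response(401)
    acct = ACCOUNTS.get(account_id)
    # Same 404 for "does not exist" and "not yours", so the endpoint does not
    # confirm which account numbers are valid to an attacker enumerating them.
    if acct is None or acct["owner"] != user:
        return Response(404)
    return Response(200, acct)


def probe(handler: Callable[[str, str], Response], token: str,
          candidate_ids: List[str]) -> List[str]:
    """Grey-box tester step: with one valid login, walk a list of account ids
    and return those that leak data belonging to a different user."""
    me = SESSIONS[token]
    leaked = []
    for account_id in candidate_ids:
        resp = handler(token, account_id)
        if resp.status == 200 and resp.body["owner"] != me:
            leaked.append(account_id)
    return leaked


if __name__ == "__main__":
    alice = login("alice")
    ids = [f"CH93-{n:04d}" for n in range(1, 5)]
    print("vulnerable handler leaks:", probe(get_account_vulnerable, alice, ids))
    print("fixed handler leaks:     ", probe(get_account_fixed, alice, ids))
```

Run as a script it reports that the vulnerable handler hands Alice’s session Bob’s account while the fixed one returns nothing foreign. The point of the probe is that a pentester does not need to break the login at all: one legitimate session plus a guessable identifier is enough if the server only checks authentication and forgets authorization.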

Phase 3: white-box analysis of the back-end

The experts also examine the entire back-end infrastructure. For this we use a white-box approach, meaning we show them the technical infrastructure that runs all of neon’s operations. Don’t worry, the testers see no personal data. The focus is on how the whole thing is built.

The results

So what did we learn? In short, the testers were unable to break in anywhere: our infrastructure withstood this intensive test without any findings. And what does this mean for you? That neon is secure, and that we take the security of your money and your data seriously. The same goes for transparency: we want to use blog posts like this one to show what goes on behind the pretty face of the neon app, so you don’t just have to take our word for it but can understand and follow the processes yourself.

By the way, your money is also protected from a legal standpoint. Thanks to our partnership with Hypothekarbank Lenzburg, your account is subject to the same regulation (supervised by FINMA) as every other Swiss bank account. You also benefit from deposit protection of up to CHF 100,000, another way your money is kept safe!
