Our safety features at a glance
Simple Login Experience
When using the Tapkey app, our users have the choice between username/password-based login and well-established virtual identities like the Google account or Apple ID, giving them all the world-class protection already built into these technologies.
Delegated Authentication
When integrating our patented technology into custom apps, customers can connect their own standards-based OAuth identity providers with Tapkey. Thus they can offer all the security and flexibility they need.
Tapkey Lock Control Protocol
Tapkey is reviewed and continuously improved by trusted experts. The Tapkey Lock Control Protocol is our application layer protocol used for communication between locks and external devices, like smartphones or NFC transponders.
Protected, Digital Keys
Individual keys for each device, no reuse of keys, limited validity and extensive revocation mechanisms: that’s what we do to keep your keys secure.
Stable & Scalable Backend Infrastructure
Our highly scalable cloud infrastructure is hosted in European data centers with high security standards. We are continually implementing state-of-the-art protection measures against attacks and have monitoring in place for early detection of problems.
How we protect your data
Tapkey boasts several layers of security. We’re using SSL/TLS encryption protocols for data transfer, while permissions are stored in the Tapkey Trust Service to ensure utmost security.
Tapkey and Security at a Glance
Always Up-to-Date
Although we try to build a high-quality and secure product, we know that nothing is perfect. If you find a security problem in one of our products, please let us know! We follow a responsible disclosure policy. Hence, we like to work together with external security researchers who have found flaws in our products to resolve them and publish information about the vulnerabilities to protect our customers. If you want to report a vulnerability, please contact us at security@tapkey.com.
Tapkey’s production systems are not affected by CVE-2021-44228.
CVE-2021-44228 is related to a critical vulnerability of Apache’s Log4j logging component that could allow attackers to execute arbitrary code on affected systems.
Tapkey’s production systems are not affected by CVE-2021-44228. The Tapkey Trust Service doesn’t use Log4j in any way and therefore isn’t affected by the vulnerability. The Tapkey Mobile SDK and the Tapkey App do use the Java language but don’t use Log4j. Moreover, the targeted operating systems (Android and iOS) don’t support JNDI, which would be required to exploit the vulnerability. The Tapkey Lock SDK isn’t affected, because it doesn’t use Log4j or the JVM in any way.
That said, we did identify one non-production component that references a vulnerable version of Log4j. We host some example code for Java developers on GitHub, which can be found here. The code uses spring-boot in a version that references a vulnerable version of Log4j. This sample code isn’t directly affected by the vulnerability by default, because even though it references Log4j, it is not configured to use it. However, we updated the sample to make sure a fixed version of Log4j is being referenced. Customers who use our Java example code as a basis for their own components are advised to update their code accordingly.
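For customers who built on the Java sample, one way to check a derived project is to scan its Maven dependency tree for log4j-core versions in the range affected by CVE-2021-44228. The script below is an added example, not Tapkey's code: the function names and the sample tree are constructed for illustration, and the version ranges (affected from the 2.0 pre-releases through 2.14.1, fixed in 2.15.0 and in the 2.12.2 and 2.3.1 backports) are taken from the Apache Log4j advisory, not from this page. It checks this CVE only.

```python
import re

# Constructed `mvn dependency:tree` output for illustration; it is not taken
# from Tapkey's sample repository.
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-logging:jar:2.5.6:compile
[INFO] |     \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |        \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- com.example:tools:jar:1.0:test
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""

COORD = re.compile(r"org\.apache\.logging\.log4j:(log4j-[\w-]+):jar:([^:\s]+):(\w+)")
VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def is_affected(version):
    """True if a log4j-core version is in the CVE-2021-44228 affected range."""
    m = VERSION.match(version)
    if not m or m.group(1) != "2":
        return False  # Log4j 1.x is a separate code base, out of scope here
    minor, patch = int(m.group(2)), int(m.group(3) or 0)
    if minor >= 15:
        return False  # 2.15.0 is the first mainline release with the fix
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False  # 2.12.2+ and 2.3.1+ are the Java 7 / Java 6 backports
    return True  # 2.0 pre-releases are flagged conservatively


def find_affected(tree_text):
    """Return (artifact, version, scope) for every affected log4j-core entry."""
    hits = []
    for artifact, version, scope in COORD.findall(tree_text):
        # Only log4j-core carries the JNDI lookup code; log4j-api and
        # log4j-to-slf4j on their own are not exploitable via this CVE.
        if artifact == "log4j-core" and is_affected(version):
            hits.append((artifact, version, scope))
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_TREE):
        print("affected:", ":".join(hit))
```

To use it on a real project, pass the text produced by `mvn dependency:tree` to `find_affected` in place of the sample.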
Our constant commitment to maintain the highest security levels for our systems is in our company’s DNA and at the heart of everything we do. We’re therefore particularly delighted that this has also been recognised by external experts. Tapkey is officially SySS Security Approved!
We at Tapkey are often asked by our customers whether Tapkey is affected by the demonstrated kinds of attacks on the Bluetooth technology standard. The short answer: It is not and has never been.