Security concerns

Communication and storage

All communication between your application and UNLOQ as well as the communication between your user's devices and UNLOQ uses and enforces TLS. On top of TLS, communication between your user's devices and UNLOQ servers is fully encrypted with AES-256, and uses RSA-2048 for the key exchange mechanism at pairing time.

The UNLOQ app installed on all your user's device will periodically change its authorisation keys and invalidate all previous used keys, to minimize key sniffing. All data stored on the UNLOQ mobile app and any of your custom mobile app is always stored in an encrypted state (using AES-256), while the encryption key is dynamically constructed on application startup, based on a derivative state of the user's PIN number.

Chunks of the user's personal encryption key is stored in an encrypted state, while not even us have access to the raw text of the key.

Our back-end hosting

UNLOQ uses a combination of cloud hosting providers, including Amazon Web Services, Google Cloud Platform and Bahnhof. Our partners are ISO 27001 certified and highlight security concerns. Communication between all our micro-services and storage solutions use TLS. Access to compute resources is restricted to authorised personnel only.