Security Assurance Through Certifications and Penetration Tests

Daniel Wong, Head of Product Security

Here at V-Key, we like to tell people that V-OS is the world’s first virtual secure element. It is patented, and is the best of a new breed of solutions designed to enable and secure a digital world where the mobile phone is often the primary interactive channel. Call it what you will – military, government, banking grade – we aspire to the highest grade of security for all our customers. In fact, V-OS has been architected and designed to minimally meet FIPS 140-2 Level 3 requirements.

However, claims remain as claims until they are independently certified or tested. It was this mindset that led us to embark on a series of certifications and penetration tests to provide the security assurance that our customers may need.

Since 2014, our product suite has been accredited by the Info-communications Media Development Authority of Singapore (IMDA) under the Accreditation@IMDA scheme. Besides performing security and functionality tests and source code scanning, the accreditation process also involved the evaluation of our financial sustainability and the ability of our operations team and processes to support the product. For buyers from Singapore government agencies and large enterprises, the accreditation process provides an independent third-party evaluation of the security and reliability of our claimed product core functionalities and our ability to deliver.

In 2016, we obtained FIPS 140-2 Level 1 certification. This ensures not only the correctness of the cryptographic algorithms implemented but also design assurance that the cryptographic module is properly tested, configured, delivered, installed, developed and documented. This is the highest certification available without a separate Common Criteria certification. We are in the process of working with an evaluator to validate V-OS against FIPS 140-2 Level 3 requirements and Common Criteria requirements of the General Purpose Operating System Protection Profile. This is expected to be completed by the middle of this year. To give even more assurance to our customers, we also intend to evaluate V-OS against the more stringent requirements of CC EAL 4+ by defining the world’s first Protection Profile for Virtual Secure Elements.

On a separate track, we have also subjected V-OS to multiple penetration tests by Ant Financial (Alipay) in China, the Singapore Government in Singapore, and renowned penetration testers engaged by banks and partners worldwide. All these tests prove that attackers are unable to reverse engineer or break into V-OS to extract the keys or misuse its functions even after 2-3 weeks for each test, while some of our competitors had their software tokens broken into within a few days. In addition, the Chinese WooYun security team (comprising 15 top security experts) spent 30 days performing a comprehensive security penetration test against the combined V-Tap solution – we were awarded a full 5-star security rating. V-OS protections are layered like an onion. While some of the stronger penetration testers were able to bypass some of our protection mechanisms, none were able to even get near to extracting any protected secrets within the app, or to clone the app to run on a different device. As most of the penetration tests were commissioned by our customers, the penetration test reports cannot be shared. However, we are always open to working with any penetration tester engaged by clients to test our product.

At V-Key, we are continuously trying to attain higher levels of security assurance for our products, so as to give our customers peace of mind. Besides subjecting our products to formal certifications such as Accreditation@IMDA, FIPS 140-2, and Common Criteria, we also engage renowned penetration testing teams to test our products. These activities lead us to continuously refine the security of our products to be always ahead of adversaries.