Tangem Mobile Wallet Passes Independent Security Audit by Cure53
We're proud to share the results of an independent security audit of the Tangem Mobile Wallet. The audit was carried out by Cure53, a Berlin-based security firm known for some of the most thorough software security reviews in the industry.
This is the latest in a series of independent audits Tangem has commissioned over the years, following earlier firmware reviews by Kudelski Security in 2018 and Riscure in 2023. Each audit examines a different aspect of what makes Tangem secure. This one focused on the new Tangem Mobile wallet.
What was tested
Cure53 reviewed the source code and security of the Tangem Android and iOS SDKs. An SDK, or Software Development Kit, is the underlying code that powers how the Tangem app works on your phone. It handles how the app communicates with your wallet card, how your keys are managed, and how cryptographic operations are performed.
The audit covered four areas:
- Security testing of the Android SDK
- Security testing of the iOS SDK
- Cryptography review of the Android SDK
- Cryptography review of the iOS SDK
Six senior security researchers from Cure53 worked on the project for 23 days. Tangem provided full access to source code, app builds, and technical documentation. This type of review is called a "white-box" audit, meaning the testers could see everything, not just what's visible from the outside.
What the audit revealed
Cure53 confirmed that the Tangem Mobile SDK meets the security requirements for a production-ready application. In plain terms, the app is safe to use.
Cure53 also noted that both the Android and iOS versions showed a consistent level of security quality. The two apps were built with clear attention to the security features each platform offers natively. That kind of consistency matters; it means security wasn't treated differently depending on which phone you use.
The auditors did offer one key recommendation: keep running audits regularly. As the app adds new features and the SDK grows, periodic reviews will be important to make sure nothing new introduces risk. We take that advice seriously.
Who is Cure53?
Cure53 is an independent IT security firm based in Berlin. They specialize in penetration testing, source code audits, and cryptography reviews. Their client list includes some of the most security-sensitive software in the world: browsers, password managers, VPN clients, and cryptographic tools used by millions of people. Their published audit reports are freely available, and their reputation in the security community is built on technical credibility rather than marketing.
Why auditing the Mobile Wallet matters
Most people think of Tangem crypto wallet security in terms of the physical device. But the app on your phone is just as important. It's the interface you use every day for both the Mobile and Hardware wallets, and it's also what your card or ring communicates with.
That's why auditing the mobile SDK is not optional for a wallet that takes security seriously. An independent review by a firm like Cure53 gives us something that internal testing alone cannot: a credible, outside opinion from people with no stake in the outcome.
What's next?
Tangem's hardware wallet firmware has now been audited twice by independent security firms. The mobile wallet has now been audited as well. As we build and improve the Tangem ecosystem, we will keep commissioning independent security reviews and publishing their results.
The full summary report from Cure53 is publicly available here.