Security

Privacy-First Architecture. Client-Side Security.

Core Security Principle

Your exchange API keys NEVER leave your mobile device. Our servers cannot and will never access your exchange credentials or execute trades/withdrawals on your behalf.

Client-Side Security Architecture

My Bitcoin DCA is built on a client-side security model where sensitive credentials never reach our servers. Here's how it works:

Step 1: Secure Storage on Device

Your exchange API keys are stored exclusively on your mobile device using Expo SecureStore (iOS Keychain / Android Keystore), which is hardware-backed on devices that provide a secure element or TEE.

Step 2: Static IP & Address Whitelist

You configure an IP whitelist on your exchange so that the API keys can only be used from your whitelisted IP address. Our servers are not on that list, so the exchange itself enforces a layer of protection independent of the app. This requires your device to reach the exchange from a fixed public IP (for example through a VPN with a static egress address), since a phone's carrier or Wi-Fi address usually changes. When using App Withdrawal Mode, also whitelist your hardware wallet address on your exchange so that funds can only be withdrawn to that verified address.

Step 3: Direct Execution

All trades and withdrawals execute directly from your mobile device to your exchange. The server only receives a confirmation report after you have completed an operation.

Result: Non-Custodial Security

Even if our servers are compromised, attackers cannot access your API keys, execute trades, or withdraw your funds. You maintain complete control.

Multi-Layer Security

Device-Only Key Storage

API keys stored exclusively on your mobile device using OS-level encryption (SecureStore)

Static IP Whitelist

Exchange API keys are protected by the IP whitelist you configure on the exchange; our servers are excluded from access.

Short-Lived Tokens

JWT access tokens expire in 15 minutes. Refresh tokens rotate on use.

Rate Limiting

Redis-backed rate limiting prevents brute-force attacks and API abuse.

Biometric Auth

Support for Face ID, Touch ID, and fingerprint authentication on mobile.

Automated Scanning

Semgrep static analysis runs on every commit and flags known vulnerable code patterns automatically.

Flexible Withdrawal Options

Choose App Withdrawal Mode (one-click, which requires an API key with withdrawal permission) or Manual Mode (copy-paste instructions, so the API key needs no withdrawal permission at all). You control your security level.

Data Encryption

In Transit

  • All communications use HTTPS/TLS 1.2+
  • WebSocket connections over WSS (encrypted)
  • Certificate pinning for API calls
  • No unencrypted data transmission

At Rest

  • Passwords hashed with bcrypt (cost factor 10, i.e. 2^10 rounds)
  • API keys stored in OS-level secure storage
  • MongoDB encryption at rest
  • Redis cache encryption support

Authentication & Access Control

JWT Token-Based Authentication

  • Short-lived access tokens (15 minutes)
  • Secure refresh tokens (7 days, httpOnly cookies)
  • Refresh token rotation on use
  • Token invalidation on logout

Password Requirements

  • Minimum 12 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

Additional Protection

  • Passcode lock on mobile app (4-6 digits)
  • Biometric authentication support (Face ID / Touch ID / Fingerprint)
  • Session management with Redis-backed storage
  • Automatic logout after extended inactivity

Rate Limiting & Abuse Prevention

We implement multi-tier rate limiting to protect against brute-force attacks, credential stuffing, and API abuse:

  Endpoint Type                       Rate Limit      Window
  Authentication (login, register)    5 requests      15 minutes
  API Endpoints (general)             100 requests    15 minutes
  Read Operations (data fetching)     300 requests    15 minutes
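An added example (not the project's own code) of a fixed-window limiter with the three tiers in the table above, written against the two Redis operations such limiters typically rely on, INCR and then EXPIRE on the window's first hit. The MemoryCounter class, the key format and the Express-style middleware shape are assumptions of this example; a Redis client would be dropped in where MemoryCounter is.

```javascript
// Added example, not the project's own code: a fixed-window limiter with the
// three tiers from the table above, built on INCR + EXPIRE semantics.
// MemoryCounter implements those two calls so the example runs offline.
// Counters are keyed per tier and per client IP, so a brute-force burst at
// login exhausts only that client's login budget, not everyone's read quota.
const WINDOW_S = 15 * 60;
const TIERS = {
  auth: { limit: 5, windowS: WINDOW_S },   // login, register
  api:  { limit: 100, windowS: WINDOW_S }, // general endpoints
  read: { limit: 300, windowS: WINDOW_S }, // data fetching
};

class MemoryCounter {
  constructor() { this.keys = new Map(); }
  incr(key, nowS) {
    const entry = this.keys.get(key);
    if (!entry || entry.expS <= nowS) {
      this.keys.set(key, { count: 1, expS: Infinity }); // no TTL until EXPIRE is called
      return 1;
    }
    entry.count += 1;
    return entry.count;
  }
  expire(key, ttlS, nowS) {
    const entry = this.keys.get(key);
    if (entry) entry.expS = nowS + ttlS;
  }
  ttl(key, nowS) {
    const entry = this.keys.get(key);
    return entry && entry.expS !== Infinity ? Math.max(0, entry.expS - nowS) : 0;
  }
}

// Decision for one request. `remaining` and `retryAfterS` map directly onto
// the X-RateLimit-Remaining and Retry-After response headers.
function checkRateLimit(counter, tierName, clientIp, nowS) {
  const tier = TIERS[tierName];
  if (!tier) throw new Error(`unknown rate-limit tier: ${tierName}`);
  const windowIndex = Math.floor(nowS / tier.windowS);
  const key = `rl:${tierName}:${clientIp}:${windowIndex}`;
  const count = counter.incr(key, nowS);
  if (count === 1) {
    // First hit in this window: TTL runs to the window boundary so the key
    // cleans itself up and Retry-After is exact.
    counter.expire(key, (windowIndex + 1) * tier.windowS - nowS, nowS);
  }
  const allowed = count <= tier.limit;
  return {
    allowed,
    remaining: Math.max(0, tier.limit - count),
    retryAfterS: allowed ? 0 : counter.ttl(key, nowS),
  };
}

// Express-style middleware factory on the same check; shown for shape and not
// exercised here. req.ip is only meaningful behind a proxy if the app has
// app.set('trust proxy', ...) configured, otherwise every client shares one IP.
function rateLimit(counter, tierName, clock = () => Math.floor(Date.now() / 1000)) {
  return (req, res, next) => {
    const decision = checkRateLimit(counter, tierName, req.ip, clock());
    res.setHeader('X-RateLimit-Remaining', String(decision.remaining));
    if (!decision.allowed) {
      res.setHeader('Retry-After', String(decision.retryAfterS));
      return res.status(429).json({ error: 'Too many requests' });
    }
    return next();
  };
}
```

A fixed window lets a client spend two full budgets around a boundary (the last seconds of one window and the first of the next); if that matters for the login tier, a sliding window or token bucket on the same INCR/EXPIRE primitives closes it.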

Input Validation & Sanitization

Protection Against Common Attacks

XSS Prevention

xss-clean middleware sanitizes request body, query and params so that injected HTML and script tags are neutralized before they are stored or reflected

NoSQL Injection

express-mongo-sanitize prevents MongoDB injection

CSRF Protection

SameSite cookies and token validation
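The NoSQL injection that express-mongo-sanitize exists to stop, shown as an added example beside a hardened handler; this is not the project's own code. The user list, the lookup handler and the tiny query matcher (just $gt, $ne and $regex) are constructed for the example so the effect can be observed offline; sanitizeMongo reproduces the library's default behaviour of dropping keys that start with "$" or contain ".".

```javascript
// Added example, not the project's own code. A JSON body can carry an object
// where a string was expected, and MongoDB treats an object whose keys start
// with '$' as a query operator, so the client ends up controlling the query's
// shape. USERS and the matcher are constructed; the matcher implements just
// enough MongoDB query semantics ($gt, $ne, $regex) to demonstrate the point.
const USERS = [
  { id: 1, email: 'alice@example.com' },
  { id: 2, email: 'bob@example.com' },
];

function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object') {
      const ops = Object.entries(cond);
      if (ops.length === 0) return false; // {} never equals a string field
      return ops.every(([op, arg]) => {
        if (op === '$gt') return value > arg;
        if (op === '$ne') return value !== arg;
        if (op === '$regex') return new RegExp(arg).test(String(value));
        return false;
      });
    }
    return value === cond;
  });
}

const findUsers = (query) => USERS.filter((u) => matches(u, query));

// Vulnerable: req.body.email is dropped straight into the query. A body of
// {"email": {"$gt": ""}} matches every account; {"$regex": "^b"} enumerates
// addresses one prefix at a time.
function findAccountVulnerable(body) {
  return findUsers({ email: body.email }).map((u) => u.email);
}

// What express-mongo-sanitize does with default options: walk the object and
// drop any key that starts with '$' or contains '.', recursively.
function sanitizeMongo(value) {
  if (Array.isArray(value)) return value.map(sanitizeMongo);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      if (key.startsWith('$') || key.includes('.')) continue;
      clean[key] = sanitizeMongo(inner);
    }
    return clean;
  }
  return value;
}

// Hardened: sanitize, then also validate the *type*. Sanitization alone turns
// {"$gt": ""} into {}, which is still not a string; rejecting anything but a
// bounded string before the query is what actually closes the hole.
function findAccountHardened(body) {
  const clean = sanitizeMongo(body);
  if (typeof clean.email !== 'string' || clean.email.length === 0 || clean.email.length > 254) {
    throw new Error('400: email must be a non-empty string');
  }
  return findUsers({ email: clean.email }).map((u) => u.email);
}
```

The same operator-object trick works against any field copied from the body into a filter, including login handlers that query on both email and password, which is why the type check belongs in a schema validator applied to every route rather than in one handler.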

HTTP Security Headers (Helmet.js)

  • Content-Security-Policy: Restricts resource loading
  • X-Frame-Options: Prevents clickjacking
  • X-Content-Type-Options: Prevents MIME sniffing
  • Strict-Transport-Security: Enforces HTTPS
  • X-DNS-Prefetch-Control: Controls DNS prefetching

Automated Security Scanning

Semgrep Security Analysis

We use Semgrep for automated static code analysis to detect security vulnerabilities. Our custom rules verify:

  • No hardcoded API keys or secrets in code
  • API keys never transmitted to backend
  • Proper encryption and hashing practices
  • Secure credential storage patterns
  • Code patterns behind common OWASP Top 10 vulnerabilities

Dependency Security

  • Regular dependency updates for security patches
  • Automated vulnerability scanning with npm audit
  • Dependabot alerts for vulnerable dependencies
  • Minimal dependency footprint to reduce attack surface

Security Best Practices for Users

Transparent & Auditable

Our codebase is publicly available for inspection. Security researchers, developers, and users can verify our security claims.

View Source Code on GitHub

We welcome security audits and responsible vulnerability disclosures.

Responsible Vulnerability Disclosure

We encourage security researchers to report vulnerabilities responsibly. If you discover a security issue:

  1. Report privately: Email support@mybitcoindca.com with details (do not disclose publicly yet)
  2. We acknowledge: We'll respond within 48 hours to confirm receipt
  3. We fix: We'll work to patch the vulnerability as quickly as possible
  4. Coordinated disclosure: Once fixed, we'll coordinate public disclosure and credit you (if desired)

Security Contact

For security inquiries, vulnerability reports, or general security questions:

Email: support@mybitcoindca.com

GitHub Security: Report via GitHub Security Advisories