by Jamie Holmes
According to recent research from High-Tech Bridge, almost all cryptocurrency wallets hosted on Android are vulnerable and pose a serious risk to the safety of user funds and wallets. TechRepublic reported the security concerns on December 1, but without asking the developers for their side. Are the claims justified?
Moving from Problems to Options
High-Tech Bridge offers personalized reports for cryptocurrency Android apps, and BTCMANAGER also ran stories on three of the more popular crypto wallets. Accordingly, there have been problems noted with the Coinbase, Mycelium, and Monerujo wallets. However, the report indicated that attackers have yet to exploit these vulnerabilities.
Using their Mobile X-ray tool, the High-Tech Bridge team suggested that, of the apps with more than 500,000 downloads, 94 percent contained at least three medium-risk vulnerabilities or did not have any back-end hardening or protection. ‘Man in the middle’ attacks were also highlighted as a major problem for crypto wallets.
Keeping a close eye on the security of a user’s crypto revolves around a handful of principles. Cold storage offers a straightforward solution by merely taking cryptocurrencies offline. But, as this can be inconvenient for transactions, mobile wallets are also necessary. When selecting a mobile application, be sure that the developers have a good reputation and offer open source software. Freewallet, for instance, is a terrific example of a scam from which to stay far away.
Tip of the Iceberg?
Kolochenko, CEO of High-Tech Bridge, stated, “Unfortunately, I am not surprised with the outcomes of the research. For many years, cybersecurity companies and independent experts were notifying mobile app developers about the risks of ‘agile’ development that usually imply no framework to assure secure design, secure coding, and hardening techniques or application security testing.”
“However, this is just the tip of the iceberg. A mobile app usually contains much less exploitable vulnerabilities than its backend. Weakness in a mobile application may lead to a breach of the mobile device or its data, while a vulnerable API on the backend – may allow attackers to steal the integrity of users’ data.”
When mobile wallet developers were contacted, however, the response suggested that the claims had been blown out of proportion. Shown the report’s details about supposed vulnerabilities in the Android Monero wallet in particular, m2049r, the creator of Monerujo, replied:
“This report is pathetic. The issues addressed are irrelevant in the context of monerujo, except maybe where we should be storing wallet files – this has been openly discussed on Reddit and GitHub with valid arguments for both sides (note that the PC clients store wallet files in the same way as monerujo). It is best not to rely on automatically generated code analysis. So, the concerns – as they are presented – are not justified.”
Mycelium and Coinbase were also contacted for comment but have not replied at the time of writing.
Not All Good News
It seems that with the rise of the crypto sector, more and more negative news hits the wires as if to sway the people away from unraveling the illusion of money.
In recent days we have witnessed an attempt to intensify the regulatory measures placed on cryptocurrencies in the EU, UK, and US, as well as ivory tower economists calling for bitcoin to be outlawed. Couple this with the claims that “nearly 100 percent of Android apps contain serious vulnerabilities that could compromise user security and wallets,” and bitcoin, and cryptocurrencies at large, still have some way to go before becoming a pillar of faith in the digital era.