Research out from web security firm High-Tech Bridge should worry anyone who uses a mobile cryptocurrency app on their Android device: Nearly all of them contain some form of security-compromising vulnerability.
With the continuing surge in Bitcoin value, it's no surprise that cryptocurrency apps would become targets for hackers—Bitcoin now trades at upwards of $10,000 apiece, and the growth isn't stopping. Yes, it might be a bubble. It's a valuable one though, especially for those who simply want to steal and dump coins to make a quick profit.
If you're using a popular cryptocurrency app for Android, there's a near guarantee that it's vulnerable to at least one of the Open Web Application Security Project's (OWASP) mobile top 10 vulnerabilities.
More crypto value, more crypto problems
To be clear, the fact that these apps contain vulnerabilities doesn't mean that they've been exploited, but considering the soaring value and media popularity of Bitcoin and other cryptocurrencies, it's increasingly likely that they will be.
In order to find vulnerabilities in Android cryptocurrency apps, High-Tech Bridge used its Mobile X-Ray tool to scan APKs for OWASP and other vulnerabilities. The tests focused on the 30 most popular cryptocurrency apps with more than 500,000 installs, 30 with up to 500,000, and 30 with up to 100,000.
What it found was startling to say the least. Of the apps with more than 500,000 downloads, 94% contained at least three medium-risk vulnerabilities, 94% lacked any back-end hardening or protection, and 94% were still using either the 21-year-old SSL 3.0 or the 18-year-old TLS 1.0 encryption protocol.
Moving down the list, the less popular apps were no less filled with dangerous security practices. In total, not a single app had protections against reverse engineering, 84% contained at least two high-risk vulnerabilities, 61% were transmitting unencrypted data over HTTP, and 47% were vulnerable to man-in-the-middle attacks.
The three most popular OWASP vulnerabilities were consistent across the three installation tiers too:
- Improper platform usage, which covers misuse of a platform feature (like Android intents, TouchID, or keychains) or failure to use platform security controls
- Insecure data storage, which also covers unintended data leakage
- Insufficient cryptography, which covers any use of cryptography that wasn't done correctly (including any SSL and TLS issues)
What developers should be doing differently
High-Tech Bridge CEO Ilia Kolochenko didn't pull any punches in his conclusions drawn from the research: The fault lies with poor agile development practices.
"'Agile' development usually (implies) no framework to assure secure design, secure coding and hardening techniques or application security testing," Kolochenko said in the report.
So what is a Bitcoin app developer to do to protect their reputation, their finances, and their users? Include security as part of the development process from the very beginning—something that TechRepublic has reported on before.
Kolochenko recommends building the requirements of the EU's General Data Protection Regulation (GDPR) into the development process early on, to be sure apps meet modern security requirements, even though the regulation applies by law only to countries in the EU. The GDPR may not matter to developers in other parts of the world, but it's a thorough regulation that makes a valuable security and privacy guideline for those in other nations.
Any app that deals with confidential user data, whether for cryptocurrency or anything else, needs to be secured against every possible compromise. While that's surely a daunting task, designing from the ground up with user privacy and data security as a focus is a good start.
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.