By Ashish Rajendra Sai
Article: “Privacy and Security Analysis of Cryptocurrency Mobile Applications”
Authors: Ashish Rajendra Sai, Jim Buckley, Andrew Le Gear
Affiliation: Irish Software Research Centre & Horizon Globex
Article Category: Security
Why this article? : In this week’s installment, we take a look at the active research on blockchain here at Horizon Globex. Unlike traditional financial services computing applications, blockchain applications have a reputation for shunning regulatory requirements. This can be problematic as consumer-end applications serve as an entry point for most day to day users of cryptocurrencies.
One such crucial deployment platform for cryptocurrencies is the mobile applications domain. These mobile applications serve numerous purposes, such as cryptocurrency wallets and exchanges. Most of the reported cryptocurrency attacks are primarily targeted at these user-end applications; thus it is crucial that these applications are assessed for common security vulnerabilities.
In this article, we examine the prominent android cryptocurrency application designed for common security vulnerabilities. We review the top 50 most downloaded cryptocurrency applications on Google Play store for the presence of vulnerabilities outlined in OWASP mobile top 10.
We report that the security provisions of cryptocurrencies are similar to those of regulated banking applications.
Paper Overview: The paper takes a closer look at the security provisions of cryptocurrency mobile applications by designing a static code analyzer to review the source code for common security threats. The threat identification process is executed on all 50 shortlisted cryptocurrency applications followed by the review of the top 10 most downloaded banking and trading applications.
By reviewing the top 10 most downloaded traditional banking and trading applications, we establish a baseline to compare the cryptocurrency applications. As the static code analysis process is limited by the way the code is written, it may return false positives. To limit the false positives, we review six applications manually. The manual review allows us to examine if the statically identified threats actually pose any risks. The manual investigation is referred to as phase 2 of the study in the text.
Methodology: The study selects the top 50 most downloaded cryptocurrency applications to test for the presence of OWASP mobile vulnerabilities. These applications are decompiled into source code by using a decompiler. After the decompilations, a static code analyzer is used to identify these security threats. Along with static code analysis, we also sniff the network traffic from the application to identify unencrypted secret information such as session tokens. The static and network analysis is referred to as Phase 1 in the study.
OWASP mobile top 10 identify weak hashing algorithms as a potential security threat. We argue that a weak hashing algorithm may not be an issue if it is not used in a security-critical component such as authentication or critical generations. To improve the accuracy of our results from static analysis, we perform a manual investigation of a subset of the application. In the manual investigation, we identify the security issues in safety-critical components.
Phase 1 and 2 of the study gives an insight into the state of security provisions of the cryptocurrency applications. In order to compare them with traditional trading and banking systems, we perform similar tests on the top 10 most downloaded trading and banking applications.
Results: The distinction between cryptocurrency safety regulations and applications for banking and trading as assessed by the study’s Phase 1 is small.
The privacy assessment based on consent revealed that 8 percent of verified cryptocurrency apps had one more harmful permissions as opposed to no malicious petition for approval from banking apps.
Phase 1 outcomes indicate that applications for cryptocurrency and banking provide the same standard of safety, but banking applications appear to provide greater norms of user privacy than applications for cryptocurrency.
Implications for the greater blockchain community:
The results from our study suggest that cryptocurrency applications provide a good level of security in the applications but lack behind in terms of privacy provisions.
Do you think the cryptocurrency community should establish a guideline or standard for building high-quality mobile applications that provide an adequate level of security and privacy provisions?
Check in each Wednesday for digestible insights surrounding the most influential research publications in the crypto/blockchain domain.