In this blog post, I’ll discuss the security implications of crypto wallets and offer some tips to mobile developers on how to secure crypto wallets and protect their users’ crypto.
There’s no denying that the crypto market is on fire. Whether you consider it to be ‘all-hype’ or ‘the future of money’, one thing is clear — lots of people are using crypto wallets and other forms of e-wallets to store, trade, and transact with digital currencies. This trend is clearly shown in the chart below which shows the explosive growth of crypto wallet users worldwide.
No matter how you slice it, where there’s money (be it virtual, real, or ‘doge’), there will also be crime, fraud, theft, trickery and deceit. I know, it’s a cold world. Keep reading to understand the potential security risks involved in using crypto wallets and also how to keep your crypto wallets, eWallets and cryptocurrency safe and secure.
What are e-Wallets and Crypto Wallets?
An e-Wallet is a digital financial instrument that allows a customer to use a mobile app and/or device to make payments for goods and services using some form of stored digital currency. Digital currency can be things like frequent flier miles, loyalty points, a linked credit card or even cash. Apple Pay, Google Pay, and Samsung Pay are all examples of e-Wallets.
A crypto wallet is a specific type of e-wallet that is used to store, trade or transact using a cryptocurrency (like Bitcoin or Ethereum). There are many different types of crypto wallets. Examples of some of the most popular crypto wallets are Coinbase, Robinhood, ZenGo, and Crypto.com. There are two main types of electronic crypto wallets: hosted wallets and non-custodial wallets. With a hosted wallet, a third party keeps your crypto for you, similar to how a bank keeps your money in a checking or savings account. With a non-custodial crypto wallet, the customer takes on more control over the account via the possession of a private key that provides full access and control over the account and funds at any time. With non-custodial accounts, the private key (including where and how it is stored) is the sole responsibility of the customer. These are the types of wallets where you hear horror stories in the news of people who have forgotten or lost their private key and, as a result, lost millions of dollars of cryptocurrency.
From a security perspective, both hosted and non-custodial crypto wallets can be hacked if an attacker gains control over the account, either by stealing or learning the private key (in the case of non-custodial accounts) or by tricking the hosting provider into believing that they are the legitimate account holder (via phishing, masquerading or good old-fashioned account takeovers).
Consider the security breach at Mt. Gox, a leading Bitcoin exchange that filed for bankruptcy in after $450 million worth of Bitcoins were stolen directly from Mt. Gox cryptocurrency wallets.
While there are many methods and techniques hackers use to steal cryptocurrency, mobile applications are one of the weakest links in the attack chain. Even when social engineering and phishing are the primary attack technique used to trick or lure the unsuspecting user into revealing sensitive information, mobile applications are often exploited in a blended attack scenario. For example, an attacker may use a phishing technique or classical social engineering to lure a user into downloading a fake app that masquerades as a crypto wallet but actually contains malicious code inside. Once the unsuspecting user runs the app, the malware inside the app becomes active and monitors the user’s activity, records their keystrokes via a keylogger, or phones home for additional exploit code.
In the case of non-custodial accounts, where the private key is heavily sought after, hackers have been known to target the mobile clipboard using specially crafted malware that abuses legitimate Android methods for reading information that has been copied to the clipboard. In this case, they are betting that the mobile user will eventually use the “copy/paste” feature to copy their private key from wherever they have it stored so that they can access their non-custodial account to get access to cryptocurrency. It’s probably a pretty safe bet that many users are going to copy the private key somewhere, due to the difficulty of memorizing a private key string that looks like this:
Another popular attack method for stealing crypto keys is stealing 2FA codes, which are often required as an additional security measure to access hosted crypto wallets. I’ve written about this topic in past blogs where I discussed how malware is often programmed to steal MFA and 2FA codes. The same concept applies here. The malware can masquerade as a legitimate Android app like Microsoft Word or Adobe Flash, which it uses to trick users into granting permissions that the malware then abuses in a number of ways. Once installed, it quietly records keystrokes and notifications while scanning for bank account apps to monitor.
And let’s not forget overlay attacks, which have become a standard method used to attack mobile banking apps around the world. Crypto hackers are learning to use overlay attacks to trick users into transmitting sensitive information (such as crypto keys or passwords), or into enabling permissions or intents that are harmful to the user (such as allowing the crypto hacker to elevate privileges, log keystrokes, or plant backdoors).
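For the clipboard and overlay attacks described above, a wallet app can harden the one screen where a private key is shown or entered. This is an added Kotlin example, not code from the original post or from any vendor; `KeyScreenActivity`, `copySecret`, the clip label and the 30-second timeout are hypothetical names and values.

```kotlin
import android.app.Activity
import android.content.*
import android.os.*
import android.view.View
import android.view.WindowManager

// Hypothetical screen that shows or accepts a wallet private key.
class KeyScreenActivity : Activity() {
    private val handler = Handler(Looper.getMainLooper())

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Keep the key out of screenshots, screen recordings and the recents thumbnail.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        // Discard touches that arrive while another window covers the touch location,
        // which is how an overlay steers a tap onto a control underneath it.
        findViewById<View>(android.R.id.content).filterTouchesWhenObscured = true
    }

    // Copies a secret for the user, then wipes it after ttlMs (default is an assumption).
    fun copySecret(secret: String, ttlMs: Long = 30_000L) {
        val clipboard = getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
        val clip = ClipData.newPlainText("wallet-secret", secret)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            // Android 13+: keep the value out of the system clipboard preview.
            clip.description.extras = PersistableBundle().apply {
                putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
            }
        }
        clipboard.setPrimaryClip(clip)
        // Shorten the time the key sits on the clipboard where other apps could read it.
        handler.postDelayed({
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                clipboard.clearPrimaryClip()
            } else {
                // Before API 28 there is no clear call; overwrite with an empty clip.
                clipboard.setPrimaryClip(ClipData.newPlainText("", ""))
            }
        }, ttlMs)
    }
}
```

`EXTRA_IS_SENSITIVE` only hides the value in the clipboard preview; Android 10 and later already limit clipboard reads to the focused app and the default keyboard, so the timed clear matters most on older versions. Touch filtering stops taps that pass through an overlay, but not an opaque fake screen that collects input itself.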
Best Practices to Secure Crypto Wallets
Below is a set of recommended security best practices that I have provided to Appdome customers as a baseline for securing crypto wallets. Not every feature will be required for every app or use case. Instead, mobile developers can use this set of features as ‘mobile app security building blocks’ that they can combine in order to implement a robust security model in their crypto wallet apps:
- App Shielding — Provides anti-debugging, anti-tampering, anti-reversing and checksum validation, and prevents binary patching, app re-signing, and other forms of tampering. This is one of the building blocks required to prevent the distribution of fake apps or clones.
- Code Obfuscation — Prevents malicious reverse engineering of the app’s source code and logical structure.
- Mobile Data Encryption — Uses AES-256 to dynamically encrypt all the data stored in the application sandbox and throughout the code in preferences, strings, resources, strings.xml values and Java class DEX files.
- Jailbreak and Root Prevention — this prevents an iOS app from running on a jailbroken device and an Android app on a rooted device.
- Secure Communications — including Man-in-the-middle attack prevention, certificate pinning, certificate validation, and malicious proxy prevention. These features prevent the crypto wallet app from connecting to untrusted servers and protect the app against Man-in-the-Middle attacks, such as when an attacker redirects traffic to their own malicious proxy by swapping out the digital certificate stored inside the app’s trust store.
- Keylogger Prevention — Auto-detect approved keyboards and stop the use of custom keyboards that may include keylogger software used to exfiltrate keystroke information.
- Detect Accessibility Abuse — Detects any application installed on the device that has too many accessibility services permissions. This privilege escalation is common with all Trojans and RATs, which are often used to assist in the stealing of crypto keys.
- Block Android Debug Bridge — Automatically detects Android Debug Bridge (ADB) and prevents the use of ADB for malicious reverse-engineering, debugging, remote shell, etc.
- Block Overlay Attacks — Detect and prevent malicious screen overlays, where a fake screen is placed over the real screen and the user is tricked into performing a harmful action (e.g., revealing crypto keys, passwords, secrets) or inadvertently granting permissions to malware.
- Block Magisk Manager — Identifies and blocks the use of Magisk Manager, an advanced root-bypass and root-hiding framework.
- Block Frida Toolkits — Automatically detect and block dynamic binary instrumentation, method hooking, and malicious code or memory injection that attackers carry out using Frida or Frida-based toolkits.
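The keyboard, accessibility and ADB items in the list above come down to device-state checks that an app can approximate with standard Android APIs before it lets the user enter a key. This is an added Kotlin example, not Appdome's implementation or code from the original post; `RiskReport`, `assessDevice` and the allowlist contents are hypothetical.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.provider.Settings
import android.view.accessibility.AccessibilityManager

// Constructed allowlist for illustration (TalkBack and Gboard); an app maintains its own.
val TRUSTED_PACKAGES = setOf(
    "com.google.android.marvin.talkback",
    "com.google.android.inputmethod.latin"
)

data class RiskReport(
    val screenReadingServices: List<String>, // non-allowlisted services that can read windows
    val untrustedKeyboard: String?,          // default keyboard package if not allowlisted
    val adbEnabled: Boolean
)

fun assessDevice(context: Context): RiskReport {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    // Enabled accessibility services able to retrieve window content, minus the allowlist.
    val readWindows = AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT
    val services = am
        .getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .filter { (it.capabilities and readWindows) != 0 }
        .map { it.resolveInfo.serviceInfo.packageName }
        .filterNot { it in TRUSTED_PACKAGES }
        .distinct()

    // The default keyboard is stored as "package/service-class"; keep the package part.
    val imePackage = Settings.Secure
        .getString(context.contentResolver, Settings.Secure.DEFAULT_INPUT_METHOD)
        ?.substringBefore('/')
    val keyboard = imePackage?.takeUnless { it in TRUSTED_PACKAGES }

    // 1 when USB debugging is switched on in developer options.
    val adb = Settings.Global
        .getInt(context.contentResolver, Settings.Global.ADB_ENABLED, 0) == 1

    return RiskReport(services, keyboard, adb)
}
```

What the app does with a non-empty report (warn, require re-authentication, or refuse key entry) is a policy decision; legitimate assistive tools and alternative keyboards will appear here too, so the allowlist needs care.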
Drop me a line and I’d be happy to explain (or demonstrate) how to implement any of the above features in any iOS or Android app.