A brute force attack on Liquidity.network Android wallet

Andy Octavian
Mar 19

Security is a BIG field and I don’t claim I know it all. If you find mistakes or misjudgements in this post, feel free to comment on them.

Security Audit https://liquidity.network/ Mobile Wallet

“Security First Based on cutting-edge research ?” is what’s written on their website. Let’s put that to the test.

This was a black box audit

This type of test aims to simulate the real-world scenario of external attackers targeting and attempting to compromise your systems.

App version & date

  • Version: v0.1.18 (as taken now, 14 March 2019 from Google Play Store)

Impacted devices: all Android versions

Requirements:

  • root access IS NOT REQUIRED for this vulnerability to work
  • physical access to the device is needed

Vulnerability #1: Finding the pin code

The app makes it easy to brute force the PIN

The application exits after 3 wrong PIN entries, which makes guessing cumbersome, but this can be circumvented by forcefully restarting the app. There is no protection against retrying PINs once the app is restarted, and the “wrong pin count” state is not stored on disk, on the network, etc.

You can see a proof-of-concept here

https://drive.google.com/file/d/1bevhrBOYQmxLTA-Te4SV1Kb_9ZiNrXVy/view?usp=sharing

Test data: pin 000050

Starting from 000000 to 000050 took about 5 minutes

Exercise for my readers: how much time does it need in a worst-case scenario?

Suggested Fixes: the standard thing that many other banking/wallet apps do is reset the application after x (for example 10) wrong PIN entries. This count also should not be stored on the device, since the attacker can overwrite it.

If this is not a solution, enforcing a 1 minute wait between 3 wrong attempts is also viable. Again, this should work even if the app is forcefully closed and reopened.
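A model of both suggested fixes next to the reported behaviour, as an added example (not code from the original post or from the wallet). `AttemptStore`, `PinGate`, `simulate` and the PIN `999999` are hypothetical names and constructed values; `AttemptStore` is assumed to live somewhere the attacker cannot rewrite (server-side or hardware-backed), which the model does not implement.

```python
import time

class AttemptStore:
    """Stand-in for storage the attacker cannot rewrite (assumed: server-side
    or hardware-backed). It outlives app restarts."""
    def __init__(self):
        self.failures, self.locked_until, self.wiped = 0, 0.0, False

class PinGate:
    """Created on every app launch; keeps no state of its own."""
    WIPE_AFTER, DELAY_EVERY, DELAY_SECONDS = 10, 3, 60  # values from the text

    def __init__(self, store, check_pin, clock=time.time):
        self.store, self.check_pin, self.clock = store, check_pin, clock

    def try_pin(self, pin):
        s = self.store
        if s.wiped:
            return "wiped"
        if self.clock() < s.locked_until:
            return "wait"
        s.failures += 1  # count BEFORE verifying: killing the app mid-check gains nothing
        if self.check_pin(pin):
            s.failures = 0
            return "ok"
        if s.failures >= self.WIPE_AFTER:
            s.wiped = True  # a real wallet would erase its secrets here
        elif s.failures % self.DELAY_EVERY == 0:
            s.locked_until = self.clock() + self.DELAY_SECONDS
        return "wrong"

def simulate(persist, restart_every=2, guesses=50):
    """Constructed run: wrong PINs only, forced restart every `restart_every`
    guesses. Returns (PINs actually checked, wallet wiped?)."""
    now, checked = [0.0], [0]
    def verify(pin):
        checked[0] += 1
        return pin == "999999"  # constructed PIN, outside the guessed range
    store = AttemptStore()
    for i in range(guesses):
        if i % restart_every == 0:
            if not persist:
                store = AttemptStore()  # the reported defect: count lost on restart
            gate = PinGate(store, verify, clock=lambda: now[0])
        if gate.try_pin(f"{i:06d}") == "wait":
            now[0] += PinGate.DELAY_SECONDS  # wait out the lock, then retry
            gate.try_pin(f"{i:06d}")
    return checked[0], store.wiped

if __name__ == "__main__":
    print("count lost on restart:", simulate(persist=False))
    print("count persisted:      ", simulate(persist=True))
```

With the count lost on every restart, all 50 guesses are checked; with the count persisted, checking stops at the tenth wrong PIN regardless of how often the app is restarted.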

Vulnerability #2: Root Access

There’s no protection against running the app on rooted devices. I guess it was the decision of developers that people can do whatever they want with their phone, but the general trend with crypto/banking apps is to stop the user from accessing the app if the device is found to be rooted.

Other thoughts:

Is this a secure app to keep my crypto ?

For those of you who ask this question the answer is “I don’t know without further investigation”.

If the app goes open source, I can see what the traffic towards their server contains. Since a certificate binding is in place, it cannot be seen.

“Can they steal my money ?” Without looking into the source files we can’t be sure.

There’s also a big warning when you open the app saying they are not liable for anything if things go wrong with the app :)

Guess you should take it into consideration

I want to thank liquidity.network for allowing me to publish this and I wish them good luck with improving the security of their systems.

Update:

It seems like this vulnerability still exists in the new version of the application. Although they were informed about it, it seems like they decided it’s not among their priorities.

Conclusion: stay away from this project.
