Security is a BIG field and I don’t claim I know it all. If you find mistakes or misjudgements in this post, feel free to comment on them.
Security Audit https://liquidity.network/ Mobile Wallet
“Security First Based on cutting-edge research ?” is what is written on their website. Let’s put that to the test.
This was a black box audit
This type of test aims to simulate the real-world scenario of external attackers targeting and attempting to compromise your systems.
App version & date
- Version: v0.1.18 (as downloaded on 14 March 2019 from the Google Play Store)
Impacted devices: all Android versions
- root access IS NOT REQUIRED for this vulnerability to work
- physical access to the device is needed
Vulnerability #1: Finding the pin code
The app makes it easy to brute-force the PIN.
The application exits after 3 wrongly entered PINs, which makes guessing cumbersome, but this can be circumvented by force-restarting the app. There is no protection against retrying PINs once the app is restarted, because the “wrong PIN count” state is not stored on disk, on the network, etc.
You can see a proof-of-concept here
Test data: PIN 000050
Going from 000000 to 000050 took about 5 minutes.
Exercise for my readers: how much time does it take in the worst-case scenario?
Suggested fixes: the standard approach taken by many other banking/wallet apps is to reset the application after x (for example 10) wrong PIN entries. This counter should also not be stored on the device, since an attacker can overwrite it.
If this is not an option, waiting 1 minute after 3 wrong attempts is also viable. Again, this should work even if the app is forcefully closed and reopened.
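As an added example (not code from the post or from the audited app), here is the in-memory counter pattern described above beside a fix along the lines of the suggested ones, in Python for clarity: the failure count and lockout deadline are kept in a store that outlives the process, a 60-second lockout kicks in after every 3 failures and the wallet is wiped after 10. The dict-backed store, the thresholds, the injectable clock and the 51-attempt reading of the measured timing (used to answer the worst-case exercise) are assumptions of mine.

```python
import hmac
import time

WRONG, OK, LOCKED, WIPED = "wrong", "ok", "locked", "wiped"

class InMemoryPinGuard:
    """Vulnerable pattern: the counter lives only in process memory, so a
    force-close and relaunch (a fresh object here) resets it to zero."""
    def __init__(self, correct_pin):
        self.correct_pin, self.failures = correct_pin, 0
    def try_pin(self, guess):
        if self.failures >= 3:
            return LOCKED  # the real app exits here; a restart clears it
        if guess == self.correct_pin:
            return OK
        self.failures += 1
        return WRONG

class PersistentPinGuard:
    """Hardened pattern: failure count and lockout deadline live in a store the
    attacker cannot reset (server-side or hardware-backed; a dict stands in)."""
    LOCK_AFTER, LOCK_SECONDS, WIPE_AFTER = 3, 60, 10  # assumed thresholds

    def __init__(self, correct_pin, store, clock=time.monotonic):
        self.correct_pin, self.store, self.clock = correct_pin, store, clock
        store.setdefault("failures", 0)
        store.setdefault("locked_until", 0.0)
    def try_pin(self, guess):
        if self.clock() < self.store["locked_until"]:
            return LOCKED  # lockout survives a force-close and relaunch
        if hmac.compare_digest(guess, self.correct_pin):
            self.store["failures"] = 0
            return OK
        self.store["failures"] += 1
        if self.store["failures"] >= self.WIPE_AFTER:
            return WIPED  # wallet data erased; only the seed phrase restores it
        if self.store["failures"] % self.LOCK_AFTER == 0:
            self.store["locked_until"] = self.clock() + self.LOCK_SECONDS
        return WRONG

def simulate_restart_attack(make_guard):
    """Three wrong guesses, a 'force restart' (new guard, same store), a fourth guess."""
    guard = make_guard()
    for guess in ("000000", "000001", "000002"):
        guard.try_pin(guess)
    return make_guard().try_pin("000003")

def worst_case_seconds(pin_digits, attempts, seconds):
    # scale the measured brute-force rate (attempts in seconds) to the full keyspace
    return 10 ** pin_digits * seconds / attempts
```

With the in-memory guard the fourth guess after a restart is simply "wrong" and the search continues; with the persistent guard it is "locked" until the deadline passes. Reading the post's timing as 51 attempts in 300 seconds, the full 6-digit keyspace comes to roughly 68 days.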
Vulnerability #2: Root Access
There’s no protection against running the app on devices with root access. I guess the developers decided that people can do whatever they want with their phone, but the general trend with crypto/banking apps is to stop the user from accessing the app if the device is found to be rooted.
Is this a secure app to keep my crypto in?
For those of you asking this question, the answer is “I don’t know without further investigation”.
If the app goes open source, I can see what the traffic towards their server contains. Since certificate pinning is in place, it cannot be seen otherwise.
“Can they steal my money?” Without looking into the source files we can’t be sure.
There’s also a big warning when you open the app saying they are not liable for anything if things go wrong with the app :)
Guess you should take that into consideration.
I want to thank liquidity.network for allowing me to publish this and I wish them good luck with improving the security of their systems.
It seems this vulnerability still exists in the new version of the application. While they were informed about it, it seems they decided it’s not among their priorities.
Conclusion: stay away from this project.