90% of Crypto Mobile Apps ‘In Trouble’

A catchy title, no denying that. It comes from Alyssa Hertig’s article, published today on CoinDesk. The article cites a report published by High-Tech Bridge, an SF-based security firm. Ilia Kolochenko, CEO of High-Tech Bridge, goes as far as claiming that vulnerabilities detected by Mobile X-Ray, their automated online security analyzer, could result in permanent loss of funds in an affected wallet app. We thought it was a good idea to give Mobile X-Ray a go, and so we did.

It only took Mobile X-Ray a few seconds to analyze Coinomi Wallet’s APK. We went through the report with mixed feelings. Seriously? Coinomi has that many vulnerabilities? That was until we took a closer look.

The report

Mobile X-Ray’s findings are listed in bold, with our technical comments below each of them:


USAGE OF INTENT FILTER [M1] [CWE-927] [SAST] HIGH
This is used for opening links like “bitcoin:1XXXXXXXXXXXXXXXXXXXX” or by other applications to request payments. The URI passed is untrusted and is handled in the same way as QR code scans.
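The point above is that a URI arriving through an intent filter is attacker-controlled input and must be validated exactly like a scanned QR code before anything is shown to the user or signed. As an added illustration (not Coinomi’s code), here is a defensive parser for BIP21 “bitcoin:” URIs: it checks the scheme, the address character set, the amount format and range, bounds the untrusted label text, and fails closed on any “req-” parameter it does not understand, as BIP21 requires. The class name, the length limits and the sample address are assumptions made for this example; checksum verification is left to the wallet’s address library.

```java
import java.io.UnsupportedEncodingException;
import java.math.BigDecimal;
import java.net.URLDecoder;
import java.util.Locale;
import java.util.regex.Pattern;

/** Defensive BIP21 parser written for this post; not Coinomi's code. */
public final class PaymentUriValidator {

    // Character-set checks only; the address checksum is verified by the wallet's address library.
    private static final Pattern BASE58_ADDRESS = Pattern.compile("[13][a-km-zA-HJ-NP-Z1-9]{25,34}");
    private static final Pattern BECH32_ADDRESS = Pattern.compile("bc1[02-9ac-hj-np-z]{6,87}");
    // Decimal BTC with bounded digit counts, so a hostile URI cannot smuggle in absurd numbers.
    private static final Pattern AMOUNT = Pattern.compile("\\d{1,8}(\\.\\d{1,8})?");
    private static final BigDecimal MAX_BTC = new BigDecimal("21000000");
    private static final int MAX_URI_LENGTH = 2048;   // assumed limit
    private static final int MAX_TEXT_LENGTH = 100;   // assumed limit for label/message

    /** Validated payment request; amount and label are null when absent. */
    public static final class PaymentRequest {
        public final String address;
        public final BigDecimal amount;
        public final String label;

        PaymentRequest(String address, BigDecimal amount, String label) {
            this.address = address;
            this.amount = amount;
            this.label = label;
        }
    }

    /** Parses a URI from an intent or QR scan; throws IllegalArgumentException on anything suspicious. */
    public static PaymentRequest parse(String uri) {
        if (uri == null || uri.length() > MAX_URI_LENGTH) {
            throw new IllegalArgumentException("URI missing or too long");
        }
        int colon = uri.indexOf(':');
        if (colon < 0 || !uri.substring(0, colon).equalsIgnoreCase("bitcoin")) {
            throw new IllegalArgumentException("not a bitcoin: URI");
        }
        String rest = uri.substring(colon + 1);
        if (rest.startsWith("//")) {
            rest = rest.substring(2); // tolerate "bitcoin://", which some apps emit
        }
        int q = rest.indexOf('?');
        String address = q < 0 ? rest : rest.substring(0, q);
        String query = q < 0 ? "" : rest.substring(q + 1);
        validateAddress(address);

        BigDecimal amount = null;
        String label = null;
        for (String pair : query.isEmpty() ? new String[0] : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : decode(pair.substring(eq + 1));
            switch (key) {
                case "amount":
                    if (!AMOUNT.matcher(value).matches()) {
                        throw new IllegalArgumentException("malformed amount");
                    }
                    amount = new BigDecimal(value);
                    if (amount.signum() <= 0 || amount.compareTo(MAX_BTC) > 0) {
                        throw new IllegalArgumentException("amount out of range");
                    }
                    break;
                case "label":
                case "message":
                    // Untrusted display text: bound its length and render it as plain text, never as HTML.
                    label = value.length() > MAX_TEXT_LENGTH ? value.substring(0, MAX_TEXT_LENGTH) : value;
                    break;
                default:
                    // BIP21: an unrecognised parameter prefixed "req-" must make the whole URI fail.
                    if (key.startsWith("req-")) {
                        throw new IllegalArgumentException("unsupported required parameter: " + key);
                    }
                    // Unknown optional parameters are ignored.
            }
        }
        return new PaymentRequest(address, amount, label);
    }

    private static void validateAddress(String address) {
        // bech32 is case-insensitive but must not mix cases; base58 is case-sensitive.
        boolean mixedCase = !address.equals(address.toLowerCase(Locale.ROOT))
                && !address.equals(address.toUpperCase(Locale.ROOT));
        boolean bech32 = !mixedCase && BECH32_ADDRESS.matcher(address.toLowerCase(Locale.ROOT)).matches();
        if (!bech32 && !BASE58_ADDRESS.matcher(address).matches()) {
            throw new IllegalArgumentException("address has invalid format");
        }
    }

    private static String decode(String raw) {
        try {
            return URLDecoder.decode(raw, "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            throw new IllegalArgumentException("malformed percent-encoding");
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: the address has the right shape but is not a real payee.
        PaymentRequest ok = parse("bitcoin:1AbCdEfGhJkLmNpQrStUvWxYz2345678?amount=0.01&label=Coffee%20shop");
        System.out.println(ok.address + " " + ok.amount + " " + ok.label);
        try {
            parse("bitcoin:1AbCdEfGhJkLmNpQrStUvWxYz2345678?req-unknown=1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same `parse` method serves both entry points (intent filter and QR scanner), which is the property the comment above describes: one validation path, so a URI handed over by another app can never reach the signing code with less scrutiny than a scanned one.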

WEAK HASHING ALGORITHMS [M5] [CWE-916] [SAST] MEDIUM
Almost all the instances are the Java hashCode() method, which is mainly used for sorting or for inserting into HashMaps. There are two cases where it flags “SHA-1” usage: one is the Bitcoin SHA1 opcode handling, the other is the WebSocket handshake, which uses that function.

HARDCODED ENCRYPTION KEYS [M5] [CWE-798] [SAST] MEDIUM
Incorrectly flags user-provided keys as hardcoded

USAGE OF WEAK INITIALIZATION VECTOR [M5] [CWE-329] [SAST] MEDIUM
Incorrectly flags Curve25519 constants as encryption initialization vectors

PREDICTABLE RANDOM NUMBER GENERATOR [M5] [CWE-338] [SAST] MEDIUM
Flags non-security code as using a weak random generator

WEAK ENCRYPTION [M5] [CWE-327] [SAST] MEDIUM
Flags “AES/ECB/NoPadding” as insecure, but it is used as specified by a standard, BIP38: https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki
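A static analyzer flags the cipher string alone; it cannot see why BIP38 gets away with ECB. ECB is dangerous when one key encrypts many blocks of structured data, because equal plaintext blocks produce equal ciphertext blocks. BIP38 (no EC multiplication) encrypts exactly two 16-byte blocks, each first XORed with half of a scrypt-derived pad, under a key that is itself derived from the passphrase and the address hash and therefore used once. The added example below (written for this post, not Coinomi’s code) shows that AES step and its inverse; it assumes the caller supplies the two 32-byte scrypt halves, since the JDK has no scrypt, and the bytes in main() are constructed filler, not BIP38 test vectors. The same cipher string in any other context would be a genuine finding.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * The AES step of BIP38 without EC multiplication, as an illustration for this post.
 * derivedHalf1/derivedHalf2 are the halves of scrypt(passphrase, addresshash, N=16384, r=8, p=8, 64),
 * which the caller is assumed to compute with a scrypt library.
 */
public final class Bip38AesStep {

    /** Returns encryptedhalf1 || encryptedhalf2 (32 bytes) for a raw 32-byte private key. */
    public static byte[] encryptHalves(byte[] privKey, byte[] derivedHalf1, byte[] derivedHalf2) throws Exception {
        check(privKey, derivedHalf1, derivedHalf2);
        // AES-256, ECB, no padding: two independent 16-byte blocks under a single-use key.
        Cipher aes = Cipher.getInstance("AES/ECB/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(derivedHalf2, "AES"));
        byte[] out = new byte[32];
        for (int half = 0; half < 2; half++) {
            // Plaintext block is masked with derivedhalf1 before encryption, so equal key halves never repeat.
            byte[] block = new byte[16];
            for (int i = 0; i < 16; i++) {
                block[i] = (byte) (privKey[half * 16 + i] ^ derivedHalf1[half * 16 + i]);
            }
            System.arraycopy(aes.doFinal(block), 0, out, half * 16, 16);
            Arrays.fill(block, (byte) 0); // do not leave masked key material lying around
        }
        return out;
    }

    /** Inverse of encryptHalves: recovers the raw 32-byte private key. */
    public static byte[] decryptHalves(byte[] encrypted, byte[] derivedHalf1, byte[] derivedHalf2) throws Exception {
        check(encrypted, derivedHalf1, derivedHalf2);
        Cipher aes = Cipher.getInstance("AES/ECB/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(derivedHalf2, "AES"));
        byte[] priv = new byte[32];
        for (int half = 0; half < 2; half++) {
            byte[] dec = aes.doFinal(Arrays.copyOfRange(encrypted, half * 16, half * 16 + 16));
            for (int i = 0; i < 16; i++) {
                priv[half * 16 + i] = (byte) (dec[i] ^ derivedHalf1[half * 16 + i]);
            }
        }
        return priv;
    }

    private static void check(byte[] data, byte[] h1, byte[] h2) {
        if (data.length != 32 || h1.length != 32 || h2.length != 32) {
            throw new IllegalArgumentException("all inputs must be 32 bytes");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed filler bytes standing in for a private key and scrypt output (not BIP38 vectors).
        byte[] priv = new byte[32], h1 = new byte[32], h2 = new byte[32];
        for (int i = 0; i < 32; i++) {
            priv[i] = (byte) i;
            h1[i] = (byte) (0xA5 ^ i);
            h2[i] = (byte) (0x3C + i);
        }
        byte[] enc = encryptHalves(priv, h1, h2);
        System.out.println("round trip ok: " + Arrays.equals(priv, decryptHalves(enc, h1, h2)));
    }
}
```

Reviewing a finding like this one means checking three things in the call site: how many blocks go under one key, whether the plaintext is already masked by key-derived material, and whether the key can ever be reused. BIP38 passes all three; a generic “encrypt this file with AES/ECB” call passes none of them.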

USAGE OF UNENCRYPTED HTTP PROTOCOL [M3] [CWE-319] [SAST] MEDIUM
The passed URL string is always HTTPS, so this doesn’t apply in our case

HARDCODED DATA [M2] [CWE-200] [SAST] LOW
Not a vulnerability

MISSING TAPJACKING PROTECTION [M1] [CWE-451] [SAST] LOW
Correct, can be implemented
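Tapjacking is the case where an overlay window covers a wallet’s confirmation screen and tricks the user into tapping a button they cannot see. Android lets a view discard touches that arrive while it is obscured. As an added example of the hardening the comment above calls for (written for this post, not Coinomi’s code), here is a confirmation Activity that enables that filter on the send button and additionally checks the per-event obscured flags, which also cover partial obscuring on API 29 and later. The layout and view ids (activity_send_confirm, confirm_send) and the sendTransaction() method are assumptions.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;

/** Illustrative confirmation screen for this post; layout and ids are assumed. */
public class SendConfirmActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_send_confirm);
        Button confirm = (Button) findViewById(R.id.confirm_send);

        // Drop any touch delivered while another window (overlay, toast, system alert) covers this view.
        // The declarative equivalent is android:filterTouchesWhenObscured="true" on the view in the layout.
        confirm.setFilterTouchesWhenObscured(true);

        // The flag above only reacts to FLAG_WINDOW_IS_OBSCURED; from API 29 the platform also reports
        // partial obscuring, so inspect the event flags as well before the click is allowed through.
        confirm.setOnTouchListener(new View.OnTouchListener() {
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                int flags = event.getFlags();
                boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
                        || (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
                if (obscured) {
                    // Consume the event so it never turns into a click; a UI hint to the user is optional.
                    return true;
                }
                return false; // normal click handling proceeds
            }
        });

        confirm.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                sendTransaction();
            }
        });
    }

    private void sendTransaction() {
        // Assumed: the wallet's own review, signing and broadcast path is invoked here.
    }
}
```

The filter belongs on every view whose tap moves funds or reveals a seed, not only on the final send button; a detection-minded team can also log discarded obscured touches, since a burst of them on a confirmation screen is a signal worth looking at.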

TEMPORARY FILE CREATION [SAST] WARNING
Not a vulnerability

OBJECT DESERIALIZATION FOUND [M7] [CWE-502] [SAST] WARNING
Not a vulnerability

USAGE OF IMPLICIT INTENT [M1] [CWE-927] [SAST] WARNING
False positives: all the flagged intents are used for setResult()

JS ENABLED IN A WEBVIEW [M10] [CWE-749] [SAST] WARNING
This is correct; however, we only use whitelisted HTML/JavaScript files

DYNAMIC LOAD OF CODE [M7] [CWE-94] [SAST] WARNING
Used by third-party libraries

NETWORK SECURITY CONFIGURATION IS NOT PRESENT [SAST] WARNING
Security hardening, can be implemented

MISSING ANTI-EMULATION [SAST] WARNING
Security hardening, can be implemented

JS CORS ENABLED IN WEBVIEW [M10] [CWE-749] [SAST] WARNING
This is correct; however, we only use whitelisted HTML/JavaScript files


So what does this all mean?

It means only one thing: your wallet’s security is our number one concern, and despite the results in this report looking disturbing at first sight, your funds are 100% safe with Coinomi.

Mobile X-Ray did point out a few minor improvements that can harden Coinomi’s already robust and battle-tested defenses against hackers even further, so thanks for that. It’s worth mentioning at this point that Coinomi’s first version was released in 2014 and no wallet has been hacked or otherwise compromised since. Coinomi is a security-first wallet, after all.

So aren’t 90% of Crypto Mobile Apps ‘In Trouble’?

We can’t speak for other crypto mobile apps, but Coinomi Wallet certainly isn’t, and since you’re reading this, neither are you :)