Decentralized Cryptocurrency Wallet Audit (Part 2)

iBitcome
iBitcome
Sep 6, 2018 · 5 min read

Protocol interaction security detection

• Create transaction security detection

When a user sends a transaction, if both parties’ account does not have a secondary verification, it is easy for hackers to replace the recipient’s account information without the user knowing, resulting in loss of money for the user. One way to solve this is to use technical means to test and verify that the wallet APP has this risk.

• Transaction signature security detection

After a transaction is sent, the formal signature transaction process is sent. If the relevant agreement policy is not designed strictly, the user property can be lost. One way to audit this is to do a reverse analysis of the transaction process logic code to see if there are related security risks.

• Transaction completed confirmation test

After the transaction is completed, if the transaction content is not confirmed, it will result in the user clearly understanding the information but the relevant information cannot be recorded on the APP, and the personal transaction record cannot be queried. Analyze this process to see if there are related security risks.

• Balance inquiry security detection

When the wallet APP performs the balance inquiry, whether it is from the currency official server or the wallet manufacturer server, the integrity verification should be strictly performed on the data returned to the client, otherwise the user APP data can receive false and abnormal information. Confirm this process to see if there are security risks.

Data storage security detection

• Seed phrase creation safety inspection

When a new user uses the wallet APP, a seed phrase is generated that will request the user to record it. Whether the process has a detection for screenshot, screen recording, etc. if the security check is not performed, the core information of the wallet can be leaked, and the user will loses its fund.

• Seed phrase storage security detection

After the seed phrase is generated, if it is saved locally and stored in plaintext when it is saved locally, it can allow hackers to attack and obtain the user seed phrase information. If it is encrypted storage, but the security of the encryption algorithm is not high, which can allow hackers to reverse analysis the algorithm and restore the encrypted data to plaintext, resulting in the leakage of the user’s seed phrase information. Simulate hacker attacks to detect whether there are security risks in related processes.

• Private key generation security detection

The wallet APP is in the process of generating a new user’s private key. If the related algorithm can be reversely analyzed, the hacker can simulate the generated private key, and the user’s funds will be lost. The correlation algorithm will be analyzed in reverse to confirm whether there is such a security risk.

• Private key storage security detection

After the private key is generated, it will be stored locally and stored in plain text when it is saved locally. This will can cause the hacker to attack and obtain the private key information of the user. If it is encrypted storage, the security of the encryption algorithm is not high, which will cause the hacker to reverse the analysis algorithm and restore the encrypted data to the plaintext, resulting in the leakage of the user’s private key information. Simulate hacker attacks to detect whether there are security risks in related processes.

• Authorized password storage security detection

After the user enters the authorization password, if it is stored locally, it can cause the hacker to attack and obtain the private key information of the user. If it is encrypted storage, the security of the encryption algorithm is not high, which can cause the hacker to reversely analyze the algorithm and restore the encrypted data to the plaintext, causing the user to authorize the password to be leaked. The counter attack app analyzes the relevant algorithm to confirm whether there is such a security risk.

• Keystore file to create security detection

Is the generation of keystore file algorithm process safe and irreversible. If it is not secure, it can cause the hacker to recover the authorization password and the user private key. Analyze whether the generation of keystore file algorithm process is safe and reliable.

• Keystore file to create security detection

If the keystore file is stored in the APP in plain text, it can cause the hacker to get the keystore file then brute force attack to obtain the authorization password and private key information. If the storage location of the keystore file is not secure, for example, it is stored in the storage area, it can cause the malicious application to delete the keystore and the user cannot use the wallet normally. Analyze the keystore storage process for this security risk.

• PIN code creation security detection

Whether the wallet has a security detection when creating a PIN code, such as screenshot, screen recording, etc. If the security check is not performed, there is a risk of leaking the wallet PIN code information.

• PIN code storage security detection

If the PIN code is stored in the app or stored locally using the wrong encryption algorithm, it can result in the PIN being obtained by the hacker. It is detected whether the PIN code storage uses a hash and an encrypted storage to store the PIN code.

• Local storage data sensitivity detection

When storing data locally, whether sensitive information is stored locally, if some user-sensitive information is stored locally, it is easy for the attacker to perform reverse analysis, and we can reverse-analyze it to see if there is sensitive information stored locally.

Functional design for safety detection

• Import wallet function security detection

The function of importing the wallet is to restore the private key stored by the previous user in the system directly. If the recovery process is monitored, and the related functions are not strictly designed, it may result in hacking during this process. Simulate hacker attacks and perform related verification.

• Transaction password security detection

If the strength of the transaction password is not detected, it can cause hackers to guess the password and directly conduct the transaction; the transaction password is stored in plaintext locally, and the local storage encryption is not strict, which can cause the hacker to reversely analyze it and obtain the transaction password. Simulate a hacker attack to verify the existence of this threat.

• User input security detection

If user inputs the data, if the function design is not strict, it will be intercepted by the hacker; if a third-party keyboard is used, and the user input logic is not verified, it will easy for the hacker to obtain the sensitive information. Simulate hacker attacks, check whether the related processes are strict, and verify whether the security risks exist.

• Transfer address security check

After a user enters the transfer address or scans the QR code transfer address, if there is no detection for tampered address, the user’s fund can be lost. Simulate hacker attacks and see if there are security risks in related processes.

• Seed phrase, private key network storage security detection

The seed phrase and private key should be prohibited from being transmitted back to the APP vendor through the network to prevent user’s data and funds from the server being stolen by a hacker. If there is a related backhaul data operation, the user data and fund will be stolen easily. Reversely analyze related network protocols to see if there are related security risks.

• Certificate verification detection in https communication

In the data network interactive communication, if https is used, and the certificate is not strictly verified, it can cause a middleman to attack, the hacker replacing the data, so that the user receives false information on the APP. Simulate hacker attacks and verify this process to determine if there are related security risks.

iBitcome

Written by

iBitcome

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade