Security is a “minimum standard” for crypto wallet apps that’s worth fighting for
By Jan Sysmans (pictured), Mobile App Security Evangelist at Appdome.
As Australia shapes its digital asset regulations, app developers should take the opportunity to examine their security capabilities and user protections ahead of time.
The path to regulating – and legitimising – digital asset platforms and crypto wallet apps in Australia has been a long one.
Recently, though, a key milestone was reached, with the Government making recommendations on a regulated path forward. This includes “minimum standards … to ensure the security of customer assets and ensure platform entitlements survive in the event of a platform collapse.”
New entrants to the Australian financial sector will be aware that “minimum standards” is a familiar refrain whenever outside innovation appears.
It is often argued, by those already in the sector, that the price of entry for new players should be linked to their ability to meet the same exacting high standards as existing larger, regulated entities already operating.
Security is a minimum standard that is typically seen as non-negotiable.
It was raised as a topic when Australia embraced open banking. Suddenly, data that had previously only been stored on bank systems could be transferred, with customer consent, to much smaller fintechs. Non-uniformity of data security standards on the fintech side was frequently raised as a concern by data holders as open banking regulations were formed.
It’s a similar story with the rise of crypto and digital assets. Incumbents are as protective of customer funds as they are of customer data. Some have placed limits on fiat transfers to crypto asset platforms and apps ahead of the space being regulated, with security and fraud risk cited as key reasons for the limitations being applied.
Banks are not wrong in advocating for customer protections and security, particularly when it comes to crypto wallet apps. Adoption of these apps has exploded as new investors are drawn to cryptocurrency and new cryptocurrencies and tokens are launched. Fraud and attacks on crypto wallet apps have ‘followed the money’ in that sense.
Crypto wallet app developers are advised to take steps now to promote customer and fund security, de-risking their platforms, alleviating outside concerns about security, and preparing them for the “minimum standards” that Australian regulation will bring.
Often it is not the crypto wallet app itself that poses the security issue, but that the customer unknowingly installs a malicious app on the same device. Sharkbot, Xenomorph, Octo and Sova are just some of the Android banking malware families that target cryptocurrency wallet apps, initiating transactions, stealing passphrases and more, typically by abusing accessibility services and overlay screens to read from and drive the legitimate app.
No crypto wallet app is better protected by default in this regard. There are many wallet types (hot, cold, custodial and non-custodial), but from the mobile app's point of view the exposure is much the same. Eventually the wallet has to connect to something to transact, and whatever key material, passphrase or transaction data the app handles on the device is reachable by malware running on that device. A hardware (cold) wallet keeps the signing key off the phone, but its companion app still builds the transaction and shows the destination address on that same phone, which is exactly what address-swapping malware targets.
Unencrypted data in memory, in the application sandbox or on the SD card, in preference stores such as NSUserDefaults on iOS or SharedPreferences on Android, or in shared areas such as the clipboard gives an attacker with a foothold on the device the ability to harvest it.
Crypto wallet app makers should treat data-at-rest encryption as the minimum protection for locally stored data, wherever it resides: inside the app's own files, in preference stores, or in caches. The encryption key has to live somewhere better than next to the data; generate it in the platform keystore (Android Keystore or the iOS Keychain, hardware-backed where the device supports it) so that a copied preference file or backup is useless off the device. The clipboard cannot be encrypted in any useful sense, because its whole purpose is to hand text to other apps, so seed phrases and private keys should not be placed on it at all, and anything that must go there should be cleared after a short timeout.
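As an added example (not code from the article or from Appdome), the following Go program shows the shape of the data-at-rest protection described above: a secret is sealed with AES-256-GCM before it reaches a preference store, the preference key is bound in as associated data so a blob copied to another entry or another app's store fails to open, and the plaintext buffer is zeroed once the app is done with it. The 32-byte key is generated randomly here as a stand-in for one held in the platform keystore, and the passphrase is a constructed sample, not a real wallet secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// newAEAD wraps a 32-byte key in AES-256-GCM. The key is assumed to come from
// the platform keystore (Android Keystore or the iOS Keychain); storing it in
// the same preference file as the data would defeat the purpose.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for storage under prefKey in the app's preference
// store and returns base64(nonce || ciphertext || tag). prefKey is bound in as
// additional authenticated data, so the blob only opens under the same entry.
func Seal(key []byte, prefKey string, plaintext []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	// Fresh random nonce per call: reusing a GCM nonce under one key leaks
	// plaintext and lets an attacker forge tags.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	blob := aead.Seal(nonce, nonce, plaintext, []byte(prefKey))
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Open reverses Seal. Any change to the blob, or a mismatched prefKey, fails
// authentication before a single byte of plaintext is released.
func Open(key []byte, prefKey, stored string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	blob, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored value too short to be a sealed blob")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(prefKey))
}

// Zero overwrites a plaintext buffer once the app has used it, so a later
// memory dump is less likely to contain the passphrase. Go makes no promise
// about copies the runtime has made, so this is best effort only.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	key := make([]byte, 32) // stands in for a keystore-held key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	secret := []byte("constructed sample passphrase, not a real wallet")
	blob, err := Seal(key, "seed_phrase", secret)
	if err != nil {
		panic(err)
	}
	Zero(secret) // plaintext is no longer needed in memory
	fmt.Println("stored:", blob)
	back, err := Open(key, "seed_phrase", blob)
	fmt.Printf("same entry:  %q err=%v\n", back, err)
	_, err = Open(key, "backup_phrase", blob)
	fmt.Println("moved entry: err =", err)
}
```

Binding the preference key as associated data costs nothing and closes the "copy the blob into a different slot" trick; on a real device the same idea extends to binding the app's package name or the device's keystore-backed identity.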
Dynamic attacks against crypto wallet apps
Because the mobile client is the party that builds and signs transactions before they reach the blockchain, the integrity of the platform running the wallet app matters a great deal for protecting its users.
For example, standard jailbreak and rooting methods, together with root and jailbreak hiding tools such as Magisk and Liberty Lite, can be used alone or in combination with malware to intercept, harvest or tamper with events between the app and external services. Dynamic binary instrumentation (DBI) frameworks built for pentesting, Frida above all, can hook, instrument and invoke functions inside a wallet app for all sorts of malicious purposes: reading the client's blockchain address or passphrase, impersonating the client app, and so on.
Crypto wallet makers should detect jailbroken or rooted devices and refuse to run on them; detect and block dynamic instrumentation and pentesting tools; and apply comprehensive code obfuscation so that researching the app is harder in the first place. These are client-side controls, so an attacker with full control of the device can eventually bypass them; they raise the cost of an attack and buy time rather than proving the device is clean.
Preventing MiTM attacks
A wallet may be part of a centralised or decentralised exchange, so the client talks either to a server or directly to peers. Either way the network path exposes it to man-in-the-middle attacks, TCP reset attacks, trojanised clients and similar threats.
The data in transit is what gives the wallet its value: transactions, amounts, destination addresses and, for custodial services, credentials or passphrases all travel over this channel.
To protect these communications, enforce TLS for every connection to and from the wallet app (SSL and early TLS versions should not be accepted at all): set TLS 1.2 as the minimum version, restrict the cipher suites to forward-secret AEAD suites, and pin the backend's public key so that a certificate issued by a root the device has been tricked into trusting is still rejected. Developers should also consider a broader man-in-the-middle defence that detects proxy configurations and untrusted root certificates on the device.
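As an added example (not code from the article or from Appdome), the following Go program shows the client-side TLS policy just described and why the pin matters: a minimum version of TLS 1.2, an explicit cipher-suite allow-list, and a check that the server's public key matches a pinned SPKI hash after normal chain validation. It mints two self-signed certificates for a hypothetical backend name (`wallet.example`, an assumption) and puts both in the trust store, standing in for a device on which a rogue root has been installed; the handshake against the pinned key succeeds, the handshake against the other, equally trusted certificate fails. The loopback server exists only so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SPKIPin returns "sha256/<base64>" over the certificate's SubjectPublicKeyInfo,
// the pin format OkHttp's CertificatePinner uses. Pinning the key rather than
// the whole certificate survives renewals that keep the same key pair.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// ClientConfig: TLS 1.2 floor, an allow-list of forward-secret AEAD suites (Go
// applies the list to TLS 1.2 only; TLS 1.3 suites are fixed), and a pin check.
// Without the pin, any root the device trusts can impersonate the backend.
func ClientConfig(serverName string, pins []string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		RootCAs:    roots, // nil selects the system trust store
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		// Go calls this only after the chain verified against RootCAs and ServerName.
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			for _, p := range pins {
				if p == SPKIPin(leaf) {
					return nil
				}
			}
			return errors.New("tls: server key does not match any pinned SPKI")
		},
	}
}

// must is scaffolding for the throwaway certificate below; real code returns errors.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// SelfSignedCert mints a throwaway self-signed certificate for host (Leaf set),
// standing in for the backend's real certificate or for a MITM certificate.
func SelfSignedCert(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs one TLS handshake against a loopback server presenting
// serverCert and returns the client's verdict.
func Handshake(cfg *tls.Config, serverCert tls.Certificate) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		_ = srv.Handshake() // the server's view is not what is being tested
		srv.Close()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	cli := tls.Client(conn, cfg)
	defer cli.Close()
	return cli.Handshake()
}

func main() {
	const host = "wallet.example" // hypothetical backend name
	backend, mitm := SelfSignedCert(host), SelfSignedCert(host)
	roots := x509.NewCertPool()
	roots.AddCert(backend.Leaf)
	roots.AddCert(mitm.Leaf) // the device has been made to trust both roots
	cfg := ClientConfig(host, []string{SPKIPin(backend.Leaf)}, roots)
	fmt.Println("real backend:", Handshake(cfg, backend)) // <nil>
	fmt.Println("mitm cert:   ", Handshake(cfg, mitm))    // pin error
}
```

Ship at least two pins (current key plus the next planned key) so a key rotation does not brick every installed client, and remember that pinning only helps against a rogue CA on the device; against malware that hooks the app's own TLS code it is no defence, which is why the instrumentation detection in the previous section still matters.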