Wei Li, senior researcher at the Cheetah Mobile Blockchain Research Lab, has issued the following warning about popular cryptocurrency wallets:
As the sole proof of your digital assets, it’s imperative that private keys are stored securely. Therefore, the only true test of a cryptocurrency wallet is its ability to keep your private keys safe. Cheetah Mobile’s Blockchain Research Lab recently released its 2018 Cryptocurrency Wallet Security White Paper. In it, we analyzed the security threats related to private key storage on mobile cryptocurrency wallets.
Main Wallet Security Research
If a wallet isn’t designed properly, users face the possibility of their private keys being lost or stolen. That puts their digital assets at risk of being stolen or otherwise lost. In our research, we discovered that two popular mobile wallets, Bitcoin Wallet and Jaxx Blockchain Wallet, both have huge security vulnerabilities.
Bitcoin Wallet is a popular digital wallet, with more than 500,000 installs and a strong reputation. However, as we took a closer look, we found that Bitcoin Wallet’s mnemonic phrases are stored in plain text under the app’s data directory, /data/data/com.bitcoin.mwallet, on the phone’s file system.
This means that Bitcoin Wallet completely relinquishes the job of protecting your digital assets to your device’s operating system. We all know that operating systems are extremely complicated and are full of security vulnerabilities. All it takes is exploiting one of these vulnerabilities for a hacker to steal your Bitcoin Wallet mnemonic phrases and private keys. For example, if your phone has an app installed that exploits a security vulnerability to gain ROOT access to your operating system, this app can immediately gain access to your mnemonic phrases, allowing hackers to steal your digital assets. Moreover, this can all be done behind the scenes without users ever knowing.
Even scarier, hackers can reach Bitcoin Wallet’s mnemonic phrases and private keys through the device’s operating system and quickly take your assets even if none of your apps has ROOT access. They just need to connect the charging port of your mobile handset to a hacker-controlled charging device. The entire process takes only a few minutes. Private keys that are stored on a user’s device must be securely encrypted. Even though it is one of the world’s most popular digital wallets, Bitcoin Wallet still does not properly store users’ private keys and has already exposed more than 500,000 users to security risks.
Jaxx is another well-known mobile cryptocurrency wallet, with a large number of features, including support for multiple types of currency, and a recently-added digital currency exchange platform, which allows users to convert between Bitcoin, Ether and ERC20 tokens within the wallet.
Examining Jaxx’s data backup mechanisms, we discovered major security vulnerabilities, even more serious than those found in Bitcoin Wallet. In fact, private keys stored in Jaxx can be stolen by hackers with very little effort.
All it takes is two steps to access private keys stored on Jaxx wallets:
- Get a hold of your private key data files
- Decrypt your private key data files
Jaxx Vulnerabilities Explained Step by Step
Step 1: Gain access to data files where the private keys are stored
There are two ways that hackers could get a hold of Jaxx’s private key data files:
- If a hacker gets a hold of your phone, he/she can use your Android system’s backup mechanisms, such as the adb backup command or the BackupManagerService API, to save your private key files onto an insecure device, such as a PC. This vulnerability exists because Jaxx’s development team neglected to turn off the “android:allowBackup” attribute in the app’s manifest. If this attribute is turned off, no backup of the application can ever be performed.
- Hackers can also exploit vulnerabilities in your operating system to bypass security barriers and gain access to your encrypted private key files.
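As an added example (not code from the white paper or from Jaxx), the following Node.js check reads a decoded AndroidManifest.xml and reports whether the android:allowBackup setting described above leaves app data open to backup. The manifests and the package name com.example.wallet are constructed, and the function name auditAllowBackup is hypothetical.

```javascript
// Added example: audit a decoded (text) AndroidManifest.xml for backup exposure.
// Android treats android:allowBackup as "true" when the attribute is absent.
function auditAllowBackup(manifestXml) {
  // Drop XML comments so a commented-out <application> tag is not matched.
  const xml = manifestXml.replace(/<!--[\s\S]*?-->/g, "");
  const app = xml.match(/<application\b([^>]*)>/);
  if (!app) return { status: "unknown", reason: "no <application> element" };
  const attr = app[1].match(/\bandroid:allowBackup\s*=\s*(["'])(.*?)\1/);
  if (!attr) return { status: "exposed", reason: "attribute absent, default is true" };
  const value = attr[2].trim().toLowerCase();
  if (value === "false") return { status: "disabled", reason: "backups turned off" };
  if (value === "true") return { status: "exposed", reason: "explicitly enabled" };
  // e.g. "@bool/allow_backup": the real value lives in a resource file.
  return { status: "unknown", reason: `resource reference ${attr[2]}, resolve it` };
}

// Constructed manifests (hypothetical package name), not taken from any real app.
const MANIFEST_DEFAULT = `<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application android:label="Wallet"></application>
</manifest>`;
const MANIFEST_HARDENED = MANIFEST_DEFAULT.replace(
  'android:label="Wallet"', 'android:label="Wallet" android:allowBackup="false"');
const MANIFEST_RESOURCE = MANIFEST_DEFAULT.replace(
  'android:label="Wallet"', 'android:label="Wallet" android:allowBackup="@bool/allow_backup"');

for (const [name, xml] of Object.entries({ MANIFEST_DEFAULT, MANIFEST_HARDENED, MANIFEST_RESOURCE })) {
  console.log(name, auditAllowBackup(xml));
}
```

A manifest that never mentions the attribute is reported as exposed, which is the case an audit most easily misses.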
Step 2: Decrypt the private key data files
Jaxx private key data files are encrypted using the AES encryption algorithm. If the length of the secret key satisfies certain conditions and the algorithm is executed properly, then an AES-encrypted file is essentially unbreakable. However, the Jaxx team has made a major mistake in how they executed the AES encryption by hard coding the AES encryption parameters directly into the app’s code, rather than randomly generating them according to safe practices.
Encrypted Private Keys in Danger
Once a hacker gets a hold of your encrypted private key data files, as well as their corresponding AES encryption parameters, they can easily exploit the AES encryption to decrypt your files and steal all the private keys stored in your wallet. Since Jaxx’s security system wasn’t designed using proper security protocols, its users are at serious risk of a data breach.
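The following added example (not code from Jaxx, Bitcoin Wallet or the white paper) contrasts the hard-coded AES parameters described above with one common safe construction, which also addresses the earlier requirement that keys stored on the device be securely encrypted. The CBC mode, the constants, the scrypt plus AES-256-GCM design and all function names are assumptions made for illustration.

```javascript
const nodeCrypto = require("crypto");

// Weak pattern: key and IV are constants shipped inside the app.
// Constructed values, not taken from any real wallet.
const HARDCODED_KEY = Buffer.from("0123456789abcdef0123456789abcdef", "utf8"); // 32 bytes
const HARDCODED_IV = Buffer.from("fedcba9876543210", "utf8");                  // 16 bytes

function weakEncrypt(mnemonic) {
  const c = nodeCrypto.createCipheriv("aes-256-cbc", HARDCODED_KEY, HARDCODED_IV);
  return Buffer.concat([c.update(mnemonic, "utf8"), c.final()]);
}

function weakDecrypt(blob) {
  // Needs nothing the user knows: the same constants ship in every install.
  const d = nodeCrypto.createDecipheriv("aes-256-cbc", HARDCODED_KEY, HARDCODED_IV);
  return Buffer.concat([d.update(blob), d.final()]).toString("utf8");
}

// Hardened pattern: key derived from a user passphrase with a random salt,
// fresh random nonce per encryption, authenticated mode (AES-256-GCM).
// Blob layout: salt(16) | nonce(12) | tag(16) | ciphertext
function strongEncrypt(mnemonic, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12);
  const key = nodeCrypto.scryptSync(passphrase, salt, 32);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const ct = Buffer.concat([c.update(mnemonic, "utf8"), c.final()]);
  return Buffer.concat([salt, nonce, c.getAuthTag(), ct]);
}

function strongDecrypt(blob, passphrase) {
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const key = nodeCrypto.scryptSync(passphrase, salt, 32);
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce);
  d.setAuthTag(tag);
  // final() throws if the passphrase is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(44)), d.final()]).toString("utf8");
}
```

With the hardened form, a copied data file is useless without the passphrase. On Android the key can additionally be protected by the platform's hardware-backed Keystore.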
We believe that the Bitcoin Wallet and Jaxx teams can quickly fix the security vulnerabilities pointed out in this article, but because so many private keys are currently at risk of being stolen, we encourage all users to immediately create addresses on a secure enhanced wallet, such as the security-focused SafeWallet released by Cheetah Mobile; transfer their assets to those new addresses; and cancel their old addresses completely. Only by taking these steps will they be able to ensure the safety of their assets.
For detailed information on the current state of mobile wallet security, read our 2018 Cryptocurrency Wallet Security White Paper.
The views expressed in this article belong to the author alone. Bitcoin Chaser is committed to publishing a rebuttal or update from both Jaxx and Bitcoin Wallet if either chooses to send us one.