Crypto Apps - Benchmark - Part 4 - Security

30 Aug 2022

Apps relative to crypto are very recent. We wanted to study those Apps to make an smart article about technical stacks & good practices.

This article is the last of this serie :

App Security

The security score is actually evaluated by checking 3 things :

  • detect “risky” files inside the app bundle (something human readable that might contains important informations)
  • detect bad security configuration
  • detect api keys/token easy to hijack
App Security Score
MetaMask - Blockchain Wallet 4.40
Coinbase: Buy Bitcoin & Ether 4.40
Crypto.com - Buy Bitcoin, ETH 4.10
CoinMarketCap 3.80
eToro Money 3.40
FTX (anciennement Blockfolio) 3.40
ZenGo: Crypto & Bitcoin Wallet 2.80
Binance: Buy Bitcoin & Crypto 2.10

A risk for you?

  • The risk can be detected for the End User, for example, if the security layer is removed of the HTTP exchange.
  • The risk can be on the Company side, for example, if some secrets are easy to discover just using the app binary like i did.

Risks due to the App configuration

Each Apps can adapt a very important security layer between the App and internet. In this section, we scan the Apps NSAppTransportSecurity configuration.

Only 2 Apps don’t modify this security layer

  • MetaMask - Blockchain Wallet
  • Crypto.com - Buy Bitcoin, ETH

The others Apps are reducing the App security using some parameters

  • NSAllowsArbitraryLoads : A Boolean value indicating whether App Transport Security restrictions are disabled for all network connections.
  • NSAllowsLocalNetworking : A Boolean value indicating whether to allow loading of local resources.
  • NSAllowsArbitraryLoadsInWebContent : A Boolean value indicating whether all App Transport Security restrictions are disabled for requests made from web views.
  • NSExceptionAllowsInsecureHTTPLoads : A Boolean value indicating whether to allow insecure HTTP loads.

Risky keys/values

Some places inside the App are protected and not easy to read (for exemple the executable element of the App). In a lot of Apps, we can detect some important keys/values not stored at the right place.

Only 3 Apps are not storing critical value in a low security environement

  • MetaMask - Blockchain Wallet
  • CoinMarketCap
  • FTX (anciennement Blockfolio)

Risky files

An package App is not so complicatd to get and to inspect. The packaging is not a good protection because an App package is just a zip file 🤯. AppScan analyse the entire content of the package :

  • Main bundle,
  • Each bundles,
  • Each librairies, frameworks,
  • All files in the App.

The idea is to detect files that can contains infomrations in a more or less readable format. All those files with extensions has been detected in the Apps.

  • .cer, .der, those files are certificates, probably to if the server is really the real server
  • .xml, .yml, data files, fully readdable, we can get lot of informations exploring them
  • .json, fully readdable, we can get lot of informations exploring them
  • .xcconfig, really not a normal place in an App … it’s a configuration file for Xcode
  • .md, .txt, text files … sometimes readMe, release notes, etc
  • .js, yes, some JS files can be very interesting and contains lot of data.

Conclusion

  • MetaMask is over the other, we only detect some .cer & .der files which can be usefull for security validation
  • Lot of Apps are exposing apiKeys & critical tokens inside readable sources (Info.plist for example)
  • Too much Apps are updating the NSAppTransportSecurity … this parameter reduce the App security
  • I would consider Apps to be more secure because alternatives create more data inside “readable” format (.json, .txt, .js, .yml). Those files can contains important data.