Solar Security Assesses the Safety of Mobile Cryptocurrency Wallets
Experts from Solar Security have evaluated the security of popular mobile applications designed for cryptocurrency transactions. The study was based on reports automatically generated using the Solar inCode solution, which employs static, dynamic, and interactive code analysis methods and can assess the security level of applications without access to their source code.
Research Overview
The experts examined ten of the most popular mobile wallet applications, each in two versions—for iOS and Android operating systems. Blockchain, Coinbase, Coins.ph, and Xapo for Android have each been downloaded over a million times, making them the most downloaded apps in their category. Copay, Mycelium, and Luno have been downloaded from Google Play over 500,000 times. In addition to these clear leaders, the study also included Airbitz, BitPay, and Bread wallets, which have not reached half a million downloads but are actively recommended by users on specialized forums and by IT publication editors.
Key Findings
The research showed that the average security level of Android and iOS applications is roughly equal and above the industry average. However, it’s important to note that the security level can vary even between different versions of the same app on different platforms. For example, Mycelium for Android contains significantly more known potential vulnerabilities than Mycelium for iOS, while BitPay and Copay are better used on Android devices.
The top three most secure wallets for Android were Bread, BitPay/Copay, and Luno. Among iOS apps, the leaders were Bread, Mycelium, and Blockchain. The lowest overall score was recorded by the Xapo app. The only wallet to show excellent results in both comparisons was Bread.
Common Vulnerabilities
Among the most frequently found vulnerabilities in wallets, researchers highlighted insecure SSL implementation. This allows an attacker to provide a self-signed certificate and carry out a Man-in-the-Middle attack. This vulnerability is easy to exploit, for example, when a victim uses public Wi-Fi.
The second most common issue was the use of weak encryption and hashing algorithms. For instance, hash functions like MD2, MD5, and SHA1 have known vulnerabilities. Finding collisions for MD2 and MD5 does not require significant resources; a similar task has even been solved for the more robust SHA1. If these functions are used to store sensitive information (such as passwords), its confidentiality can be compromised.
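As an added illustration (not Solar inCode's logic and not code from any of the wallets), the following simplified static scanner shows how both findings above are typically spotted in decompiled Android source: a trust manager whose checkServerTrusted body is empty, a permissive hostname verifier, and MessageDigest calls selecting MD2, MD5 or SHA-1. The source fragments are constructed samples; the rule names are assumptions.

```python
import re

# Constructed sample fragments resembling decompiled Android (Java) source.
# The pinned-client fragment is included as a clean control case.
SAMPLE_SOURCES = {
    "net/TrustAll.java": """
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }
        HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    """,
    "crypto/Pin.java": """
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(pin.getBytes());
    """,
    "net/Pinned.java": """
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add("api.example.com", "sha256/PLACEHOLDER_PIN=").build();
        MessageDigest md = MessageDigest.getInstance("SHA-256");
    """,
}

# Hypothetical rule set: (rule id, pattern). A real analyzer also follows
# data flow; these regexes only catch the textbook patterns.
RULES = [
    ("insecure-ssl: empty checkServerTrusted",
     re.compile(r"checkServerTrusted\([^)]*\)\s*\{\s*\}")),
    ("insecure-ssl: permissive hostname verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("weak-hash: MD2/MD5/SHA-1",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD2|MD5|SHA-?1)"\s*\)')),
]

def scan(sources):
    """Return sorted (path, line, rule id) tuples for every rule match."""
    findings = []
    for path, text in sources.items():
        for rule_id, pattern in RULES:
            for match in pattern.finditer(text):
                line = text[:match.start()].count("\n") + 1
                findings.append((path, line, rule_id))
    return sorted(findings)

if __name__ == "__main__":
    for path, line, rule_id in scan(SAMPLE_SOURCES):
        print(f"{path}:{line}: {rule_id}")
```

Only the two weak fragments produce findings; the control file using certificate pinning and SHA-256 is reported clean.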
Successful exploitation of these vulnerabilities can lead to the compromise of logins, passwords, and all traffic passing through the application. In practice, this puts users at risk of wallet hacking and cryptocurrency theft.
Expert Recommendations
Solar Security analysts note that not all identified vulnerabilities are equally easy to exploit. However, in the experts’ opinion, applications dealing with currencies cannot afford to ignore any potential issues.