Apps relative to crypto are very recent.
We wanted to study those Apps to make an smart article about technical stacks & good practices.
This article is the last of this serie :
The security score is actually evaluated by checking 3 things :
- detect “risky” files inside the app bundle (something human readable that might contains important informations)
- detect bad security configuration
- detect api keys/token easy to hijack
|MetaMask - Blockchain Wallet||4.40|
|Coinbase: Buy Bitcoin & Ether||4.40|
|Crypto.com - Buy Bitcoin, ETH||4.10|
|FTX (anciennement Blockfolio)||3.40|
|ZenGo: Crypto & Bitcoin Wallet||2.80|
|Binance: Buy Bitcoin & Crypto||2.10|
A risk for you?
- The risk can be detected for the End User, for example, if the security layer is removed of the HTTP exchange.
- The risk can be on the Company side, for example, if some secrets are easy to discover just using the app binary like i did.
Risks due to the App configuration
Each Apps can adapt a very important security layer between the App and internet.
In this section, we scan the Apps NSAppTransportSecurity configuration.
Only 2 Apps don’t modify this security layer
- MetaMask - Blockchain Wallet
- Crypto.com - Buy Bitcoin, ETH
The others Apps are reducing the App security using some parameters
- NSAllowsArbitraryLoads : A Boolean value indicating whether App Transport Security restrictions are disabled for all network connections.
- NSAllowsLocalNetworking : A Boolean value indicating whether to allow loading of local resources.
- NSAllowsArbitraryLoadsInWebContent : A Boolean value indicating whether all App Transport Security restrictions are disabled for requests made from web views.
- NSExceptionAllowsInsecureHTTPLoads : A Boolean value indicating whether to allow insecure HTTP loads.
Some places inside the App are protected and not easy to read (for exemple the executable element of the App).
In a lot of Apps, we can detect some important keys/values not stored at the right place.
Only 3 Apps are not storing critical value in a low security environement
- MetaMask - Blockchain Wallet
- FTX (anciennement Blockfolio)
An package App is not so complicatd to get and to inspect.
The packaging is not a good protection because an App package is just a zip file 🤯.
AppScan analyse the entire content of the package :
- Main bundle,
- Each bundles,
- Each librairies, frameworks,
- All files in the App.
The idea is to detect files that can contains infomrations in a more or less readable format.
All those files with extensions has been detected in the Apps.
- .cer, .der, those files are certificates, probably to if the server is really the real server
- .xml, .yml, data files, fully readdable, we can get lot of informations exploring them
- .json, fully readdable, we can get lot of informations exploring them
- .xcconfig, really not a normal place in an App … it’s a configuration file for Xcode
- .md, .txt, text files … sometimes readMe, release notes, etc
- .js, yes, some JS files can be very interesting and contains lot of data.
- MetaMask is over the other, we only detect some .cer & .der files which can be usefull for security validation
- Lot of Apps are exposing apiKeys & critical tokens inside readable sources (Info.plist for example)
- Too much Apps are updating the NSAppTransportSecurity … this parameter reduce the App security
- I would consider Apps to be more secure because alternatives create more data inside “readable” format (.json, .txt, .js, .yml). Those files can contains important data.