Why Mobile App Security Matters to Crypto Digital Wallet Developers
Willie Sutton reportedly was once asked why he robbed banks. “Because that’s where the money is!” was his supposed answer. In a little over 10 years since the unassuming launch of Bitcoin in 2009, cryptocurrencies have become mainstream currencies. So now threat actors also target digital wallets because, using Willie’s words, that’s where the cryptocurrencies are.
Global brands like Walmart, Home Depot, and Starbucks accept payments with cryptos. Financial services corporations like Visa and Mastercard are about to manage digital payments with cryptocurrencies. Recently, Google signed a partnership with Coinbase, one of the biggest cryptocurrency trading platforms, to allow its cloud services customers to pay with cryptocurrencies in 2023. With great growth come opportunities and threats.
In this blog, you will learn more about the rising adoption of digital wallets, their usage with cryptocurrencies, and the need for mobile app security on crypto digital wallets.
Digital wallets explained
In 2011, the Mobey Forum, a group of like-minded individuals from banks and solution providers that discuss the future of financial services, provided the following visionary definition: "A Mobile Wallet is functionality on a mobile device that can securely interact with digitized valuables".
Today digital wallets are key mobile apps that are integral to our life. According to Forbes, 32% of mobile users have 3 or more digital wallets on their phones, including Apple Pay® and Google Pay®. Millennials and Gen Z are even more active, with up to 9 mobile wallets. The 2021 FIS Global Payments Report (GPR) forecasts that by 2024 digital wallet payment volume will increase by an additional 38.2% over 2020 levels to account for 40.5%.
Digital wallets on mobile phones are used to store our credit card credentials, bank account details, and even digital passports and driving licenses. We “open” our mobile wallet for digital payments, to manage our financial life, and to certify our identity, for instance at the airport or to access online public services. Due to their widespread adoption, banks, financial institutions, and other fintech companies continue to add functionality to enhance digital wallet services, spanning from managing any kind of ticket and service card up to monitoring our carbon footprint while buying services and goods.
With cryptocurrencies specifically, a digital wallet consists of a set of public addresses and private keys. Public addresses are like bank account numbers: anyone can deposit cryptocurrency to a public address, just as anyone can wire money to a bank account. On the other hand, cryptos cannot be withdrawn from an address without the corresponding private key, just as “real money” can’t be withdrawn from an ATM if you don’t have your card with you. This is distinct from the blockchain or ledger, which keeps track of all transactions and holdings for a specific currency.
Frequent security threats faced by mobile digital wallets
The private key in a crypto digital wallet represents the final control and ownership of the cryptocurrency. It is crucial to keep it secure by preventing it from being lost or compromised, just as we should with a physical Visa, Mastercard, or Amex card. If attackers are able to steal or spoof private keys, they can steal crypto funds by withdrawing them from victims’ wallets or executing other fraudulent transactions.
There is also the constant threat of attackers trying to steal personally identifiable information (PII) or user credentials. These can be traded on the Dark Web or used to perform further sophisticated and targeted attacks to get access to a digital wallet. Once an app is released for general use, its publisher doesn’t have much control over the user’s device.
Attackers regularly attempt to take advantage of rooted mobile devices to access information they would not normally be able to reach, or to exploit vulnerabilities inadvertently left in the software by developers.
Common attacks against mobile crypto digital wallets
Threat actors can steal private keys by lifting data from the phone’s memory. This could be done using malware unintentionally installed on a mobile device through a phishing attack or by downloading unrelated software. The malware could have keylogging capability or use overlay attacks to target digital wallet apps and steal private keys.
Threat actors may also use modified apps. These may look exactly like the real ones but have had some of their functionality changed, for example by substituting the attacker’s wallet for that of the intended recipient in a financial transaction.
Mobile apps have server access keys. As a recent report showed, these access credentials are often stored as easily readable strings within the mobile app. Even if the keys are encrypted, if the code is not obfuscated attackers can use decompilers, debuggers, and other tools to reverse engineer the mobile app, detect the moment the keys are decrypted, and steal them.
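A minimal version of the check such a report relies on, as an added example that is not the blog’s or Guardsquare’s code: it opens a built APK (a zip file), pulls out printable strings the way a `strings` dump or a decompiler would, and flags those that carry a secret-like name or a long high-entropy token. The APK entries, names, and key values are constructed for this example and are not real credentials.

```python
import io
import math
import re
import zipfile

# Printable ASCII runs of 8+ bytes: the same view `strings` or a decompiler gives.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# A secret-like name directly followed by a delimiter, then long opaque tokens scored by entropy.
KEYWORD = re.compile(r"(?i)(api[_-]?key|secret|token|password|private[_-]?key)\s*[=:>\"']")
TOKEN = re.compile(r"[A-Za-z0-9_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; English words sit well below this

def shannon_entropy(text: str) -> float:
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def classify(text: str) -> list:
    """Reasons a printable string looks like an embedded credential ([] if clean)."""
    reasons = []
    if KEYWORD.search(text):
        reasons.append("secret-like name")
    if any(shannon_entropy(t) >= ENTROPY_THRESHOLD for t in TOKEN.findall(text)):
        reasons.append("high-entropy token")
    return reasons

def scan_apk_bytes(apk_bytes: bytes) -> list:
    """Walk every entry of the APK (a zip) and return (path, string, reasons) hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            for run in PRINTABLE_RUN.findall(apk.read(name)):
                text = run.decode("ascii")
                reasons = classify(text)
                if reasons:
                    findings.append((name, text, reasons))
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in for a built APK; every value here is made up for the example."""
    files = {
        "classes.dex": b"dex\n035\x00https://api.wallet.example/v1\x00apiKey=Zx9Qp7Lm1Kw3Yb6Nd0Rt2Vs5\x00",
        "res/values/strings.xml": b'<string name="server_token">abcdefghijklmnopqrstuvwxyz012345</string>',
        "assets/notes.txt": b"nothing secret here, just release notes",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for path, data in files.items():
            apk.writestr(path, data)
    return buf.getvalue()
```

Run `scan_apk_bytes(open("app-release.apk", "rb").read())` against a real build in CI; the release-notes entry shows that a keyword alone (here “secret” in prose) is not enough to trigger a finding.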
Another attack is credential harvesting. Threat actors could modify the legitimate digital wallet app by injecting malicious code that sends data to the attacker during customer onboarding. The app is then repackaged and distributed on the web to harvest the PII of real users on a large scale.
Spoofing is also a threat. A modified app could accept identification data, like passport images, from external, untrusted sources. Moreover, a threat actor can modify the app to enable the upload of fake images by directly accessing the server API whose keys have not been properly obfuscated in the app code. A cybercriminal could then use a digital wallet to make cryptocurrency transactions while hiding their identity, to get around local authorities’ regulations or to trade illegal goods and services with a further layer of anonymity.
How mobile app developers can protect crypto digital wallets from attackers
When bad actors steal cryptocurrency or personal data, or when an app vulnerability is discovered by a security researcher, the negative press often hits the app publisher hard: significant media attention, loss of customer trust and customer churn, and possibly further financial losses due to legal action or fines from regulatory bodies. There are definite actions that app developers can take to mitigate the threat. Mobile app security should be a focus throughout the development process.
To start with, you cannot develop a plan if you don’t understand the potential threat landscape. Just as developers create a software architecture prior to development, they also need to design a threat model and security architecture as part of it. There are two key aspects to mobile app security: vulnerabilities present in the software that an attacker might exploit directly, and the risk that an attacker gains critical insights into the operation of the app through reverse engineering.
AppSweep is a mobile app security testing tool that can detect vulnerabilities in an app before attackers can. Developers can routinely scan the software implementing or accessing the digital wallets for vulnerabilities and remediate them before releasing the app in the market.
Guardsquare’s DexGuard and iXGuard solutions fortify digital wallet apps with multiple layers of obfuscation and runtime application self-protection (RASP) checks. Obfuscation makes it harder for attackers to perform static analysis to find, for instance, keys that would give them access to server endpoints. RASP checks allow developers to protect their apps from dynamic analysis, which is used to tamper with digital wallets while they are running. This mitigates the risk of data being lifted from memory or phone storage.
Finally, once the mobile app implementing the digital wallet is released to the market, ThreatCast, which is analogous to crash and performance monitoring tools, enables developers to gain insight into the runtime environments of their apps. Developers get real-time information that can be used to detect potential threats and the areas of the code being targeted, which in turn helps determine the areas that may have vulnerabilities and require mitigation. You can scan your mobile app code for vulnerabilities for free using AppSweep.
Please reach out to us to further discuss how Guardsquare can help secure your digital wallet.