Why Mobile App Security Matters to Crypto Digital Wallet Developers
Willie Sutton reportedly was once asked why he robbed banks. “Because that’s where the money is!” was his supposed answer. In a little over 10 years since the unassuming launch of Bitcoin in 2009, cryptocurrencies have become mainstream currencies. So now threat actors also target digital wallets because, using Willie’s words, that’s where the cryptocurrencies are.
Global brands like Walmart, Home Depot, and Starbucks accept payments in cryptocurrencies. Financial services corporations like Visa and Mastercard are about to manage digital payments with cryptocurrencies. Recently, Google signed a partnership with Coinbase, one of the biggest cryptocurrency trading platforms, to allow its cloud services customers to pay with cryptocurrencies in 2023. With great growth come opportunities and threats.
In this blog, you will learn more about the rising adoption of digital wallets, their usage with cryptocurrencies, and the need for mobile app security on crypto digital wallets.
Digital wallets explained
In 2011, the Mobey Forum, a group of like-minded individuals from banks and solution providers discussing the future of financial services, provided the following visionary definition: "A Mobile Wallet is functionality on a mobile device that can securely interact with digitized valuables."
Today, digital wallets are key mobile apps that are integral to our daily lives. Millennials and Gen Z are even more active users, with up to nine mobile wallets apiece.
Digital wallets on mobile phones are used to store our credit card credentials, bank account details, and even digital passports and driving licenses. We “open” our mobile wallet to make digital payments, manage our financial life, and prove our identity, for instance at the airport or when accessing online public services. Because of this widespread adoption, banks, financial institutions, and other fintech companies keep adding functionality to their digital wallet services, ranging from managing tickets and service cards of every kind to monitoring our carbon footprint as we buy goods and services.
With cryptocurrencies specifically, a digital wallet consists of a set of public addresses and private keys. Public addresses are like bank account numbers: anyone can deposit cryptocurrency to a public address, just as anyone can wire money to a bank account. On the other hand, cryptocurrency cannot be withdrawn from an address without the corresponding private key, just as cash can’t be withdrawn from an ATM without your card. The wallet is distinct from the blockchain, or ledger, which keeps track of all transactions and holdings for a specific currency.
Frequent security threats faced by mobile digital wallets
The private key in a crypto digital wallet represents final control and ownership of the cryptocurrency. It is crucial to keep it from being lost or compromised, just as we do with a physical Visa, Mastercard, or Amex card. If attackers are able to steal or spoof private keys, they can drain victims’ wallets or execute other fraudulent transactions.
There is also the constant threat of attackers trying to steal personally identifiable information (PII) or user credentials. These can be traded on the Dark Web or used in further sophisticated, targeted attacks to gain access to a digital wallet. Once an app is released for general use, its publisher has little control over the user’s device.
Attackers regularly attempt to take advantage of rooted mobile devices to reach information they would not otherwise be able to access, or to exploit vulnerabilities that developers inadvertently left in the software.
Common attacks against mobile crypto digital wallets
Threat actors can steal private keys by lifting data from the phone’s memory. This can be done with malware that the user unintentionally installed through a phishing attack or alongside unrelated software. The malware may include keylogging capability or use overlay attacks to target digital wallet apps and capture private keys.
Threat actors may also use modified apps. These may look exactly like the real ones but have had some of their functionality changed, for example substituting the attacker’s wallet address for that of the intended recipient in a transaction.
Mobile apps hold server access keys. As a recent report showed, these access credentials are often stored as easily readable strings within the mobile app. Even if the keys are encrypted, if the code is not obfuscated attackers can use decompilers, debuggers, and other tools to reverse engineer the mobile app, detect the moment the keys are decrypted, and steal them.
Another attack is credential harvesting. Threat actors can modify the legitimate digital wallet app by injecting malicious code that sends data to the attacker during customer onboarding. The app is then repackaged and distributed on the web to harvest the PII of real users at scale.
Spoofing is also a threat. A modified app could accept identification data, such as passport images, from external, untrusted sources. Moreover, a threat actor can modify the app to upload fake images by calling the server API directly when its keys have not been properly obfuscated in the app code. A cybercriminal could then use the digital wallet to make cryptocurrency transactions while hiding their identity, evading local regulations or trading illegal goods and services behind a further layer of anonymity.
Recommendations for security professionals & mobile app developers
The theft of cryptocurrency funds or PII by bad actors, or the discovery of app vulnerabilities by a security researcher, can generate significant media attention, loss of customer trust, and possible legal and regulatory action. There are actions app developers can take to mitigate these threats. Mobile app security should be a focus throughout the development process.
To start, developers must understand the potential threat landscape in order to build the best security strategy. Just as they create a software architecture prior to development, they also need to design a threat model and security architecture as part of their software planning process. There are two key aspects to mobile app security: vulnerabilities present in the software that an attacker might exploit directly, and the critical insights into the app’s operation that an attacker might gain through reverse engineering. To address vulnerabilities and hinder reverse engineering, developers should:
- Build continuous testing into their development process. Utilize mobile app security testing tools to detect vulnerabilities in an app before attackers can. Routinely scan the software implementing or accessing the digital wallets for vulnerabilities and remediate them before releasing the app in the market.
- Implement obfuscation and runtime application self-protection (RASP). To fortify digital wallet apps, use multiple layers of code obfuscation and runtime application self-protection checks. Obfuscation makes it harder for attackers to perform static analysis to find, for instance, keys that would give them access to server endpoints. RASP checks allow developers to protect their apps from dynamic analysis, which attackers use to tamper with digital wallets while they are running. This mitigates the risk of lifting data from memory or phone storage.
- Integrate threat monitoring and feedback mechanisms. When the mobile app implementing the digital wallet is released to the market, integrate monitoring and feedback tools that provide real-time insights into the runtime environment of the app. These tools act as a kind of security feedback loop, analogous to crash and performance monitoring tools, and can help developers detect potential threats and the areas of code being targeted. This information can be used to pinpoint vulnerabilities and determine required mitigations.
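As an added example (not part of the original post), the Python below ties the earlier point about access keys stored as readable strings to the recommendation to scan builds before release. It pulls printable runs out of a compiled artifact the way the `strings` utility does, then flags likely hardcoded credentials by keyword or by the high entropy typical of key material, so that a build pipeline can fail the release rather than let an attacker find the keys first. The binary blob, the keyword patterns and the thresholds are constructed for this demonstration and are assumptions, not any vendor's tooling.

```python
# Added example (not from the original post): a pre-release scan for
# hardcoded secrets in a compiled artifact. Sample blob is constructed inline.
import math
import re
import string

MIN_LEN = 8
# Printable ASCII plus space; other whitespace terminates a string run
_PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Keyword patterns for the usual suspects, plus PEM private-key headers
# (heuristics chosen for this example; tune for your own code base)
SECRET_PATTERNS = [
    re.compile(r"(?i)(api[_-]?key|secret|token|passw(or)?d)\s*[=:]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]
# Character set typical of hex / base64 / base64url-encoded key material
_KEYCHARS = re.compile(r"[A-Za-z0-9+/=_-]+")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return runs of at least `min_len` printable bytes, like `strings -n`."""
    found, run = [], bytearray()
    for byte in blob + b"\x00":  # sentinel flushes the final run
        if byte in _PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def shannon_entropy(s: str) -> float:
    """Bits per character: random key material scores high, prose scores low."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(blob: bytes, min_entropy: float = 4.0, min_key_len: int = 24) -> list:
    """Return (reason, string) pairs that deserve a human look before release."""
    findings = []
    for s in extract_strings(blob):
        if any(p.search(s) for p in SECRET_PATTERNS):
            findings.append(("keyword", s))
        elif len(s) >= min_key_len and _KEYCHARS.fullmatch(s) and shannon_entropy(s) >= min_entropy:
            findings.append(("high-entropy", s))
    return findings


# Constructed stand-in for a compiled app: a fake header, benign strings, and
# three planted secrets. Every value here is invented for the example.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8)
    + b"Welcome to your wallet\x00"
    + b"https://api.example.com/v1/wallets\x00"
    + b"WALLET_API_KEY=9f2c7e1ab0d4\x00"
    + bytes(4)
    + b"Qx7LmP2vR9kT4nW8yB3cF6hJ1dG5sZ0a\x00"
    + b"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"
    + b"-----BEGIN EC PRIVATE KEY-----\x00"
)

if __name__ == "__main__":
    for reason, value in find_secrets(SAMPLE_BLOB):
        print(f"[{reason}] {value}")
```

Run against `SAMPLE_BLOB`, the scan reports the keyword-tagged API key, the 32-character high-entropy string and the PEM header, while the URL, the greeting and the repeated-character string pass. A clean result does not mean the keys are safe once the app ships, which is where the obfuscation and RASP layers in the list above come in; it means the cheapest attack, reading them straight out of the binary, no longer works.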
Do you want to learn more about testing, protecting and monitoring your mobile crypto wallets? Connect with a Guardsquare expert today.