At Cheetah Mobile, we take security very seriously. As cryptocurrencies become more popular and mainstream, we want consumers to be aware of the security risks, and to be adequately prepared to address them. In that vein, our Blockchain Research Lab recently released its 2018 Cryptocurrency Wallet Security White Paper, where we looked at the most popular mobile cryptocurrency wallets and assessed the security threats relating to their storage of private keys.
This matters because a private key is what authorizes spending from an address: whoever holds the key controls the coins, so the key is, in effect, the asset itself. That is why it is so important that keys are stored securely, in a wallet that puts several safeguards between the key material and anyone who gets hold of the device. A wallet that has not been designed with security in mind leaves users' keys, and therefore their funds, exposed to loss or theft.
In the course of our research, we found that two of the most popular mobile wallets, Bitcoin Wallet and Jaxx Blockchain Wallet, had significant security vulnerabilities that put users at risk.
Let's first take a closer look at the former. Bitcoin Wallet is relatively popular amongst the cryptocurrency community, with almost 2 million wallets created thus far and a fairly solid reputation. But when we examined how the app stores its data, we were surprised to find that the mnemonic phrase (the list of words from which a wallet's private keys are derived, and therefore everything needed to spend its funds) is written in plain text into the app's private data directory, /data/data/com.bitcoin.mwallet. That directory is guarded only by Android's per-app sandbox; the wallet adds no encryption of its own on top of it.
What does this mean? It means the wallet does not protect your digital assets itself; it delegates that job entirely to the phone's operating system, and mobile operating systems have a long record of privilege-escalation vulnerabilities. An attacker who wants your bitcoin needs only one of those vulnerabilities, or a rooted device, to reach past the sandbox and read your mnemonic phrase and private keys straight off the disk. Given how many apps most of us install, all it takes is one malicious download carrying such an exploit, and the theft can happen without you ever noticing.
Even more frightening, an attacker might not need to go through an app on your phone at all. Connecting the phone's charging port to a charging device they control can give them access to the phone's data over the same cable, and with it the stored phrase; you could lose all of your assets in a matter of minutes. This path depends on the phone exposing a data connection to whatever it is plugged into (for example when USB debugging is enabled and the connection is authorized) rather than only drawing a charge, which is one more reason never to plug a phone into a charger you do not trust.
Needless to say, this is a security risk that users both current and future should be aware of - and one that the developers of Bitcoin Wallet should be taking care to correct as soon as possible.
Jaxx Wallet is another popular mobile cryptocurrency wallet. Unlike Bitcoin Wallet, Jaxx offers a number of different features, including a digital currency exchange which facilitates conversions between several types of cryptocurrencies, as well as the ability to manage several different types of currency.
We then took the same deep dive into Jaxx to see whether its security measures held up better than Bitcoin Wallet's. Looking at its data-backup mechanisms, we found major vulnerabilities, more serious than those discovered in Bitcoin Wallet. An attacker looking to steal private keys can do so in two steps: 1) obtain the private key data files, and 2) decrypt them.
For whatever reason, Jaxx's development team did not turn off Android's application-data backup option for the app (the android:allowBackup setting in the app's manifest, which is on unless explicitly disabled), so the app and the files it stores are included in backups. This means that, should an attacker get hands-on access to your phone (and your phone is an Android), they can use the phone's own backup mechanism to copy the private key files onto another device, for example over a USB debugging connection, without needing any exploit at all. And, as with Bitcoin Wallet, they could also use existing vulnerabilities in the phone's operating system to bypass the sandbox and reach the files directly.
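The check an auditor would run for this finding is to decode the APK's AndroidManifest.xml (with apktool or aapt) and look at what the application element says about backups. The following is an added example written for this post, not Jaxx's manifest or code: it takes decoded manifest text, reports the effective allowBackup setting (treating an absent attribute as enabled, which is Android's default), flags android:debuggable as well, and runs over three constructed manifests with a hypothetical package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_backup_settings(manifest_xml):
    """Report whether an app's private files can leave the sandbox via backup.

    Takes decoded AndroidManifest.xml text (the binary manifest inside an APK
    must be decoded first, e.g. with apktool). Returns the effective setting,
    where it came from, and a list of findings.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml document")
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    raw = _android_attr(app, "allowBackup")
    if raw is None:
        # Android's documented default: backup is allowed unless explicitly disabled.
        allow_backup, source = True, "default (attribute absent)"
    else:
        allow_backup, source = raw.strip().lower() == "true", "explicit"

    debuggable = (_android_attr(app, "debuggable") or "false").strip().lower() == "true"

    findings = []
    if allow_backup:
        findings.append(
            "android:allowBackup is enabled (%s): the app's /data/data files, "
            "including any key files, can be exported with 'adb backup' or cloud backup" % source
        )
    if debuggable:
        findings.append(
            "android:debuggable is true: 'run-as <package>' from a USB-debugging shell "
            "can read the app's private directory"
        )
    return {
        "package": root.get("package"),
        "allow_backup": allow_backup,
        "allow_backup_source": source,
        "debuggable": debuggable,
        "findings": findings,
    }


# Constructed sample manifests with a hypothetical package name (not any real wallet's).
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallet">
    <application android:label="Wallet" android:allowBackup="true" />
</manifest>"""

# Same manifest with the attribute left out entirely: Android treats it as enabled.
SILENT_MANIFEST = WEAK_MANIFEST.replace(' android:allowBackup="true"', "")

# The corrected setting.
HARDENED_MANIFEST = WEAK_MANIFEST.replace('allowBackup="true"', 'allowBackup="false"')


if __name__ == "__main__":
    for name, text in [("weak", WEAK_MANIFEST), ("silent", SILENT_MANIFEST), ("hardened", HARDENED_MANIFEST)]:
        report = audit_backup_settings(text)
        print(name, report["allow_backup"], report["allow_backup_source"])
        for finding in report["findings"]:
            print("  -", finding)
```

The "silent" case is the one that catches teams out: leaving the attribute out is not the same as turning backups off, so a manifest that never mentions allowBackup ships with the weak behaviour.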
The other mistake made by the Jaxx team was to hard-code the parameters used to encrypt the private key files (the key material, or the fixed constants it is derived from) directly into the app's code, instead of deriving the key from a secret only the user holds together with a randomly generated salt. Hard-coded values are not secret: anyone can extract them by decompiling the APK. So an attacker who obtains the encrypted files, by the backup route above or any other, already has everything needed to decrypt them and recover the private keys stored in the wallet. As a result, anyone using Jaxx's mobile wallet is seriously exposed to having their keys stolen.
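To make the difference between the two findings concrete, here is an added example, written for this post and not taken from either wallet's code, that models all three storage designs side by side: plain-text storage as described for Bitcoin Wallet, encryption under constants that ship inside the app as described for Jaxx, and encryption under a key derived from a user passphrase with a fresh random salt. The attacker modelled is the one in the text: they hold the stored file (say, pulled from a backup) and the app binary with all of its constants. To stay standard-library only, the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standing in for AES-GCM; the app constants, the mnemonic and the guess list are all constructed for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, SALT_LEN, TAG_LEN = 16, 16, 32
KDF_ITERATIONS = 100_000

# Constructed sample phrase; not a real wallet's mnemonic.
MNEMONIC = b"abandon ability able about above absent absorb abstract absurd abuse access accident"

# Hypothetical app constants standing in for the hard-coded parameters the text
# describes. Anyone who decompiles the app has these.
HARDCODED_SECRET = b"wallet-app-constant-v1"
HARDCODED_SALT = b"\x00" * SALT_LEN


def _subkey(key, label):
    """Derive independent subkeys for encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stands in for AES to keep this stdlib-only."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC. Layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def derive_key(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS)


# --- the three storage designs ---------------------------------------------

def store_plaintext(mnemonic):
    """Bitcoin Wallet's design as the text describes it: the file is the phrase."""
    return mnemonic


def store_hardcoded(mnemonic):
    """Jaxx's design as the text describes it: encrypted, but every input to the
    key lives in the app binary, so the file is only as secret as the APK."""
    return seal(derive_key(HARDCODED_SECRET, HARDCODED_SALT), mnemonic)


def store_passphrase(mnemonic, passphrase):
    """Key derived from a secret only the user holds, with a fresh random salt
    stored alongside the ciphertext. Layout: salt || sealed blob."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + seal(derive_key(passphrase, salt), mnemonic)


def unlock_passphrase(stored, passphrase):
    salt, blob = stored[:SALT_LEN], stored[SALT_LEN:]
    return open_sealed(derive_key(passphrase, salt), blob)


# --- the attacker from the text: holds the file and the decompiled app --------

def attacker_recovers(stored, design, guesses=(b"123456", b"password", b"wallet")):
    """Return the mnemonic if the attacker can get it, else None."""
    if design == "plaintext":
        return stored
    if design == "hardcoded":
        return open_sealed(derive_key(HARDCODED_SECRET, HARDCODED_SALT), stored)
    if design == "passphrase":
        # KDF and salt are known; only the passphrase is missing, so the attacker
        # is reduced to guessing it. A weak passphrase still falls.
        for guess in guesses:
            try:
                return unlock_passphrase(stored, guess)
            except ValueError:
                continue
        return None
    raise ValueError("unknown design")
```

The third design is only as strong as the passphrase: the example's guess list recovers a mnemonic locked with "123456" just as easily as the hard-coded case, which is why a slow KDF and a passphrase the user actually chooses both matter, and why keeping the file out of backups in the first place remains the stronger control.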
What this shows is that even the most popular, most widely used mobile wallets put their users' keys at risk. That said, the issues we've highlighted here are straightforward for the Bitcoin Wallet and Jaxx teams to fix: encrypt stored key material under a secret the user holds, and keep it out of backups. In the meantime, users who are concerned that their keys may already be exposed would do well to create a new wallet in a more secure app, transfer their assets to its addresses, and stop using the old seed, since an address whose key may have leaked cannot be cancelled, only abandoned. After all, it's better to be safe than sorry.
If you're interested in finding out more on the current state of mobile wallet security, read our 2018 Cryptocurrency Wallet Security White Paper.