Cryptostake, a non-custodial, high-reward staking service for proof-of-stake blockchains such as Ethereum, Polkadot, and Cosmos, entrusted Hacken with an independent security assessment of its mobile applications: the non-custodial wallets for iOS and Android.
Following Hacken’s thorough mobile penetration test, Cryptostake Wallets received the maximum score of 10/10. Let’s take a closer look.
Penetration Testing Overview
Cryptostake’s non-custodial mobile app gives users complete control over their private keys, so robust security measures are needed to protect against breaches. Recognizing how critical it is to safeguard user autonomy and asset security, Cryptostake approached Hacken for a thorough security assessment. In the assessment, we used active exploitation techniques to benchmark the apps’ security against industry best practices and evaluate their robustness.
The penetration test ran for a month, from September 23 to October 23, 2023, and followed a gray-box methodology covering intelligence gathering, service detection, vulnerability analysis, and business logic flow assessment. The assessment was comprehensive, mapping the application’s code against industry standards and applying international methodologies such as OWASP’s.
The primary objectives were to identify technical and functional vulnerabilities, estimate their severity, model probable attack vectors, and provide a prioritized list of recommendations.
Key Findings and Impact Analysis
We identified no critical-, high-, or medium-severity issues threatening the system. The only vulnerabilities found were of low severity and affected only the Android app; the iOS app contained no issues. The Cryptostake team has since taken the Android app offline to introduce the recommended fixes.
Low-severity issues, classified with a CVSS score of 0.1 to 3.9, are vulnerabilities that may be easy to exploit but grant an attacker only minimal access. Their impact on system security is comparatively low because the access they provide is restricted.
The low-severity issues in the Cryptostake Android app were: the app could run on rooted and jailbroken devices; password brute-forcing protection could be bypassed; biometric access could be bypassed; invalidation upon biometric enrollment was not handled properly; third-party keyboards were allowed; sensitive data could be exposed through screenshots; logout procedures were insufficient; and there were cryptography issues related to hardcoded values.
Here’s a more detailed breakdown:
The app could be launched on rooted or jailbroken devices, putting sensitive user data at risk. To mitigate this, Hacken recommended implementing root and jailbreak detection using tools such as Google’s SafetyNet Attestation API, specialized libraries, or custom checks.
Time-based brute-force protection could be bypassed by changing the device’s system time, which allowed unlimited login attempts. The recommendation was to enforce time-based restrictions using an independent, secure time source.
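To illustrate the clock dependence behind this finding, here is an added Python example (not Cryptostake’s or Hacken’s code) that simulates a login lockout guard fed by two time sources: a settable device wall clock, which the user can move forward to end the lockout early, and the process monotonic clock, which wall-clock edits do not touch. The DeviceClock class, LoginGuard, and the lockout policy values are constructed for the illustration.

```python
import time

MAX_ATTEMPTS = 3        # constructed policy values for the illustration
LOCKOUT_SECONDS = 30.0


class DeviceClock:
    """Constructed stand-in for the device wall clock, which the device owner can set freely."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def set_forward(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    """After MAX_ATTEMPTS failures, refuses logins until LOCKOUT_SECONDS have elapsed
    according to `clock`, the time source the guard trusts."""

    def __init__(self, clock) -> None:
        self.clock, self.failures, self.locked_until = clock, 0, None

    def can_attempt(self) -> bool:
        return self.locked_until is None or self.clock() >= self.locked_until

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.failures, self.locked_until = 0, self.clock() + LOCKOUT_SECONDS


def lockout_survives_clock_change(clock, wall_clock: DeviceClock) -> bool:
    """Trigger a lockout, then move the wall clock past the window; True if still locked."""
    guard = LoginGuard(clock)
    for _ in range(MAX_ATTEMPTS):
        guard.record_failure()
    wall_clock.set_forward(LOCKOUT_SECONDS)  # the user advances the system time in settings
    return not guard.can_attempt()


def demo() -> tuple:
    """Returns (wall-clock guard still locked?, monotonic guard still locked?)."""
    wall = DeviceClock()
    vulnerable = lockout_survives_clock_change(wall, wall)          # False: lockout bypassed
    # time.monotonic() ignores wall-clock edits. It restarts at reboot, so also persist the
    # failure count, or use a server- or NTP-backed time, for a complete mitigation.
    hardened = lockout_survives_clock_change(time.monotonic, wall)  # True: still locked
    return vulnerable, hardened
```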
Biometric authentication was found to be event-bound and bypassable, risking leaks of sensitive information. Hacken advised strengthening it by incorporating cryptography into the biometric authentication workflow: using CryptoObject for cryptographic operations and access-control flags such as kSecAccessControlTouchIDAny to protect keychain items.
Insufficient logout controls meant sessions were not properly invalidated, which could lead to unauthorized access. Proper session management, with session invalidation or expiration upon logout, was recommended.
The application’s code contained development comments indicating missing security functionality and potential weaknesses. Hacken suggested removing all development information and debugging messages from the production app before deployment.
The app supported an outdated SDK version with multiple unfixed vulnerabilities. It was advised to set a minimum SDK version that restricts the app to devices that still receive security patches or are still supported.
Third-party keyboards allowed within the app could leak personally identifiable information. Hacken recommended using the native keyboard for entering sensitive data and informing users about the possible risks.
iOS takes a screenshot of an app when it goes into the background, which could expose sensitive data. Blurring the screen during app switching was suggested as a countermeasure.
A hardcoded salt in password hashing made it possible to precompute rainbow tables for brute-force attacks. Using a robust password-hashing algorithm such as scrypt, bcrypt, or PBKDF2 was recommended instead of hardcoded cryptographic primitives.
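As an added illustration of the hardcoded-salt finding (example code, not the app’s or Hacken’s), the Python below contrasts a hash with a static, app-wide salt, under which every user who picks the same password stores the same value, with PBKDF2-HMAC-SHA256 over a random per-user salt and a stored work factor. The static salt constant, iteration count, and sample password are constructed values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a salt baked into the app binary; the real value is not on the page.
STATIC_SALT = b"app-wide-fixed-salt"
PBKDF2_ITERATIONS = 600_000   # constructed; an OWASP-level work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """Vulnerable pattern: one fixed salt for every user, so a single table precomputed
    for STATIC_SALT covers every user's stored hash at once."""
    return hashlib.sha256(STATIC_SALT + password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Hardened pattern: PBKDF2-HMAC-SHA256 with a fresh random salt per user.
    Returns a self-describing record 'salt_hex$iterations$digest_hex'."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive using the salt and iteration count stored in the record; constant-time compare."""
    salt_hex, iterations, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_same_record(hasher, password: str) -> bool:
    """True if two users choosing the same password end up with identical stored values."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("static salt collides:", same_password_same_record(weak_hash, pw))        # True
    print("per-user salt collides:", same_password_same_record(hash_password, pw))  # False
    rec = hash_password(pw)
    print("verify:", verify_password(pw, rec), "wrong password:", verify_password(pw + "x", rec))
```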
The security assessment concluded with Hacken rating Cryptostake Wallets a perfect 10 out of 10. This high score reflects system robustness and resilience.
The assessment found only low-severity and informational issues, indicating no direct path for an external attacker to fully compromise the system. Cryptostake has since taken the Android app offline for upgrades, while no issues were found in the iOS app.
This finding matters to Cryptostake’s users, who engage in self-custodial crypto staking and must place high trust in the platform’s security.
Cryptostake’s proactive engagement of Hacken for thorough mobile penetration testing underscores its commitment to providing a secure and reliable staking service. Given the recent high-profile Ledger hack, regular security assessments of crypto wallets are vital in a landscape where threats constantly evolve, and they help ensure that platforms like Cryptostake can continue to offer safe and uninterrupted services to their users.