"Crypto wallets security. For developers", Julia Potapenko
0 likes193 views
The document discusses cryptocurrency wallet security, emphasizing the importance of protecting sensitive data and user education. It outlines various wallet types, authentication methods, and security best practices for developers to implement. Additionally, it highlights the critical role of application security over blockchain security and offers helpful resources for improving wallet security.
![Useful links
[Article] Crypto wallets security as seen by security engineers:
https://www.cossacklabs.com/blog/crypto-wallets-security/
[Article] Security of React Native libraries: the bad, the worse and the ugly:
https://www.cossacklabs.com/blog/react-native-libraries-security/
[Article] React Native security: things to keep in mind:
https://www.cossacklabs.com/blog/react-native-app-security/
[Slides] Why can’t developers make it secure:
https://speakerdeck.com/julep/why-cant-developers-make-it-secure](https://image.slidesharecdn.com/2022-02-22fwdays-cryptowalletssecurity-220223144835/95/Crypto-wallets-security-For-developers-Julia-Potapenko-44-638.jpg)
"Crypto wallets security. For developers", Julia Potapenko
- 1. Crypto Wallets Security for developers Julia Potapenko
- 2. Security Software Engineer Julia Potapenko @julepka We help companies to protect their sensitive and valuable data. OWASP Zhytomyr Leader. Contributor to OWASP security standards and guides. Women Who Code Kyiv Director
- 3. OWASP Open Web Application Security Project A nonpro f it foundation that works to improve the security of software OWASP Top 10 OWASP ASVS OWASP WSTG OWASP MASVS/MSTG https://owasp.org/www-project-mobile-security-testing-guide/ https://owasp.org/www-project-application-security-veri f ication-standard/ https://owasp.org/www-project-web-security-testing-guide/ https://owasp.org/www-project-top-ten/
- 4. Today we will talks about #cryptocurrency_wallets #sensitive_assets #authentication #local_storage #platform #cryptography #dependencies_management
- 5. How does it work? Your account = your seed / private key Loosing seed / private key = loosing the account Wallet gives access to several accounts The main challenge is to secure seed / private keys
- 6. Cryptocurrency wallet types Custodial third-party storage Non-custodial user-controled
- 7. Cryptocurrency wallet types Custodial third-party storage Non-custodial user-controled Hot online Cold of f line
- 8. https://www.wired.com/story/hack-binance-cryptocurrency-exchange/ Why should devs care?
- 12. https://www.theverge.com/2022/1/24/22898712/crypto- hardware-wallet-hacking-lost-bitcoin-ethereum-nft https://www.wired.com/story/hack-binance-cryptocurrency-exchange/ https://www.bbc.com/news/technology-59549606 https://www.theverge.com/2021/11/4/22763015/cryptocurrency- fake-wallet-phishing-scam-google-ads-phantom-metamask Why should devs care? It is not about blockchain security. It is about application security and user education
- 13. Cryptocurrency wallet types Custodial third-party storage Non-custodial user-controled Hot online Cold of f line
- 15. Similar to banking apps, cryptocurrency wallets operate user funds, meaning security baseline should be nearly the same.
- 16. Similar to banking apps, cryptocurrency wallets operate user funds, meaning security baseline should be nearly the same. Threat vectors considerations • Authentication • Local storage • Platform trust • Cryptography • Communication • User education • Supply chain
- 17. User Authentication LOCAL VS REMOTE If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. No sensitive data should be stored locally on the mobile device. Instead, data should be retrieved from a remote endpoint when needed and only be kept in memory. If sensitive data is still required to be stored locally, it should be encrypted using a key derived from hardware backed storage which requires authentication. – OWASP MASVS 4.1, 2.11, 2.12
- 18. User Authentication LOCAL VS REMOTE If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. No sensitive data should be stored locally on the mobile device. Instead, data should be retrieved from a remote endpoint when needed and only be kept in memory. If sensitive data is still required to be stored locally, it should be encrypted using a key derived from hardware backed storage which requires authentication. – OWASP MASVS 4.1, 2.11, 2.12 But what about deanonymisation? Non-custodial wallets are usually fat clients
- 19. Password policy Password rotation when leaked Defences against brute-force attacks Step-up authentication Biometry veri f ication User Authentication
- 20. Know your platform What kind of storage should be used to deliver the best security guarantees?
- 21. Know your platform What kind of storage should be used to deliver the best security guarantees? Is it a f ile? Can you steal it? Can other apps access it? What about integrity? And Encryption?
- 22. Know your platform What kind of storage should be used to deliver the best security guarantees? Is it a f ile? Can you steal it? Can other apps access it? What about integrity? And Encryption? It is a developer’s responsibility to know how the storage works on the platform you use.
- 23. 000003.log is a storage f ile of web-extension. You can copy it from one browser and paste into another. Know your platform
- 24. Objection tool that allows to access Keychain of the device, no jailbreak required Know your platform
- 25. Cryptography How to encrypt the data with a password?
- 26. Cryptography How to encrypt the data with a password? You decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256.
- 27. Cryptography How to encrypt the data with a password? You decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function)
- 28. Cryptography How to encrypt the data with a password? You decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function) Your pick PBKDF2. You need to specify number of rounds for it. Similar to some example in the Internet you pick 2 000.
- 29. Cryptography How to encrypt the data with a password? You decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function) Your pick PBKDF2. You need to specify number of rounds for it. Similar to some example in the Internet you pick 2 000. 310 000
- 30. Cryptography How to encrypt the data with a password? You decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function) Your pick PBKDF2. You need to specify number of rounds for it. Similar to some example in the Internet you pick 2 000. 310 000 CBC or GCM mode? Random IV? … ? ? ?
- 31. Cryptography How to encrypt the data with a password? You decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function) Your pick PBKDF2. You need to specify number of rounds for it. Similar to some example in the Internet you pick 2 000. 310 000 CBC or GCM mode? Random IV? … ? ? ? Don’t roll your own crypto Use Themis https://github.com/cossacklabs/themis Use libsodium
- 32. Cryptography Comes from mvayngrib/react-native-crypto library… that uses react-native-randombytes library… that uses Stanford Javascript Crypto Library (SJCL) for synchronous random values generation. React Native mobile app example
- 33. Cryptography Comes from mvayngrib/react-native-crypto library… that uses react-native-randombytes library… that uses Stanford Javascript Crypto Library (SJCL) for synchronous random values generation. SJCL random values generator relies on mouse movements and keyboard listeners. React Native mobile app example
- 34. Supply chain
- 35. Supply chain
- 36. Supply chain
- 37. Supply chain
- 38. Supply chain
- 39. How to identify a good library Looks alive Built for required platform Easy to use, hard to misuse Covered with tests Documentation Secure Performance Licence
- 40. https://snyk.io/advisor/npm-package/ react-native-sensitive-info How to identify a good library
- 41. Useful tools Automate and add to PRs SonarQube Snyk Dependabot
- 42. Useful tools Automate and add to PRs SonarQube Snyk Dependabot SAST (Static Application Security Testing): https://owasp.org/www-community/ Source_Code_Analysis_Tools DAST (Dynamic Application Security Testing): https://owasp.org/www-community/ Vulnerability_Scanning_Tools
- 43. User is a single point of failure Non-custodial wallets security is the user responsibility.
- 44. Useful links [Article] Crypto wallets security as seen by security engineers: https://www.cossacklabs.com/blog/crypto-wallets-security/ [Article] Security of React Native libraries: the bad, the worse and the ugly: https://www.cossacklabs.com/blog/react-native-libraries-security/ [Article] React Native security: things to keep in mind: https://www.cossacklabs.com/blog/react-native-app-security/ [Slides] Why can’t developers make it secure: https://speakerdeck.com/julep/why-cant-developers-make-it-secure
- 45. Thank you! Follow me on Twitter @julepka