Security Threats to Mobile Crypto Apps and How to Protect Them

The last year has not been great for crypto. Most cryptocurrencies, including Bitcoin, experienced a significant loss of value, and we saw high-profile exchanges like FTX collapse. In addition, hackers were actively stealing cryptocurrency. The blockchain company Chainalysis calculated that $3.8bn was stolen by hackers in 2022.

Despite all this bad news, it looks like cryptocurrency is here to stay. According to Crunchbase, there are thousands of companies that have “crypto” as a key element of their business. Most of these have deployed mobile apps, and unfortunately we know that mobile apps, by their very nature, present multiple attack surfaces to hackers. Crypto seems to have drawn the attention of hackers as a particularly attractive target.

What are the risks for crypto and what steps should crypto companies take to protect their mobile apps in particular from hackers? 

Aren’t Crypto Apps just Finance Apps?

Finance apps are of course already a target for hackers because they present the opportunity to directly divert funds and steal money. But there are some reasons why crypto apps are even more exposed than, for example, a banking app. The stakes are even higher because of the emerging nature of the business of crypto.

Why Security is Even More Critical for Crypto Apps 

Why are crypto apps even more exposed than traditional finance apps? The risks posed by cryptocurrency apps and wallets being hacked can vary, but here are some specific risks:

  • Loss of Funds: If a cryptocurrency app or wallet is hacked, there is a significant risk of losing the funds stored within it. Hackers can gain unauthorized access to your wallet's private keys or seed phrases, allowing them to transfer your cryptocurrencies to their own wallets.
  • Irreversibility of Transactions: Cryptocurrency transactions are typically irreversible. Once a hacker transfers your funds out of your compromised wallet, it can be challenging or impossible to recover them. Unlike traditional financial systems, there is no central authority or regulatory body to reverse or refund fraudulent transactions.
  • Privacy Breach: Cryptocurrency wallets often contain sensitive information, such as transaction history and wallet addresses. If a wallet or app is hacked, your private information may be exposed, compromising your privacy and potentially leading to identity theft or targeted phishing attacks.
  • Malicious Code Execution: Hackers may inject malicious code into cryptocurrency apps or wallets, allowing them to gain control over your device or manipulate the transactions you make. This can lead to unauthorized transfers, account takeovers, or other forms of fraudulent activity.
  • Phishing and Social Engineering Attacks: Hackers may create fake cryptocurrency apps or wallets that mimic legitimate ones to deceive users into entering their private keys or seed phrases. This information can then be used to access and steal your funds. Additionally, hackers might employ social engineering techniques, such as sending phishing emails or messages, to trick users into revealing their wallet credentials.
  • Exchange Account Compromise: Some cryptocurrency wallets are integrated with cryptocurrency exchanges. If a hacker gains access to your wallet, they may also attempt to compromise your linked exchange account, potentially leading to further financial losses.
  • Vulnerabilities in the App or Wallet Software: Cryptocurrency apps and wallets may have vulnerabilities in their software code that can be exploited by hackers. These vulnerabilities can range from insecure encryption methods to software bugs, making it easier for attackers to compromise the wallet and gain unauthorized access.

Consumers Beware 

To mitigate these risks, it is crucial for individuals accessing crypto apps to adopt strong basic security practices, such as using reputable and regularly updated wallet apps, enabling two-factor authentication, keeping the software you use up to date, using hardware wallets for enhanced security, and always being on alert to any phishing attempts and suspicious links or downloads.

But App Owners Must Prioritize Security

The companies that deploy crypto apps also have a responsibility to protect the apps they create, and they need to worry about the very specific attack surfaces presented by mobile apps. The good news is that these attack surfaces can be protected effectively.

  • App and Device Attestation: As mentioned, one of the critical techniques employed by hackers is to clone or copy apps in order to imitate genuine apps, either to steal user authentication data directly or to extract information from backend systems by mimicking genuine apps. The core functionality of Approov makes sure that only a genuine app is accessing APIs and backend systems, and any attempted access by modified apps, scripts and bots is blocked. This disables one of the key attack methods used by hackers.
  • Man-in-the-Middle Attacks: A major threat for mobile apps is MitM attacks since these can be carried out by hacking the mobile device the app is running on. A hacker intercepts the traffic in the communication channel and can inject new commands. Approov implements dynamic certificate pinning, which secures the communications channel completely, but does it in a way that service continuity can always be ensured, even when certificates are updated. 
  • Hacking the client environment: Another hacker technique is to tamper with the mobile client environment in order to interfere with the operation of the app, steal data or change its logic. Jailbroken iOS devices or rooted Android devices pose considerable risk, as enhanced privileges allow more advanced hacking tools to run that compromise your app. There is a wide range of reverse engineering and function hooking tools available for both iOS and Android. You must get visibility and control of the client environment to protect against such attacks. Approov, for example, detects if your app is running on jailbroken or rooted devices, detecting Frida, Xposed, Cydia, as well as being able to see if debuggers, emulators or cloners are running on the device.
  • Runtime Secrets Management: Mobile crypto apps need to access public and private APIs to do their job and will need to use API keys to access these APIs. If you carelessly expose these API keys, hackers will ruthlessly exploit them to imitate your app and access the APIs for nefarious purposes. You must therefore endeavor to keep API keys and other secrets out of your mobile code. Fortunately there are ways to have these delivered securely and just-in-time to the app when needed, and only if the app passes attestation tests. For example, Approov securely manages API keys for you and delivers them to your app only when needed and only when safe.
  • Dynamic Security Policy Management: Security may need tuning, but that shouldn't be hard to manage. You will need tools that provide the devops team with runtime visibility and dynamic control over security policies. As an example, Approov supports the devops team with the implementation of highly granular security policies which can be updated instantly over-the-air.
  • API Data Breach Mitigation: Finally, if hackers do get their hands on your keys and secrets (e.g. from a cloud repository), your APIs can be exposed to attack. You need a mitigation plan for if (or when) this happens so that your service is not interrupted as you rotate keys. Approov allows you to rotate keys and certificates without having to update deployed apps. You can be confident that no matter what happens you can keep your apps running and secure.
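
The attestation and runtime-secrets bullets above both depend on a backend check: the API key is handed out only to a caller that presents a valid, short-lived attestation token. The sketch below is an added example, not Approov's code or API; the token format (an HS256 JWT with an `exp` claim), the secret, the key and every function name are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions); real ones live in a server-side secret store.
ATTESTATION_SECRET = b"constructed-demo-secret"
UPSTREAM_API_KEY = "constructed-demo-api-key"

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint_token(claims, secret=ATTESTATION_SECRET):
    """Stand-in for the attestation service: issue claims as an HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(sign(signing_input, secret))

def verify_token(token, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Fix the algorithm server-side; a token must not pick its own (e.g. "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = sign(f"{header_b64}.{body_b64}", ATTESTATION_SECRET)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    # A missing or past expiry is a failure: tokens are short-lived by design.
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None
    return claims

def release_api_key(token, now=None):
    """Deliver the upstream API key only to a caller with a valid attestation token."""
    if verify_token(token, now) is None:
        return 401, None
    return 200, UPSTREAM_API_KEY
```

Because the signing secret exists only on the attestation service and the backend, a cloned or modified app cannot mint a token that passes this check, and a captured token stops working once `exp` has passed.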

Final Thoughts

In the ever-evolving landscape of cybersecurity, safeguarding crypto apps and ensuring the protection of sensitive data has become a top priority. The combination of runtime secrets protection, Runtime Application Self-Protection (RASP), dynamic certificate pinning, and app attestation offers a powerful arsenal of tools for fortifying crypto apps against malicious threats and unauthorized access to APIs. Putting in place these protections will deliver a comprehensive defense strategy, and create a formidable fortress against cyber threats.

By embracing these cutting-edge security practices, crypto app developers demonstrate their commitment to safeguarding user assets, instilling confidence among customers, and upholding the integrity of the entire crypto ecosystem. In a world where digital trust is paramount, adopting these advanced security measures is not just an option; it's a necessity to thrive in the competitive and high-stakes landscape of crypto applications. Together, let's fortify the foundations of trust, security, and resilience, ensuring that crypto apps remain safe havens for users' digital assets.

 

George McGregor

- VP Marketing, Approov
George is based in the Bay Area and has an extensive background in cyber-security, cloud services and communications software. Before joining Approov he held leadership positions in Imperva, Citrix, Juniper Networks and HP.