A computer science engineer at Michigan State University has advice for the millions of Bitcoin owners who use smartphone apps to manage their cryptocurrency: don't do it. Or at least be careful. Researchers at Michigan State University are developing a mobile application that will protect popular but vulnerable wallet apps used to manage cryptocurrencies.
“More and more people are using Bitcoin wallet applications on their smartphones,” said Guan-Hua Tu, an assistant professor in the MSU College of Engineering who works in the Department of Computer Science and Engineering. “But there are vulnerabilities in these applications.”
Smartphone wallet apps make it easy to buy and trade cryptocurrency, a relatively new form of digital currency that is hard to understand in almost every way except one: it is very valuable. Bitcoin was the most valuable cryptocurrency at the time of writing, with a single Bitcoin worth over $55,000.
But Tu and his team are discovering vulnerabilities that could jeopardize a user's money and personal information. The good news is that the team is also helping users protect themselves, by raising awareness of these security issues and by developing an application that addresses the vulnerabilities.
The researchers present this application, Bitcoin Security Rectifier, in a paper published at the Association for Computing Machinery's Conference on Data and Application Security and Privacy. In terms of raising awareness, Tu wants wallet users to understand that these applications can make them vulnerable by violating one of Bitcoin's central tenets: decentralization.
Bitcoin is a currency that is not tied to a central bank or government. There is also no central computer server that stores all the information about Bitcoin accounts, such as who owns how much.
“There are some applications that violate this principle of decentralization,” Tu said. “Applications are developed by third parties. And they can let their wallet app connect to their proprietary server, which then connects to Bitcoin.”
Basically, such an app introduces an intermediary that Bitcoin does not use by design. Users are often unaware of this, and app developers do not necessarily disclose it.
“Based on the results of our user study, more than 90% of users do not know whether their wallet violates this decentralized design principle,” Tu said. And if an application violates this principle, it can pose a serious security threat to the user. For example, it could open the door for an unscrupulous app developer to simply take a user's bitcoin.
Tu said the best way to stay safe is not to use a smartphone wallet app from an untrustworthy developer. Instead, he encourages users to manage their bitcoin on a computer rather than a smartphone, and to use the resources found on the official Bitcoin website, bitcoin.org. For example, the site can help users make informed decisions about wallet apps.
But even wallets developed by reputable sources may not be completely secure, and this is where the new app comes in.
Most smartphone software is written in the Java programming language. Bitcoin wallet applications use a Java code library known as bitcoinj, pronounced “bitcoin jay”. The library itself has vulnerabilities that cybercriminals can exploit, as the team demonstrated in its recent paper.
These attacks can have a wide variety of consequences, including the compromise of a user's personal information. For example, they can help an attacker identify all the Bitcoin addresses a wallet user has used to send or receive bitcoin. Attacks can also flood the user's phone with unwanted data, draining the battery and potentially running up high phone bills.
Tu's app is designed to run on the same phone as the wallet, alongside it, where it monitors for signs of such intrusions. According to Tu, the app warns users that an attack is occurring and provides remedies based on the type of attack. For example, the app can add “noise” to outgoing Bitcoin messages to prevent a thief from obtaining accurate information.
“The goal is that you can download our tool and get rid of these attacks,” Tu said.
The team is currently developing the app for Android phones and plans to make it available for download on the Google Play store in the coming months. There is no timetable yet for an iPhone version because of additional iOS-related issues and limitations, Tu said.
Meanwhile, Tu stressed that the best way to protect yourself from an insecure smartphone Bitcoin wallet is simply not to use it if the developer is not trusted.
“The main point I want to share is that if you are not familiar with your smartphone wallet applications, it is best not to use them, as any developer, malicious or conscientious, can upload their wallet applications to Google Play or the Apple App Store,” he said.
Michigan State University professor Li Xiao and Ph.D. students Yiwen Hu and Xihan Wang, all from the Department of Computer Science and Engineering, also participated in this project. This work was funded in part by the National Science Foundation.