Cheetah Mobile Blockchain Research Lab found that Bitcoin Wallet stores mnemonic phrases in plain text within the “/data/data/com.bitcoin.mwallet” file on the phone’s operating system, where they can easily be read by an attacker. The lab also discovered major security vulnerabilities in Jaxx’s data backup mechanisms: private keys stored on Jaxx version can be stolen with very little effort by obtaining Jaxx’s private key data files and decrypting them.
“If a wallet isn’t designed properly, users face the possibility of their private keys being lost or stolen,” said Wei Li, senior researcher at the Cheetah Mobile Blockchain Research Lab. “We believe it’s important to issue this warning so that users can understand the risks of using certain wallets and protect their digital assets.”
Bitcoin Wallet and Jaxx Blockchain Wallet vulnerabilities explained:
| Product name | Bitcoin Wallet |
| Installs | 500,000 - 1,000,000 |
| Vulnerable file MD5 | 3FFB26365DD0F6231A373A5F17B51922 |
Bitcoin Wallet stores mnemonic phrases in plain text on the phone’s operating system. This is a very unsafe practice: operating systems are extremely complex and contain security vulnerabilities that can be exploited. For example, certain apps are able to bypass security barriers and gain root access to the phone. If a user installs one of these apps, an attacker can read Bitcoin Wallet’s mnemonic phrases.
An attacker does not even need root access to exploit operating system vulnerabilities and reach Bitcoin Wallet’s mnemonic phrases and private keys. A user who simply connects the phone’s charging port to an attacker-controlled device has already put their assets at risk of being stolen.
Jaxx Blockchain Wallet
| Product name | Jaxx Blockchain Wallet |
| Installs | 100,000 - 500,000 |
| Vulnerable file MD5 | E661651173E149250553E219CABB0596 |
Stealing digital assets stored on Jaxx requires a simple two-step process: acquiring the private key data files and decrypting them. There are two ways that an attacker can acquire Jaxx’s private key data files:
1. If an attacker gets hold of a user’s phone, they can use Android’s backup mechanisms, such as the adb backup command or the BackupManagerService API, to copy the user’s private key files onto an insecure device such as a PC. This vulnerability exists because Jaxx’s development team neglected to turn off the “android:allowBackup” attribute on the app’s back end.
Decrypting the private key data files is the second step. Jaxx’s private key data files are encrypted with AES. If the key is of sufficient length and the algorithm is implemented properly, an AES-encrypted file is essentially unbreakable. However, the Jaxx team made a major mistake by hard-coding the AES encryption parameters directly into the app’s code, rather than generating them randomly as safe practice requires.
Once an attacker has the encrypted private key data files together with the corresponding AES encryption parameters, they can easily decrypt the files and steal every private key stored in the wallet. Because Jaxx’s security system was not designed according to proper security practices, its users are at serious risk of a data breach.
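The two Jaxx findings above, shown as an added illustration rather than code from Jaxx or Bitcoin Wallet: the weak pattern (AES key and IV as constants in the APK) next to a hardened one (a key generated inside the Android Keystore, which is never present in the APK and is not exported by adb backup). The key bytes, the keystore alias and the class name are constructed for this example; the companion manifest fix is `android:allowBackup="false"` on the `<application>` element of AndroidManifest.xml.

```java
// Added illustration, not the wallets' own code. Pairs with the manifest fix
// <application android:allowBackup="false" ...>, which blocks adb backup export.
import java.security.KeyStore;
import javax.crypto.*;
import javax.crypto.spec.*;
import android.security.keystore.*;

public final class WalletKeyStorage {
    // WEAK (the pattern the report describes): key and IV are constants in the
    // APK, so anyone holding the backed-up data files can read them from the app.
    private static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes(); // constructed
    private static final byte[] HARDCODED_IV  = "fedcba9876543210".getBytes(); // constructed

    static byte[] encryptWeak(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"),
               new IvParameterSpec(HARDCODED_IV));
        return c.doFinal(plaintext);
    }

    // HARDENED: 256-bit AES key generated inside the Android Keystore. The key
    // material is not in the APK, cannot be exported, and is not part of a backup.
    private static final String ALIAS = "wallet-seed-key"; // assumed alias

    static SecretKey keystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256).build());
        return kg.generateKey();
    }

    // The keystore picks a fresh random IV per encryption; output layout is
    // 12-byte IV || ciphertext || 16-byte GCM tag. The IV need not be secret.
    static byte[] encryptHardened(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keystoreKey());
        byte[] iv = c.getIV(), ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
}
```

Decryption reads the first 12 bytes back as `new GCMParameterSpec(128, blob, 0, 12)` and passes the rest to `doFinal`; a wallet built this way leaks nothing useful even if its data directory is copied off the device.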
For users who hold digital assets in either of these wallets, Cheetah Mobile Blockchain Research Lab recommends transferring them immediately to a secure wallet such as SafeWallet, developed by Cheetah Mobile. SafeWallet has an innovative three-tiered security defense system and an easy-to-use interface that lets users secure and manage their cryptocurrency assets safely and conveniently.
Cheetah Mobile Blockchain Research Lab has notified both Jaxx and Bitcoin Wallet of its findings.
For detailed information on the current state of mobile wallet security, read our 2018 Cryptocurrency Wallet Security White Paper.
About Cheetah Mobile
Cheetah Mobile is a leading mobile internet company with strong global vision. It has attracted hundreds of millions of monthly active users through its mobile utilities products such as Clean Master and Cheetah Keyboard, casual games such as Piano Tiles 2, and its live streaming product Live.me. The Company provides its advertising customers, which include direct advertisers and mobile advertising networks through which advertisers place their advertisements, with direct access to highly targeted mobile users and global promotional channels. Cheetah Mobile is committed to leveraging its cutting-edge artificial intelligence technologies to power its products and make the world smarter. It has been listed on the New York Stock Exchange since May 2014.