Mobile Threat Monday: The Good and Bad of Android Bitcoin Apps
Bitcoin, the cryptocurrency, burst onto the scene in 2009 and has continued to grab headlines. The digital currency has attracted a lot of attention, for good and bad reasons, mostly because of its speculative value and its reputation for anonymity. This week, Appthority takes a look at the state of Bitcoin on Android, focusing on two apps currently available in the Google Play store.
Bitcoin on Android
Writing for Appthority, Chief Architect and Co-Founder Kevin Watkins explained that Android Bitcoin apps are both better and worse than you might expect. The apps fell into two broad categories: wallets, for holding and spending your bitcoins, and mining apps, which purport to earn you bitcoins.
Watkins found that the wallet applications on Google Play were derived from the Bitcoin wallet source code available on GitHub. 'For the most part, there was little in the way of risky behaviors, likely due to the scrutiny and transparency of the app,' said Watkins. Score one for open-source development!
However, Watkins also said that all the mining apps Appthority tested 'failed to function entirely.' That is hardly surprising: though spending bitcoins can be as seamless as handing over cash, earning them by mining means competing against the whole network's hashing power, to which a phone's CPU contributes nothing meaningful.
'The landscape of Bitcoin apps on Google Play can be confusing, with the quality of bitcoin apps running the gamut from poor to excellent,' Watkins told SecurityWatch. 'The Appthority Service discovered sketchy apps, apps that didn't work at all, and some apps that were junk apps existing only to serve up adware.'
Coinbase - Bitcoin Wallet
The Coinbase app says that it lets you 'securely buy, use, and accept bitcoin.' The app also claims 'bank level security' and offers sending bitcoins by QR code and NFC without transaction fees.
Appthority noted that Coinbase has a few things going for it. The app does secure logins with an encrypted connection, for example. When you log in, the app obtains an OAuth access token that expires after two hours, plus a refresh token for obtaining new ones. But while the tokens are encrypted in transit, both are stored in plain text on the Android device, where any process that can read the app's private storage, as on a rooted or otherwise compromised device, can lift them.
Secure storage seemed to be a broader issue for the app, as Appthority discovered that Coinbase stored other sensitive information without encryption. For example, the optional PIN used to lock the app is stored on the device with neither obfuscation nor encryption, so the same access that exposes the tokens also exposes the PIN.
'While this level of security is better than most, it's typical for banking apps to have a much smaller expiration window for tokens and some sort of obfuscation for the OAuth tokens,' Watkins told SecurityWatch. 'Otherwise, if the mobile device gets compromised, the tokens can be obtained and used to login and make transactions as the user without user and password authentication.'
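The token and PIN storage problem described above, as an added example (not Appthority's analysis tooling and not Coinbase's own code): a Python script that reads a constructed shared_prefs file the way anyone with access to the app's private directory can, flags the credentials sitting in the clear, checks whether a lifted access token is still inside its expiry window, and shows the PIN kept as a salted PBKDF2 hash instead of in plain text. The file contents, preference key names and expiry timestamp are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed stand-in for an app's shared_prefs XML (Android writes
# /data/data/<package>/shared_prefs/<name>.xml in this shape). The key
# names and values are assumed for this example, not from any real app.
PLAINTEXT_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="access_token">example-access-token-abc123</string>
    <string name="refresh_token">example-refresh-token-def456</string>
    <long name="access_token_expires" value="1380007200" />
    <string name="pin">4821</string>
</map>
"""

SECRET_KEY_HINTS = ("token", "pin", "password", "secret")


def read_prefs(prefs_xml):
    """Parse a shared_prefs file: string entries carry their value as text,
    numeric entries carry it in a 'value' attribute."""
    prefs = {}
    for entry in ET.fromstring(prefs_xml.encode("utf-8")):
        name = entry.get("name")
        if entry.tag == "string":
            prefs[name] = entry.text or ""
        elif entry.get("value") is not None:
            prefs[name] = int(entry.get("value"))
    return prefs


def secrets_in_clear(prefs):
    """Names of string-valued entries that look like credentials stored as-is."""
    return sorted(
        name for name, value in prefs.items()
        if isinstance(value, str)
        and any(hint in name.lower() for hint in SECRET_KEY_HINTS)
    )


def access_token_usable(prefs, now):
    """A lifted access token is replayable until it expires; the refresh
    token beside it has no expiry entry at all in this constructed file."""
    return now < prefs["access_token_expires"]


def store_pin(pin, iterations=100_000):
    """Keep a salted PBKDF2-HMAC-SHA256 hash of the PIN rather than the PIN
    itself (an added mitigation, not something the article says the app does)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_pin(candidate, stored):
    """Recompute with the stored salt and compare in constant time; any
    malformed record is treated as a failed check rather than an exception."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    except ValueError:
        return False


if __name__ == "__main__":
    prefs = read_prefs(PLAINTEXT_PREFS)
    print("stored in clear:", secrets_in_clear(prefs))
    print("access token usable at 1380000000?", access_token_usable(prefs, 1380000000))
    record = store_pin(prefs["pin"])
    print("hashed PIN record:", record)
    print("verify 4821:", verify_pin("4821", record), "/ verify 0000:", verify_pin("0000", record))
```

Hashing only keeps the PIN itself off the disk: a four-digit space is 10,000 guesses, so an attacker who copies the record can still brute-force it offline in seconds, and the tokens next to it are usable as-is until they expire. That is why the practical answer on Android is a short token lifetime, encryption of anything persisted with a key that lives in the hardware-backed keystore, and not persisting the refresh token unprotected at all.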
Bitcoin Tapper
While Coinbase is a tool to manage cryptocash, Bitcoin Tapper claimed to actually earn you money. 'Earn FREE Bitcoins by tapping on the Bitcoin every day,' crows the app's description in Google Play. In my experience, any time the word 'free' is in all-caps, it's a sign something strange is going on.
Appthority's analysis revealed that actually earning bitcoins was a little more difficult. Users can tap to earn a fraction of a bitcoin (0.000085, in fact) once every 24 hours. Even if you keep at it for a long time, the app throws another curve ball by only allowing you to 'pay out' once you reach 0.02 bitcoins. That could take an awfully long time: about 235 days of daily tapping, to be exact.
Bitcoin Tapper does seem to be earning money, but not for the would-be Android bitcoin barons. Appthority concludes that the app is little more than a 'spam app that uses the bitcoin name and branding to serve up ads.' This would explain why the app requires access to information that has nothing to do with bitcoins, like your current location, which is useful for ad targeting but not for paying out bitcoins.
Staying Safe With Bitcoins
Bitcoins are a fascinating, if challenging, subject, and on Android the situation is no different. While some apps deliver on their promises, others are simply trading on the 'something-for-nothing' speculation hype around Bitcoin. And even good apps may not be following best practices for securing financial transactions. 'Bitcoin apps are, for all intents and purposes, financial apps,' said Watkins. 'And should be held to similar standards as banking and other financial services related mobile apps.'
Android users need to apply the same skepticism to bitcoin apps as they should to any other popular application. Be wary of apps requesting permissions that aren't needed for the advertised function, and be especially skeptical of anyone offering something for nothing, or saying 'free' in all caps.
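The permissions check that this advice calls for, as an added example (not Appthority's tooling and not code from either app): a Python script that reads the uses-permission entries from a decoded AndroidManifest.xml and reports the ones that none of the app's advertised features explains, with the ones that gate sensitive user data called out. The two manifests are constructed to mirror the article's two cases; the feature-to-permission mapping and the 'dangerous' list are assumptions made for the example, not Android's authoritative lists.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that gate sensitive user data: a subset of Android's
# "dangerous" group, assumed for this example.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
}

# What each advertised feature legitimately needs (assumed mapping).
FEATURE_PERMISSIONS = {
    "network": {"android.permission.INTERNET",
                "android.permission.ACCESS_NETWORK_STATE"},
    "qr_scan": {"android.permission.CAMERA"},
    "nfc": {"android.permission.NFC"},
}

# Constructed manifests mirroring a wallet that sends by QR code and NFC,
# and a tap-to-earn app that also wants location and phone state.
WALLET_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.NFC"/>
</manifest>"""

TAPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tapper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Collect android:name from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }


def audit_permissions(manifest_xml, advertised_features):
    """Return the declared permissions no advertised feature accounts for,
    plus the subset of those that gate sensitive data."""
    justified = set()
    for feature in advertised_features:
        justified |= FEATURE_PERMISSIONS.get(feature, set())
    unexplained = declared_permissions(manifest_xml) - justified
    return {
        "unexplained": sorted(unexplained),
        "dangerous": sorted(unexplained & DANGEROUS),
    }


if __name__ == "__main__":
    print("wallet:", audit_permissions(WALLET_MANIFEST, {"network", "qr_scan", "nfc"}))
    print("tapper:", audit_permissions(TAPPER_MANIFEST, {"network"}))
```

In practice the declared list comes from a real package rather than a pasted manifest, for example from the manifest apktool decodes or from the output of aapt dump permissions on the APK; the comparison against what the app claims to do is the part a store listing never shows you.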