Since everyone is talking about source and security lately, let me share my opinions. I'm an Android app and system developer and just recently started looking into cryptocurrencies.
So here are my findings about this coin:
- Reverse-engineering the apk was trivial, devs didn't even use ProGuard to make it harder to read. This is not a problem actually, because even if the app is obfuscated, it's not much harder to understand.
- The coin is centralized and all data is probably stored in a database without a blockchain and proof-of-anything. This system can be hacked, devs can do bad things (though they seem to be honest).
- Even if you don't have the source, there are a lot of ways to cheat the system on Android.
- Coding a desktop implementation based on the reverse-engineered apk is trivial, one can sync without using an Android device at all. Add proxies and bots to this and you can easily "mine" hundreds of coins per day. You can also sign out anyone just by knowing the username. It might be possible to sync an arbitrary amount of coins to any username too, this depends on how much checking is implemented. I guess it could work since if one used random device data, the system would think the user started using another device (too).
- The app uploads the following information about a device: device model and name, IMEI number and whether the device is rooted. All of them can be faked on a rooted device. I understand that the IMEI is used for checking multi-account usage on one device, but not in plaintext: it should be hashed and only that value sent to the server. What if the server is hacked and IMEI numbers are stolen and sold on the black market? I personally wouldn't be happy.
- Up until v0.5.0b, only salted password hashes were sent to the server, providing secure authentication. The salt was generated randomly by the device upon signup. Since the v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext, which is problematic if you use the same password elsewhere, let's say for your e-mail account, not to mention they know your e-mail address too.
- Probably this was introduced to ease server load as there's no need for another API call to get the salt.
- Fortunately, communication between the device and the server is done through the secure HTTPS protocol. However, the server uses a self-signed certificate (trusted certificates are not free) and the app is coded not to reject unauthorized certificates for this very reason. This makes it possible to successfully execute a man-in-the-middle attack and steal passwords which aren't sent hashed anymore. This kind of attack is very common on public Wi-Fi access points, such as a coffee shop, airport, etc.
With all this said, please do not think I'm against this coin or anything. People just have to know the truth. Even if it might have sounded harsh in places, I appreciate the developers' work, because this really is a unique idea. Unfortunately, without a real blockchain and proof-of-anything system there's no way to properly secure the system. You can make it harder to cheat, but not impossible.
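Editor's added example, not code from the post or from the coin's developers: the two server-side fixes the post asks for, hashing the device identifier before it is sent and storing passwords only as salted, slow hashes, shown in Python for illustration (the real app is Java). The sample IMEIs, the `DEVICE_ID_KEY` constant and the PBKDF2 work factor are constructed assumptions. Note that a plain unkeyed SHA-256 of an IMEI is not enough, since IMEIs are only 15 decimal digits and could be enumerated from a stolen database; the example therefore uses a keyed hash. The key is assumed to live in the app, so it protects against the database-theft scenario the post describes rather than against someone who already has the apk.

```python
import hashlib
import hmac
import secrets

# Constructed example key; assumed to be embedded in the app. It raises the cost
# of recovering IMEIs from a stolen database (the scenario in the post), but anyone
# with the apk can extract it, so it is not a secret from the app's own users.
DEVICE_ID_KEY = b"example-app-device-key"

# Assumed work factor; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000.
PBKDF2_ITERATIONS = 600_000


def device_token(imei: str, key: bytes = DEVICE_ID_KEY) -> str:
    """Return a keyed hash of the device identifier.

    The same device always yields the same token, so the server can still spot
    several accounts registered from one handset, but the raw IMEI never leaves
    the device and never sits in the database.
    """
    digits = imei.strip()
    if not (digits.isdigit() and len(digits) == 15):
        raise ValueError("IMEI must be 15 decimal digits")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def make_password_record(password: str) -> dict:
    """Server-side storage record: random per-user salt plus a slow hash.

    With this in place a database breach yields nothing a thief can reuse on
    the user's e-mail account, which is the reuse risk the post raises.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> dict:
    """Constructed walk-through: two accounts on one handset, one on another."""
    imei_a = "490154203237518"  # constructed sample IMEI, not a real device
    imei_b = "356938035643809"  # constructed sample IMEI
    token_a1 = device_token(imei_a)
    token_a2 = device_token(imei_a)
    token_b = device_token(imei_b)
    record = make_password_record("correct horse battery staple")
    return {
        "same_device_detected": token_a1 == token_a2,
        "different_devices_differ": token_a1 != token_b,
        "imei_not_in_token": imei_a not in token_a1,
        "login_ok": verify_password(record, "correct horse battery staple"),
        "wrong_password_rejected": not verify_password(record, "correct horse battery stable"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the salt is random per record, two users with the same password get different stored hashes, and a leaked table cannot be attacked with one precomputed list. The token function deliberately keeps the multi-account check working (same handset, same token) while removing the plaintext identifier from the wire and the database.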