Board: Announcements (Altcoins)
Re: [ANN] MangoCoinz Official ANN Thread - Mine cryptocurrencies on you smart phone
by SreleFromMangoCoinz on 30/01/2015, 12:46:01 UTC
Quote from: cromwell600

Since everyone is talking about source and security lately, let me share my opinions. I'm an Android app and system developer and just recently started looking into cryptocurrencies.

So here are my findings about this coin:
- Reverse-engineering the apk was trivial, devs didn't even use ProGuard to make it harder to read. This is not a problem actually, because even if the app is obfuscated, it's not much harder to understand.
- The coin is centralized and all data is probably stored in a database without a blockchain and proof-of-anything. This system can be hacked, devs can do bad things (though they seem to be honest).
- Even if you don't have the source, there are a lot of ways to cheat the system on Android.
- Coding a desktop implementation based on the reverse-engineered apk is trivial; one can sync without using an Android device at all. Add proxies and bots to this and you can easily "mine" hundreds of coins per day. You can also sign out anyone just by knowing the username. It might be possible to sync an arbitrary amount of coins to any username too; this depends on how much checking is implemented. I guess it could work, since if one used random device data, the system would think the user started using another device (too).
- The app uploads the following information about a device: device model and name, IMEI number and if the device is rooted. All of them can be faked on a rooted device. I understand that IMEI is used for checking multi-account usage on one device, but not in plaintext, it should be hashed and only that value sent to the server. What if the server is hacked, IMEI numbers are stolen and sold on the black market? I personally wouldn't be happy.
- Up until v0.5.0b, only salted password hashes were sent to the server, providing secure authentication. The salt was generated by the device randomly upon signup. Since the v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk, as devs can now save passwords in plaintext, which is problematic if you use the same password elsewhere, let's say for your e-mail account, not to mention they know your e-mail address too.
- Probably this was introduced to ease server load as there's no need for another API call to get the salt.
- Fortunately, communication between the device and the server is done through the secure HTTPS protocol. However, the server uses a self-signed certificate (trusted certificates are not free) and the app is coded not to reject unauthorized certificates for this very reason. This makes it possible to successfully execute a man-in-the-middle attack and steal passwords which aren't sent hashed anymore. This kind of attack is very common on public Wi-Fi access points, such as a coffee shop, airport, etc.

With all this said, please do not think I'm against this coin or anything. People just have to know the truth. Even if it might have sounded harsh in places, I appreciate the developers' work, because this really is a unique idea. Unfortunately, without a real blockchain and proof-of-anything system there's no way to properly secure the system. You can make it harder to cheat, but not impossible.

Hey cromwell600,

Good job!

-Yes, .apk files are easy to open, and in the next update we are going to have ProGuard.
-Yes the coin is centralized, but there is a blockchain and there is proof of how many coins someone has. We have security in place, and everyday we are thinking of ways of improving it. I don't like doing bad things, I would rather be honest.
-We thought up a way of authenticating API requests, and it will be implemented in the next update so as to mitigate the risk of bots.
-Yes the app gets some info about the device, but not much.
-Yes, we changed some things from v0.5.0b to v0.5.1. The password is hashed server side, and the password is sent via a secure connection (HTTPS).
-This was not introduced to ease the server load, but to improve security. We now use an even better salting method.
-As for the self-signed certificate, it will be changed to a signed (paid) certificate hopefully by the end of next week (or even earlier). The new certificate that is signed by a trusted source will stop a MITM (Man In The Middle) attack.

The iPhone version of the app will be in the works hopefully by the end of next week, and we plan on making it even more secure.

If you have any suggestions, please tell us by sending us an email to mangocoinz@gmail.com

Best regards, Srele from MangoCoinz.
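The certificate-handling point raised in the quoted post, as an added example written for this page (it is not MangoCoinz code and nothing below was taken from the apk). `TRUST_EVERYTHING` is the "do not reject unauthorized certificates" pattern the post describes: an `X509TrustManager` whose `checkServerTrusted` never throws, so any certificate an attacker presents on a shared Wi-Fi network is accepted. `SpkiPinningTrustManager` is a hardened replacement that pins the SHA-256 of the server's public key (SubjectPublicKeyInfo); it works with a self-signed certificate as well as a CA-signed one, because what it checks is the key, not the issuer. The host name and the pin value are placeholders and are assumptions, not values from the thread.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsTrustExample {

    // VULNERABLE: the pattern described in the quoted post. Every server
    // certificate passes, including one forged by a man-in-the-middle.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // HARDENED: accept only a certificate whose public key matches a pin that
    // was baked into the app at build time. No CA purchase is required.
    static final class SpkiPinningTrustManager implements X509TrustManager {
        private final byte[] expectedSpkiSha256;

        SpkiPinningTrustManager(String expectedSpkiSha256Hex) {
            this.expectedSpkiSha256 = hexToBytes(expectedSpkiSha256Hex);
        }

        static byte[] spkiSha256(X509Certificate cert) throws CertificateException {
            try {
                // getEncoded() on the public key yields the DER SubjectPublicKeyInfo.
                return MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            X509Certificate leaf = chain[0];
            leaf.checkValidity(); // reject expired or not-yet-valid certificates
            // Constant-time comparison of the 32-byte digests.
            if (!MessageDigest.isEqual(spkiSha256(leaf), expectedSpkiSha256)) {
                throw new CertificateException("server public key does not match the pinned key");
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client certificates are not used by this app");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static SSLContext contextWith(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder pin (assumed). Compute the real one from the server's certificate with:
        //   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout \
        //     | openssl pkey -pubin -outform der | openssl dgst -sha256
        String pinHex = "0000000000000000000000000000000000000000000000000000000000000000";
        X509TrustManager pinned = new SpkiPinningTrustManager(pinHex);

        // Offline demonstration of the difference: an empty chain (what a broken
        // or hostile peer might present) is accepted by one and rejected by the other.
        X509Certificate[] emptyChain = new X509Certificate[0];
        TRUST_EVERYTHING.checkServerTrusted(emptyChain, "RSA");
        System.out.println("trust-all manager: accepted an empty chain");
        try {
            pinned.checkServerTrusted(emptyChain, "RSA");
        } catch (CertificateException e) {
            System.out.println("pinning manager: rejected (" + e.getMessage() + ")");
        }

        // Install the hardened context process-wide. Keep the default hostname
        // verifier; overriding it with (host, session) -> true reopens the MITM.
        HttpsURLConnection.setDefaultSSLSocketFactory(contextWith(pinned).getSocketFactory());
    }
}
```

The pin must be rotated in an app update before the server key changes, so ship a second "backup" pin for the next key if the key will be rotated; if the app is instead moved to a CA-signed certificate, the fix is simply to delete the custom `TrustManager` and hostname verifier and let the platform's default validation run, which is the step the reply above depends on.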