Since everyone is talking about source and security lately, let me share my opinions. I'm an Android app and system developer and just recently started looking into cryptocurrencies.
So here are my findings about this coin:
- Reverse-engineering the apk was trivial; the devs didn't even use ProGuard to make it harder to read. This is not a problem actually, because even if the app is obfuscated, it's not much harder to understand.
- The coin is centralized and all data is probably stored in a database without a blockchain and proof-of-anything. This system can be hacked, and devs can do bad things (though they seem to be honest).
- Even if you don't have the source, there are a lot of ways to cheat the system on Android.
- Coding a desktop implementation based on the reverse-engineered apk is trivial; one can sync without using an Android device at all. Add proxies and bots to this and you can easily "mine" hundreds of coins per day. You can also sign out anyone just by knowing the username. It might be possible to sync an arbitrary amount of coins to any username too; this depends on how much checking is implemented. I guess it could work, since if one used random device data, the system would think the user started using another device (too).
- The app uploads the following information about a device: device model and name, IMEI number and whether the device is rooted. All of them can be faked on a rooted device. I understand that IMEI is used for checking multi-account usage on one device, but not in plaintext; it should be hashed and only that value sent to the server. What if the server is hacked, IMEI numbers are stolen and sold on the black market? I personally wouldn't be happy.
- Up until v0.5.0b, only salted password hashes were sent to the server, providing secure authentication. The salt was generated by the device randomly upon signup. Since the v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext, which is problematic if you use the same password elsewhere, let's say for your e-mail account, not to mention they know your e-mail address too.
- Probably this was introduced to ease server load as there's no need for another API call to get the salt.
- Fortunately, communication between the device and the server is done through the secure HTTPS protocol. However, the server uses a self-signed certificate (trusted certificates are not free) and the app is coded not to reject unauthorized certificates for this very reason. This makes it possible to successfully execute a man-in-the-middle attack and steal passwords which aren't sent hashed anymore. This kind of attack is very common on public Wi-Fi access points, such as a coffee shop, airport, etc.
With all this said, please do not think I'm against this coin or anything. People just have to know the truth. Even if it might have sounded harsh at places, I appreciate the developers' work, because this really is a unique idea. Unfortunately, without a real blockchain and proof-of-anything system there's no way to properly secure the system. You can make it harder to cheat, but not impossible.
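One server-side design that addresses the IMEI and password-handling items above, as an added example that is not code from the app or its developers: the server receives the raw password only over a TLS channel whose certificate is actually verified, stores a keyed hash of the device identifier instead of the IMEI, and stores passwords as salted scrypt hashes, so neither a leaked database nor a captured request yields reusable secrets and no unauthenticated "get the salt" API call is needed. The key, usernames, passwords and IMEI are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed demo key; in production this is a secret held only on the server.
SERVER_DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def device_token(imei: str) -> str:
    """HMAC-SHA256 of the device identifier: the server can still detect several
    accounts on one device by comparing tokens, but a leaked table exposes no raw
    IMEIs, and without SERVER_DEVICE_KEY tokens cannot be brute-forced from IMEIs."""
    return hmac.new(SERVER_DEVICE_KEY, imei.encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, so offline guessing against a leaked table is slow.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class AccountStore:
    """Minimal server-side account table: no plaintext passwords, no raw IMEIs."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def signup(self, username: str, password: str, imei: str) -> bool:
        if username in self.accounts:
            return False
        salt = os.urandom(16)  # per-user salt made on the server, never fetched by clients
        self.accounts[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "device": device_token(imei),
        }
        return True

    def login(self, username: str, password: str) -> bool:
        record = self.accounts.get(username)
        if record is None:
            hash_password(password, b"\x00" * 16)  # same cost as a real check: timing leaks no usernames
            return False
        return hmac.compare_digest(record["pw_hash"], hash_password(password, record["salt"]))

    def other_accounts_on_device(self, username: str) -> list[str]:
        """Usernames whose signup came from the same device as `username`."""
        token = self.accounts[username]["device"]
        return sorted(u for u, r in self.accounts.items() if r["device"] == token and u != username)
```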
Thanks for sharing this info, but you are quite a bit late; I have already discussed this with the Srele and provided further information on how to fix some of these issues.
A few of the recent updates were to fix issues regarding the aforementioned information that I reported to them in private, along with a proof of concept showing how easily abused most of this is/was.
As for ProGuard, it is easily defeated if you know what you're doing, and it will not stop a knowledgeable individual from reversing the apk and further enumerating the requests the app makes.
I'd like to point out: "Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext"
Before v0.5.1, passwords were sent to the server hashed with a salt easily obtained via an unauthenticated request to the API, which one could easily do from the browser.
Arbitrary account creation + sync of coins was possible, and probably still is.
Quite a few other issues still exist, such as the possibility to log out active users with nothing but a single HTTP request.
I understand you're trying to help, but you're about 2 weeks late on reporting the very same issues I have reported to them in private and worked with them to attempt to fix.
There are still a plethora of issues that exist and probably will.
You may also want to note: you should have brought up any concerns you may have had with them in private, because posting this information to a public outlet such as this can and will entice others to attempt to investigate and possibly even attempt to carry out attacks against them and abuse their service.
Full disclosure is not the right course of action, because by doing so you have enabled anyone interested who has the knowledge to research further and carry out an attack on their services.