EAST LANSING, Mich. — As more businesses around the world begin accepting bitcoin as currency, consumers are constantly on the lookout for more convenient ways of managing their digital cash. Although bitcoin “wallet” apps might make the process easy, researchers at Michigan State University have some advice: don’t use them. Their study finds smartphone wallet apps are extremely susceptible to data breaches and tampering by malicious developers.
“More and more people are using bitcoin wallet apps on their smartphones,” says Guan-Hua Tu, an assistant professor in MSU’s College of Engineering, in a university release. “But these applications have vulnerabilities.”
Researchers say smartphone wallets make trading cryptocurrency very easy for users, even though the inner workings of creating digital currency are quite complicated. That also makes it extremely valuable, with just one bitcoin now worth around $55,000.
However, study authors have discovered flaws in these apps which put a user’s private information and their money at risk.
Violating the decentralization principle
One of the main issues researchers uncovered is that many apps are violating one of Bitcoin’s core principles — decentralization. What separates digital currency from conventional money is that it has no ties to any banks or governments. Bitcoin does not have a central computer server storing everyone’s account information and balances.
“There are some apps that violate this decentralized principle,” Tu explains. “The apps are developed by third parties. And, they can let their wallet app connect with their proprietary server that then connects to Bitcoin.”
Researchers add this means a wallet app introduces a “middleman” that Bitcoin normally doesn’t need. Moreover, users are usually unaware of this and app developers don’t always inform users about it.
“More than 90% of users are unaware of whether their wallet is violating this decentralized design principle based on the results of a user study,” Tu continues.
When apps violate the decentralization principle, it opens the door for dishonest developers to take their customer’s bitcoin.
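One practical way for a user or analyst to check whether a wallet app honors the decentralization principle is to look at where its network traffic actually goes: a wallet that talks to Bitcoin peers connects to many hosts on the peer-to-peer port, while one that routes through a “middleman” sends its traffic to a single vendor API over HTTPS. The script below is an added example written for this article; it is not code from the MSU study or its tool. It assumes the app’s outbound connections have already been exported (for example from a firewall log or a packet-capture summary) as (timestamp, host, port, bytes) records, and the sample records, vendor hostname and addresses are constructed.

```python
"""Classify a wallet app's outbound connections: direct Bitcoin peer traffic
or traffic to a proprietary server.

Added example, not code from the MSU study or its Spartan tool. Assumes
connection records are available as (timestamp, host, port, bytes_out),
e.g. exported from a firewall log. Sample records are constructed and use
RFC 5737 documentation addresses plus a placeholder vendor hostname.
"""
from collections import defaultdict

# Default Bitcoin peer-to-peer ports (mainnet, testnet).
BITCOIN_P2P_PORTS = {8333, 18333}
# Ports a wallet would use to reach a vendor's HTTP(S) API.
WEB_PORTS = {80, 443}


def classify(port):
    """Map a destination port to a traffic class.

    Assumption: HTTP(S) traffic from a wallet app is a vendor API, i.e. a
    middleman between the app and the Bitcoin network.
    """
    if port in BITCOIN_P2P_PORTS:
        return "p2p"
    if port in WEB_PORTS:
        return "proprietary"
    return "other"


def audit(records):
    """Summarise where the wallet's Bitcoin traffic actually goes.

    Returns per-class byte counts, the hosts seen in each class, the share
    of bytes sent to a vendor server, and a verdict:
    'direct' (only P2P), 'intermediated' (only a vendor server),
    'mixed' (both), or 'unknown' (neither seen).
    """
    bytes_by_class = defaultdict(int)
    hosts_by_class = defaultdict(set)
    for _ts, host, port, bytes_out in records:
        cls = classify(port)
        bytes_by_class[cls] += bytes_out
        hosts_by_class[cls].add(host)

    has_p2p = bool(hosts_by_class.get("p2p"))
    has_vendor = bool(hosts_by_class.get("proprietary"))
    if has_p2p and has_vendor:
        verdict = "mixed"
    elif has_p2p:
        verdict = "direct"
    elif has_vendor:
        verdict = "intermediated"
    else:
        verdict = "unknown"

    total = sum(bytes_by_class.values()) or 1
    return {
        "verdict": verdict,
        "bytes": dict(bytes_by_class),
        "hosts": {k: sorted(v) for k, v in hosts_by_class.items()},
        "vendor_share": bytes_by_class.get("proprietary", 0) / total,
    }


# Constructed sample: a wallet that talks to two peers on 8333 but pushes
# most of its bytes to a vendor API over HTTPS.
SAMPLE_MIXED = [
    ("2021-04-01T10:00:01Z", "203.0.113.10", 8333, 1200),
    ("2021-04-01T10:00:02Z", "198.51.100.7", 8333, 900),
    ("2021-04-01T10:00:03Z", "api.wallet-vendor.example", 443, 4100),
    ("2021-04-01T10:00:09Z", "api.wallet-vendor.example", 443, 2300),
    ("2021-04-01T10:00:11Z", "203.0.113.10", 8333, 300),
]

# Constructed sample: a wallet that never contacts a Bitcoin peer at all,
# so every transaction and balance query goes through the vendor.
SAMPLE_INTERMEDIATED = [
    ("2021-04-01T11:00:00Z", "api.wallet-vendor.example", 443, 5000),
    ("2021-04-01T11:00:05Z", "api.wallet-vendor.example", 443, 800),
]

if __name__ == "__main__":
    for name, sample in (("mixed", SAMPLE_MIXED),
                         ("intermediated", SAMPLE_INTERMEDIATED)):
        result = audit(sample)
        print(f"{name}: verdict={result['verdict']} "
              f"vendor_share={result['vendor_share']:.2f} "
              f"hosts={result['hosts']}")
```

A verdict of “intermediated” means the app never speaks the Bitcoin protocol itself, so the vendor’s server sees every address and balance query; a “mixed” verdict is worth a closer look, since some apps legitimately fetch exchange rates or fee estimates from a web service while still broadcasting transactions to peers directly.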
Avoid apps, use a computer
Study authors find the safest way to deal with untrustworthy wallet apps is to avoid wallet apps altogether. Tu recommends bitcoin users manage their funds on a computer rather than a smartphone. If you do plan to use a wallet app, the team suggests using the resources on Bitcoin’s official website, bitcoin.org. The website can provide more information about which wallet apps the cryptocurrency community considers trustworthy.
Unfortunately, even a trusted app is not completely safe from tampering. Researchers explain that most smartphone apps are written in a programming language called Java. Many Bitcoin wallet apps are built on a Java library called bitcoinj (pronounced “bitcoin-jay”). However, this library has weaknesses cybercriminals can exploit.
The study finds hackers can intercept information coming to or going from a wallet app while the phone is on public Wi-Fi. This is something Tu urges people not to do when using their wallets. Study authors add these attacks can affect your account in multiple ways.
For example, hackers can find out all the addresses a user sends money to or receives money from. Cybercriminals can even fill a user’s phone with unwanted data to drain their batteries and run up their phone bills. To combat this, the MSU team has developed its own app to warn smartphone wallet users about potential breaches.
Protecting vulnerable wallet apps
The Spartan app runs at the same time as a user’s wallet app, monitoring for security breaches. If one occurs, the app alerts users and provides solutions based on the type of attack in progress. Tu says this app can add “noise” to outgoing Bitcoin messages which prevents thieves from getting accurate information from the user.
“The goal is that you’ll be able to download our tool and be free from these attacks,” the assistant professor adds.
Right now, researchers are developing the app for Android phones, with plans to have it available in a few months. There is no current timetable for a release on iPhones because of technical challenges and restrictions using iOS.
For now, Tu recommends people dealing in cryptocurrency only use wallet apps from developers they trust.
“The main thing that I want to share is that if you do not know your smartphone wallet applications well, it is better not to use them since any developer — malicious or benign — can upload their wallet apps to Google Play or Apple App Store,” the study author concludes.
Researchers presented their findings at the Association for Computing Machinery’s Conference on Data and Application Security and Privacy.