Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crypto wallets security: for developers

Dee939e8aa52d13793b2f0c5e463777b?s=47 Julia Potapenko
February 22, 2022
0
280

Crypto wallets security: for developers

Dee939e8aa52d13793b2f0c5e463777b?s=128

Julia Potapenko

February 22, 2022
Tweet

More Decks by Julia Potapenko

See All by Julia Potapenko
React Native Security
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
230
Why can't developers make it secure?
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
190
Encryption Export Regulations. Why should mobile developers care?
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
110
The Art of Secure Architecture
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
130
Common iOS Vulnerabilities and How to Fix Them
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
1
1.6k
React Native Security
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
180
Secure Authentication. Are you sure you do it right?
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
1
510
Making Authentication More Secure
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
0
250
Touch ID and Face ID. Is It Secure?
Dee939e8aa52d13793b2f0c5e463777b?s=48 julep
1
390

Featured

See All Featured
We Have a Design System, Now What?
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
35
2.9k
Why You Should Never Use an ORM
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
47
7.4k
Facilitating Awesome Meetings
245cee81a9c424266e5e401d844ea881?s=48 lara
29
4k
Art Directing for the Web. Five minutes with CSS Template Areas
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
196
9.4k
Raft: Consensus for Rubyists
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
126
5.4k
Rails Girls Zürich Keynote
24fc194843a71f10949be18d5a692682?s=48 gr2m
86
12k
Building Adaptive Systems
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
1.1k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
104
16k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
100
5.9k
Practical Orchestrator
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
178
8.6k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
237
19k
VelocityConf: Rendering Performance Case Studies
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
316
22k

Transcript

  1. Crypto Wallets Security for developers Julia Potapenko

  2. Security Software Engineer Julia Potapenko @julepka We help companies to

    protect their sensitive and valuable data. OWASP Zhytomyr Leader. Contributor to OWASP security standards and guides. Women Who Code Kyiv Director

  3. OWASP Open Web Application Security Project A nonpro f it

    foundation that works to improve the security of software OWASP Top 10 OWASP ASVS OWASP WSTG OWASP MASVS/MSTG https://owasp.org/www-project-mobile-security-testing-guide/ https://owasp.org/www-project-application-security-veri f ication-standard/ https://owasp.org/www-project-web-security-testing-guide/ https://owasp.org/www-project-top-ten/

  4. Today we will talks about #cryptocurrency_wallets #sensitive_assets #authentication #local_storage #platform

    #cryptography #dependencies_management

  5. How does it work? Your account = your seed /

    private key Loosing seed / private key = loosing the account Wallet gives access to several accounts The main challenge is to secure seed / private keys

  6. Cryptocurrency wallet types Custodial third-party storage Non-custodial user-controled

  7. Cryptocurrency wallet types Custodial third-party storage Non-custodial user-controled Hot online

    Cold of f line

  8. https://www.wired.com/story/hack-binance-cryptocurrency-exchange/ Why should devs care?

  9. https://www.wired.com/story/hack-binance-cryptocurrency-exchange/ https://www.bbc.com/news/technology-59549606 Why should devs care?

  10. https://www.theverge.com/2022/1/24/22898712/crypto- hardware-wallet-hacking-lost-bitcoin-ethereum-nft https://www.wired.com/story/hack-binance-cryptocurrency-exchange/ https://www.bbc.com/news/technology-59549606 Why should devs care?

  11. https://www.theverge.com/2022/1/24/22898712/crypto- hardware-wallet-hacking-lost-bitcoin-ethereum-nft https://www.wired.com/story/hack-binance-cryptocurrency-exchange/ https://www.bbc.com/news/technology-59549606 https://www.theverge.com/2021/11/4/22763015/cryptocurrency- fake-wallet-phishing-scam-google-ads-phantom-metamask Why should devs care?

  12. https://www.theverge.com/2022/1/24/22898712/crypto- hardware-wallet-hacking-lost-bitcoin-ethereum-nft https://www.wired.com/story/hack-binance-cryptocurrency-exchange/ https://www.bbc.com/news/technology-59549606 https://www.theverge.com/2021/11/4/22763015/cryptocurrency- fake-wallet-phishing-scam-google-ads-phantom-metamask Why should devs care?

    It is not about blockchain security. It is about application security and user education

  13. Cryptocurrency wallet types Custodial third-party storage Non-custodial user-controled Hot online

    Cold of f line

  14. Coinbase wallet example

  15. Similar to banking apps, cryptocurrency wallets operate user funds, meaning

    security baseline should be nearly the same.

  16. Similar to banking apps, cryptocurrency wallets operate user funds, meaning

    security baseline should be nearly the same. Threat vectors considerations • Authentication • Local storage • Platform trust • Cryptography • Communication • User education • Supply chain

  17. User Authentication LOCAL VS REMOTE If the app provides users

    access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. No sensitive data should be stored locally on the mobile device. Instead, data should be retrieved from a remote endpoint when needed and only be kept in memory. If sensitive data is still required to be stored locally, it should be encrypted using a key derived from hardware backed storage which requires authentication. – OWASP MASVS 4.1, 2.11, 2.12

  18. User Authentication LOCAL VS REMOTE If the app provides users

    access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. No sensitive data should be stored locally on the mobile device. Instead, data should be retrieved from a remote endpoint when needed and only be kept in memory. If sensitive data is still required to be stored locally, it should be encrypted using a key derived from hardware backed storage which requires authentication. – OWASP MASVS 4.1, 2.11, 2.12 But what about deanonymisation? Non-custodial wallets are usually fat clients

  19. Password policy Password rotation when leaked Defences against brute-force attacks

    Step-up authentication Biometry veri f ication User Authentication

  20. Know your platform What kind of storage should be used

    to deliver the best security guarantees?

  21. Know your platform What kind of storage should be used

    to deliver the best security guarantees? Is it a f ile? Can you steal it? Can other apps access it? What about integrity? And Encryption?

  22. Know your platform What kind of storage should be used

    to deliver the best security guarantees? Is it a f ile? Can you steal it? Can other apps access it? What about integrity? And Encryption? It is a developer’s responsibility to know how the storage works on the platform you use.

  23. 000003.log is a storage f ile of web-extension. You can

    copy it from one browser and paste into another. Know your platform

  24. Objection tool that allows to access Keychain of the device,

    no jailbreak required Know your platform

  25. Cryptography How to encrypt the data with a password?

  26. Cryptography How to encrypt the data with a password? You

    decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256.

  27. Cryptography How to encrypt the data with a password? You

    decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function)

  28. Cryptography How to encrypt the data with a password? You

    decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function) Your pick PBKDF2. You need to specify number of rounds for it. Similar to some example in the Internet you pick 2 000.

  29. Cryptography How to encrypt the data with a password? You

    decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function) Your pick PBKDF2. You need to specify number of rounds for it. Similar to some example in the Internet you pick 2 000. 310 000

  30. Cryptography How to encrypt the data with a password? You

    decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function) Your pick PBKDF2. You need to specify number of rounds for it. Similar to some example in the Internet you pick 2 000. 310 000 CBC or GCM mode? Random IV? … ? ? ?

  31. Cryptography How to encrypt the data with a password? You

    decided to pick AES. You need a key length of 256 bits but the password is shorter. You use a hash function SHA256. KDF (Key Derivation Function) Your pick PBKDF2. You need to specify number of rounds for it. Similar to some example in the Internet you pick 2 000. 310 000 CBC or GCM mode? Random IV? … ? ? ? Don’t roll your own crypto Use Themis https://github.com/cossacklabs/themis Use libsodium

  32. Cryptography Comes from mvayngrib/react-native-crypto library… that uses react-native-randombytes library… that

    uses Stanford Javascript Crypto Library (SJCL) for synchronous random values generation. React Native mobile app example

  33. Cryptography Comes from mvayngrib/react-native-crypto library… that uses react-native-randombytes library… that

    uses Stanford Javascript Crypto Library (SJCL) for synchronous random values generation. SJCL random values generator relies on mouse movements and keyboard listeners. React Native mobile app example

  34. Supply chain

  35. Supply chain

  36. Supply chain

  37. Supply chain

  38. Supply chain

  39. How to identify a good library Looks alive Built for

    required platform Easy to use, hard to misuse Covered with tests Documentation Secure Performance Licence

  40. https://snyk.io/advisor/npm-package/ react-native-sensitive-info How to identify a good library

  41. Useful tools Automate and add to PRs SonarQube Snyk Dependabot

  42. Useful tools Automate and add to PRs SonarQube Snyk Dependabot

    SAST (Static Application Security Testing): https://owasp.org/www-community/ Source_Code_Analysis_Tools DAST (Dynamic Application Security Testing): https://owasp.org/www-community/ Vulnerability_Scanning_Tools

  43. User is a single point of failure Non-custodial wallets security

    is the user responsibility.

  44. Useful links [Article] Crypto wallets security as seen by security

    engineers: https://www.cossacklabs.com/blog/crypto-wallets-security/ [Article] Security of React Native libraries: the bad, the worse and the ugly: https://www.cossacklabs.com/blog/react-native-libraries-security/ [Article] React Native security: things to keep in mind: https://www.cossacklabs.com/blog/react-native-app-security/ [Slides] Why can’t developers make it secure: https://speakerdeck.com/julep/why-cant-developers-make-it-secure

  45. Thank you! Follow me on Twitter @julepka