A Michigan State University computer engineer has advice for the millions of bitcoin owners who use smartphone apps to manage their cryptocurrency: don’t. Or at least, be careful. MSU researchers are developing a mobile app that will serve as protection for popular but vulnerable “wallet” apps used to manage cryptocurrency.
“More and more people are using Bitcoin wallet apps on their smartphones,” said Guan-Hua Tu, an assistant professor at MSU’s College of Engineering who works in the Department of Computer Science and Engineering. “But these applications have vulnerabilities.”
Smartphone wallet apps make it easy to buy and trade cryptocurrency, a relatively new digital currency that can be difficult to understand in almost every way except one – it’s very clearly valuable. Bitcoin was the most valuable cryptocurrency at the time of writing, with one bitcoin worth over $55,000.
But Tu and his team have uncovered vulnerabilities that can put a user’s money and personal information at risk. The good news is that the team is also helping users protect themselves by educating them about these security issues and by developing an app that addresses these vulnerabilities.
The researchers introduced this application – the Bitcoin Security Rectifier – in an article published for the Association for Computing Machinery Conference on Data and Application Security and Privacy. On the awareness side, Tu wants to help wallet users understand that these apps can make them vulnerable by violating one of the core principles of Bitcoin, known as decentralization.
Bitcoin is a currency that is not linked to any central bank or government. There is also no central computer server that stores all information about Bitcoin accounts, such as who owns how much.
“Some apps violate this decentralized principle,” Tu said. “The apps are developed by third parties. And, they can let their wallet app connect to their proprietary server which then connects to Bitcoin.”
In essence, these wallet apps can introduce an intermediary that Bitcoin by design omits. Users often do not know this, and app developers are not necessarily willing to disclose it.
“More than 90% of users don’t know if their wallet violates this decentralized design principle based on the results of a user study,” Tu said. And if an application violates this principle, it can represent a huge security risk for the user. For example, it can open the door for an unscrupulous app developer to simply take a user’s bitcoin.
Tu said the best way for users to protect themselves is not to use a smartphone wallet app from an untrusted developer. Rather, he encourages users to manage their bitcoin using a computer – not a smartphone – and the resources available on Bitcoin’s official website, bitcoin.org. For example, the site can help users make informed decisions about wallet applications.
But even wallets developed by reputable sources may not be completely safe, which is where the new app comes in.
Most smartphone programs are written in a programming language called Java. Bitcoin wallet apps use a library of Java code known as bitcoinj, pronounced “bitcoin jay”. The library itself has vulnerabilities that cybercriminals could exploit, as the team demonstrated in their recent article.
These attacks can have various consequences, including the compromise of a user’s personal information. For example, they can help an attacker infer all of the Bitcoin addresses that a wallet user has used to send or receive bitcoin. Attacks can also flood a user with unwanted data, draining the battery and potentially leading to heavy phone bills.
Tu’s app is designed to run on the same phone as a wallet at the same time, where it watches for signs of such intrusions. The app alerts users when an attack occurs and provides solutions based on the type of attack, Tu said. For example, the app can add “noise” to outgoing Bitcoin messages to prevent a thief from obtaining accurate information.
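To make the two warning signs described above concrete, here is an added illustration (not the Rectifier’s code, and not from the paper) of the kind of check a companion app could run over a wallet’s connection log: outbound connections to hosts that are not Bitcoin peers (a possible intermediary server) and peers that push an unusual volume of inbound data (a possible flood). The log format, the vendor host name and the byte counts are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of wallet-side connection log lines (hypothetical format):
# "<seconds> <direction> <host:port> <bytes>"
SAMPLE_LOG = """\
0 out 203.0.113.5:8333 120
1 in 203.0.113.5:8333 512
2 out api.wallet-vendor.example:443 300
3 in 198.51.100.9:8333 900
4 in 198.51.100.9:8333 65000
5 in 198.51.100.9:8333 65000
6 in 198.51.100.9:8333 65000
7 in 203.0.113.5:8333 400
"""

BITCOIN_P2P_PORT = 8333  # default Bitcoin mainnet peer-to-peer port

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, direction, peer, size = line.split()
        host, port = peer.rsplit(":", 1)
        events.append((int(ts), direction, host, int(port), int(size)))
    return events

def non_p2p_peers(events):
    """Hosts the wallet connects to that are not Bitcoin P2P peers: a hint
    that the app routes through a proprietary server (the decentralization
    violation the article describes)."""
    return sorted({h for _, d, h, port, _ in events
                   if d == "out" and port != BITCOIN_P2P_PORT})

def flooding_peers(events, window=3, limit=100000):
    """Peers whose inbound bytes inside any `window`-second span exceed
    `limit`; returns the peak volume seen per flagged host."""
    by_peer = defaultdict(list)
    for ts, d, host, _, size in events:
        if d == "in":
            by_peer[host].append((ts, size))
    flagged = {}
    for host, msgs in by_peer.items():
        msgs.sort()
        start, total = 0, 0
        for ts, size in msgs:          # sliding window over timestamps
            total += size
            while ts - msgs[start][0] >= window:
                total -= msgs[start][1]
                start += 1
            if total > limit:
                flagged[host] = max(flagged.get(host, 0), total)
    return flagged
```

On the sample log this flags `api.wallet-vendor.example` as a non-P2P destination and `198.51.100.9` as a flooding peer; the thresholds are illustrative and would need tuning against a real wallet’s baseline traffic.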
“The goal is for you to be able to download our tool and be safe from these attacks,” Tu said.
The team is currently developing the app for Android phones and plans to make it available through the Google Play Store in the coming months. There is currently no timeline for an iPhone app because of the additional challenges and restrictions posed by iOS, Tu said.
In the meantime, however, Tu has pointed out that the best way for users to protect themselves from the insecurities of a bitcoin smartphone wallet is simply not to use one, unless the developer is trustworthy.
“The main thing I want to share is that if you are not familiar with your smartphone wallet apps, you better not use them because any developer – malicious or benign – can download their wallet apps from Google Play or the Apple App Store,” he says.
MSU Professor Li Xiao and doctoral students Yiwen Hu and Sihan Wang, all from the Department of Computer Science and Engineering, also collaborated on this project. This work was funded in part by the National Science Foundation.