DEV Community

Cover image for Improving security & cryptography in popular cryptocurrency wallets
Cossack Labs
Cossack Labs

Posted on

Improving security & cryptography in popular cryptocurrency wallets

Lots of people apply the idea that “blockchain is secure” by default to every project that has “blockchain” in its description. But in tech, you know it’s not so simple.

From a security perspective, we often see weak points requiring special attention in cryptocurrency ecosystems and their wallets (read our blog post Crypto wallets security as seen by security engineers to 🐬 deep dive into the topic). When working with large blockchain foundations, we ensure that their ecosystem (wallets, backends, APIs, protocols) are secure.

▶️ Have a look at a real-life example.

Say, there’s a blockchain foundation with a non-custodial cryptocurrency wallet available for millions of users as mobile applications and a web extension.

The users, regulators, investors, etc. expect that the cryptocurrency wallet gives the same level of security guarantees as modern financial or banking apps.

💡 Since this is a non-custodial cryptocurrency wallet, special attention should be paid to protecting data on the client side and its communication with a blockchain.

This comes with the requests for:
✔️ advanced level of protection,
✔️ encryption for data at rest (non-custodial wallets store private keys and mnemonics),
✔️ platform-specific security controls for all the supported platforms,
✔️ building app security into UX.

▶️ Now this looks like a job for us.

So, we roll up our sleeves and, using the superpower :) of our mobile apps security, security and cryptography engineering services, and a cryptographic library Themis, we:

🎯 assess risks and do threat modelling for the apps and backend ecosystem.
🎯 conduct a deep cryptography audit of the wallet: web extension (Chrome, Firefox, Chromium) and mobile apps (iOS, Android).
🎯 provide cryptographic enhancements and dozens of application security improvements aligned with the “defense in depth” approach.
🎯 analyze the development process and advise SSDLC improvements (from further automation in CI/CD pipeline to formalizing a security roadmap).

Read the detail behind every stage in our case study Filling cryptography and security gaps in cryptocurrency wallets🐬 to learn how these efforts resulted in web extension and mobile apps synced in their security guarantees and providing defence in depth protection for the users’ data. 🔐

GitHub logo cossacklabs / themis

Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people

Themis provides strong, usable cryptography for busy people

GitHub release Platforms Coverage Status
Themis Core Integration testing Code style Circle CI Bitrise

General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), Android (Java, Kotlin), React Native (iOS, Android), desktop Java, С/С++, Node.js, Python, Ruby, PHP, Go, Rust, WASM.

Perfect fit for multi-platform apps. Hides cryptographic details. Made by cryptographers for developers 🧡

What Themis is

Themis is an open-source high-level cryptographic services library for securing data during authentication, storage, messaging, network exchange, etc. Themis solves 90% of typical data protection use cases that are common for most apps.

Themis helps to build both simple and complex cryptographic features easily, quickly, and securely. Themis allows developers to focus on the main thing: developing their applications.

Use cases that Themis solves

  • Encrypt stored secrets in your apps and backend: API keys, session tokens, files.

  • Encrypt sensitive data fields before storing in database ("application-side field-level encryption").

  • Support searchable encryption, data tokenisation…

Discussion (0)