July 31, 2018
As a universal cryptocurrency wallet application, Infinito Wallet’s security is crucial. In addition to regular, extensive internal security audits, and to ensure the highest possible standards, the Infinito team invited SmartDec, a professional third-party security auditor, to carry out an independent audit of the universal wallet application.
The external audit, conducted by SmartDec, took place earlier this year and was completed in the first quarter of 2018. SmartDec is an esteemed security auditor that analyzes the source code and executables of software applications. Read the full Infinito Wallet security audit by SmartDec here.
The issues found were promptly addressed by the Infinito technical team, which is still working on the remaining minor issues. Despite these issues, your assets are safe: an attacker can exploit these vulnerabilities ONLY by having physical access to your device, bypassing your phone’s own password protection, AND somehow obtaining your wallet’s password. This is certainly not an easy task.
To ensure transparency, the Infinito team has listed the remaining minor issues below. The technical team is working 24/7 on these and will update the Infinito Wallet community about the fixes soon.
Read more about how Infinito Wallet protects your cryptocurrency assets here!
Unencrypted Storage for Non-Sensitive Information (public address, contact book)
Possible scenario: An unauthorized person with physical access to your device might connect your phone to their computer to substitute the public addresses in your contact list for their own, allowing them to receive all funds sent out from your wallet. It is important to note that your passphrase and private keys are still fully encrypted in your storage.
Recommendation: Infinito recommends that you protect your device from unauthorized physical access and always double-check the recipient address before sending funds. You should also set a device password as the foremost barrier protecting your phone.
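The finding above is about integrity, not secrecy: the contact book can be rewritten by someone who copies files off the device. One way an app can make such substitution detectable is to store an authentication tag over the contact book under a key derived from the wallet password, which (as the post notes) is not stored in the clear. The following is an added example written for this article, not code from Infinito Wallet or SmartDec; the storage format, the PBKDF2 key derivation, the salt and the sample contact are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data; a real app would use a random per-install salt
# and the user's actual contact book.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
CONTACTS = {"alice": "0xAAAA000000000000000000000000000000000001"}


def derive_mac_key(wallet_password: str, salt: bytes = SALT) -> bytes:
    """Derive the integrity key from the wallet password (hypothetical design:
    the key is never written to disk, so copying files is not enough to forge a tag)."""
    return hashlib.pbkdf2_hmac("sha256", wallet_password.encode(), salt, 200_000, dklen=32)


def seal_contacts(contacts: dict, key: bytes) -> str:
    """Serialize the contact book canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(contacts, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": tag})


def open_contacts(stored: str, key: bytes) -> dict:
    """Recompute the tag and refuse to load a contact book whose bytes changed."""
    container = json.loads(stored)
    body = container["body"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, container["mac"]):
        raise ValueError("contact book failed integrity check; do not trust these addresses")
    return json.loads(body)


def integrity_ok(stored: str, key: bytes) -> bool:
    """True when the stored contact book still carries a valid tag."""
    try:
        open_contacts(stored, key)
        return True
    except ValueError:
        return False


def edit_stored_address(stored: str, old: str, new: str) -> str:
    """Model the scenario in the finding: the on-disk file is edited, but the
    editor has no key and therefore cannot recompute the tag."""
    container = json.loads(stored)
    container["body"] = container["body"].replace(old, new)
    return json.dumps(container)


def demo() -> tuple:
    key = derive_mac_key("constructed-wallet-password")
    stored = seal_contacts(CONTACTS, key)
    untouched = open_contacts(stored, key) == CONTACTS
    tampered = edit_stored_address(
        stored, CONTACTS["alice"], "0xBBBB000000000000000000000000000000000002"
    )
    return untouched, integrity_ok(stored, key), integrity_ok(tampered, key)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The tag only detects a swapped address; it does not hide the contact book, which the audit classifies as non-sensitive. What matters for the user is that the wallet fails closed on a bad tag (refuses to populate the recipient field) rather than silently showing the edited address, and that the MAC key is derived from something the person holding the phone does not have.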
Unlimited Password Entry Attempts
Possible scenario: Infinito Wallet currently does not limit password entry attempts. Therefore, an unauthorized person with physical access to your device is free to keep guessing your password.
Recommendation: Infinito recommends you protect your device from unauthorized physical access and set a complex password for your Wallet.
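The usual app-side fix for an unlimited-attempts finding is a failure counter with a growing lockout, so that guessing costs the person holding the phone hours rather than seconds. The block below is an added example written for this article, not Infinito Wallet's own implementation (the post does not say how the team is addressing this); the thresholds, the PBKDF2 password check and the injectable clock are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time


class PasswordGate:
    """Wallet password check with a failure counter and exponential lockout.

    The first `free_attempts` failures are only denied. Each failure after
    that locks the gate for base_delay * 2**k seconds (k = 0, 1, 2, ...),
    and while locked the password is not even checked. The counter resets
    only on a successful unlock. `clock` is injectable so the schedule can
    be exercised without real waiting.
    """

    def __init__(self, password: str, free_attempts: int = 3,
                 base_delay: float = 30.0, clock=time.monotonic):
        self.salt = os.urandom(16)
        self.digest = self._derive(password)
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def _derive(self, password: str) -> bytes:
        # Slow hash so each guess also costs CPU time, not just wall-clock time.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000, dklen=32)

    def seconds_until_retry(self) -> float:
        return max(0.0, self.locked_until - self.clock())

    def verify(self, attempt: str) -> str:
        now = self.clock()
        if now < self.locked_until:
            return "locked"  # refused without touching the password
        if hmac.compare_digest(self._derive(attempt), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        over = self.failures - self.free_attempts
        if over >= 1:
            self.locked_until = now + self.base_delay * (2 ** (over - 1))
        return "denied"


class FakeClock:
    """Deterministic stand-in for time.monotonic (test scaffolding)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> tuple:
    clock = FakeClock()
    gate = PasswordGate("correct horse battery staple",
                        free_attempts=3, base_delay=30.0, clock=clock)
    results = [gate.verify("guess%d" % i) for i in range(5)]
    # failures 1-3: denied; failure 4 starts a 30 s lock; attempt 5 is refused unchecked
    first_wait = gate.seconds_until_retry()     # 30.0
    clock.advance(31)
    results.append(gate.verify("guess5"))       # denied, lock doubles to 60 s
    second_wait = gate.seconds_until_retry()    # 60.0
    clock.advance(61)
    results.append(gate.verify("correct horse battery staple"))  # ok, counter reset
    return results, first_wait, second_wait, gate.failures


if __name__ == "__main__":
    print(demo())
```

Two details matter more than the exact numbers: the lockout state must persist across app restarts (otherwise killing the app resets the counter), and the gate refuses locked attempts before doing the password comparison, so the expensive hash cannot be used to measure whether a guess was close.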
Lack of Protection against Unauthorized Access to The Mobile Device
Possible scenario: An unauthorized person with physical access to your jailbroken (iOS) or rooted (Android) device might install backdoor malware and then return the device to you. Sensitive information might then be leaked when you use your phone.
Recommendation: Infinito recommends you protect your device from unauthorized physical access and research and understand the security risks associated with rooting or jailbreaking your device. The team strongly advises against using rooted or jailbroken devices to host your Infinito Wallet.
iOS Background Mode Screen Caching
Possible scenario: If your iOS device goes into background mode while Infinito Wallet is on a screen displaying your passphrase, the full passphrase screen is kept as a background snapshot. An unauthorized person with physical access to your device might therefore be able to capture this screenshot and obtain your wallet passphrase. As almost all users tend to complete wallet creation and passphrase backup in one go, this is a highly unlikely scenario.
Recommendation: Infinito recommends you protect your device from unauthorized physical access and NEVER leave Infinito Wallet on any screen displaying your wallet passphrase.
Lack of Authentication After Background Mode on iOS
Possible scenario: After logging in to your app with Touch ID/password and switching to another app, an unauthorized person with physical access to your iOS device might reopen the app and use it.
Recommendation: Infinito Wallet has several existing security options to reduce this risk. Users can enable options that require password or Touch ID input on start-up, on re-opening from the background, or on re-opening after unlocking the screen. Still, the best way to secure your wallet and device is to protect your phone from unauthorized physical access.
Please refer to SmartDec’s blog post to read about the collaboration. It can be viewed here.
Infinito Wallet’s third-party audit approach is unique and advanced among its competitors. Infinito Wallet’s extensive security audit with SmartDec exemplifies its commitment to delivering the best-in-class mobile cryptocurrency universal wallet to users. The team aims to be as consistent and transparent with its development progress as possible by becoming 100% open-source by the end of this year, while reserving a significant amount of its development budget for community bounty programs and frequent third-party external audits.
Read more about Infinito Wallet!
Infinity Blockchain Labs (IBL) is a visionary R&D company committed to advancing society with next-generation solutions. We are currently the blockchain ecosystem leader in Vietnam with a global reach. Our mission is to be the R&D engine that transforms future technology into practical applications for business and everyday life. Named one of the top ten blockchain technology solution providers in 2018 by APAC CIO Outlook, our 200+ employees at IBL aspire to empower Vietnam to become the global leader in blockchain research and development.
We always welcome talents, communities, and business partners to collaborate with us across all of our activities. Please drop a message to email@example.com and sign up for our Newsletter list to receive our frequent reports with the most updated news. Make sure to follow us on social media too!
See the original Infinito Wallet article here!