Transform your $HAI holdings into Hacken shareholder status. Only 100 slots available. > Learn more and join the waitlist here.
Cryptostake, a non-custodial and high-reward staking service for proof-of-stake blockchains like Ethereum, Polkadot, and Cosmos, entrusted Hacken with performing an independent security assessment of their mobile applications. Specifically, non-custodial wallets for iOS and Android.
As a result of Hacken’s most thorough mobile penetration testing, Cryptostake Wallets received a maximum 10/10 score. Let’s take a closer look.
Cryptostake’s non-custodial mobile app gives users complete control over their private keys, necessitating robust security measures to protect against breaches. Recognizing the critical importance of safeguarding user autonomy and asset security, Cryptostake approached Hacken for a thorough security assessment. In our assessment, we employed active exploitation techniques to benchmark security against industry best practices and evaluate apps’ robustness.
The penetration test, conducted over a month from September 23 to October 23, 2023, followed a gray box methodology. This approach included intelligence gathering, service detection, vulnerability analysis, and business logic flow assessments. The assessment was comprehensive, mapping the application’s code against industry standards and employing international methodologies like OWASP.
The primary objectives were to identify technical and functional vulnerabilities, estimate their severity, model probable attack vectors, and provide a prioritized list of recommendations.
We identified no critical, high, or medium-severity issues threatening the system. The only vulnerabilities that were found were low severity and exclusively for Android. The iOS app contained no issues. The Cryptostake team has since taken the Android app offline to introduce the recommended fixes.
Low-level security issues, classified with a CVSS score of 0.1 to 3.9, represent vulnerabilities that are easier to exploit due to low exploitation difficulty but grant only minimal access privileges to attackers. Their impact on system security is relatively lower because the level of access they provide is restricted.
The Cryptostake Android app’s low-level security issues included vulnerabilities that allow operation on rooted and jailbroken devices, bypassing of password brute-forcing protection, biometric access bypass, issues with invalidation upon biometric enrollment, allowance of third-party keyboards, potential exposure of sensitive data through screenshots, and insufficient logout procedures, alongside cryptography issues related to hardcoded values.
Here’s a more detailed breakdown:
The security assessment concluded with Hacken rating Cryptostake Wallets a perfect 10 out of 10. This high score reflects system robustness and resilience.
The assessment found only low severity and informational issues, indicating no direct path for an external attacker to compromise the system fully. Moreover, Cryptostake has taken the Android app offline for upgrades, while no issues were found for the iOS app.
This finding is crucial for Cryptostake’s users, who engage in self-custodial crypto staking, which requires high trust in the platform’s security capabilities.
Cryptostake’s proactive approach in engaging with Hacken for thorough mobile penetration testing underscores its commitment to providing a secure and reliable staking service for its users.
Given a recent high-profile Ledger hack, regular assessments of crypto wallets’ security are vital in a landscape where threats are constantly evolving, ensuring that platforms like Cryptostake can continue to offer safe and uninterrupted services to their users.
Subscribe to our newsletter
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email.