A computer science engineer at Michigan State University has one piece of advice for the millions of Bitcoin owners who use smartphone apps to manage their cryptocurrency: Don’t. Or at least be careful. MSU researchers are developing a mobile app that will act as protection for popular but vulnerable “wallet” applications used to manage cryptocurrency.

“More and more people are using Bitcoin wallet apps on their smartphones,” said Guan-Hua Tu, an assistant professor at MSU’s College of Engineering who works at the Department of Computer Science and Engineering. “But these applications have weak points.”

Smartphone wallet apps make it easier to buy and trade in cryptocurrency, a relatively new digital currency that can be difficult to understand in just about every way, with one exception: it’s clearly valuable. Bitcoin was the most valuable cryptocurrency at the time of writing. One bitcoin was worth more than $55,000.

However, Tu and his team are uncovering vulnerabilities that can put a user’s money and personal information at risk. The good news is that the team is also helping users better protect themselves by raising awareness of these security issues and developing an app that fixes these vulnerabilities.

The researchers featured this app – the Bitcoin Security Rectifier – in an article published for the Association for Computing Machinery Conference on Data and Application Security and Privacy. To raise awareness, Tu aims to help wallet users understand that these apps can make them vulnerable by violating one of Bitcoin’s core principles, called decentralization.

Bitcoin is a currency that is not tied to any central bank or government. There is also no central computer server on which all information about Bitcoin accounts is stored, such as who owns how much.

“There are some apps that violate this decentralized principle,” said Tu. “The apps are developed by third parties. You can also connect your wallet app to your proprietary server, which then connects to Bitcoin.”

Essentially, such apps can introduce a middleman that Bitcoin purposely leaves out. Often users do not know this and app developers do not necessarily share the information.

“More than 90% of users don’t know if their wallet violates this decentralized design principle, based on the results of a user study,” said Tu. And if an app violates this principle, it can pose a major security risk for the user. For example, it can open the door for an unscrupulous app developer to simply take a user’s bitcoin.

Tu said the best way users can protect themselves is to avoid using a smartphone wallet app developed by untrustworthy developers. Instead, he encourages users to manage their Bitcoin using a computer – not a smartphone – and the resources found on the official Bitcoin website, bitcoin.org. For example, the site can help users make informed decisions about wallet apps.

But even wallets designed by reputable sources may not be entirely safe. This is where the new app comes in.

Most smartphone programs are written in a programming language called Java. Bitcoin wallet apps use a Java code library called Bitcoinj, pronounced “Bitcoin Jay”. The library itself has vulnerabilities that cybercriminals could attack, as the team demonstrated in their recent article.

These attacks can have a number of consequences, including compromising a user’s personal information. For example, they can help an attacker infer all of the Bitcoin addresses that wallet users have used to send or receive Bitcoin. Attacks can also send a lot of unwanted data to a user, draining batteries and potentially resulting in high phone bills.

Tu’s app is designed to run simultaneously on the same phone as a wallet, where it monitors for signs of such tampering. The app warns users when an attack is occurring and provides remedial action based on the type of attack, Tu said. For example, the app can add “noise” to outgoing Bitcoin messages to prevent a thief from getting accurate information.

“The goal is that you can download our tool and be free from these attacks,” said Tu.

The team is currently developing the app for Android phones and plans to make it available for download from the Google Play App Store in the coming months. There is currently no schedule for an iPhone app due to the added challenges and limitations iOS brings, Tu said.

Meanwhile, however, Tu emphasized that the best way for users to protect themselves from the insecurities of a smartphone bitcoin wallet is to simply not use them unless the developer is trusted.

“The main thing I want to share is that if you don’t know them well, it is better not to use your smartphone wallet applications, as every developer – malicious or innocuous – can upload their wallet apps to Google Play or the Apple App Store,” he said.


Professor Li Xiao from MSU and Ph.D. students Yiwen Hu and Sihan Wang, all from the Department of Computer Science and Engineering. This work was funded in part by the National Science Foundation.

Disclaimer: AAAS and EurekAlert! are not responsible for the correctness of the press releases published on EurekAlert! by contributing institutions or for the use of information via the EurekAlert system.