Infinito Wallet’s Security Audit by World-Leading Security Auditor SmartDec – Our Commitment to Transparency

July 16, 2018

As a universal cryptocurrency wallet application, the security of Infinito Wallet is of utmost importance to us. To ensure the highest possible standards, we have embraced a peer review approach for Infinito Wallet’s development – in addition to regular internal audits, we invited a professional third-party security auditor to carry out an independent audit for our universal wallet application.

The external audit, conducted by SmartDec, commenced earlier this year and was completed by the first quarter of 2018. SmartDec is an esteemed security auditor that analyzes the source and executable code of software applications. Read the full Infinito Wallet security audit by SmartDec here.

All notable issues found were promptly resolved by our diligent technical team, which is now working on the remaining minor issues. Please rest assured, regardless, that hackers can exploit these vulnerabilities ONLY by having physical access to your device, being able to bypass your phone’s own password protection, AND somehow obtaining your wallet’s password, all at the same time, which is no feasible task per se!

To ensure transparency, we have listed the remaining minor issues below. Our technical team is working day and night on this, and we will update the community about these fixes soon.

Unencrypted Storage for Non-Sensitive Information (public address, contact book)

  • Possible scenario: An unauthorized person with physical access to your device might connect your phone to their computer and substitute the public addresses in your contact list with their own, allowing them to receive all funds sent out from your wallet. It is important to note that your passphrase and private keys remain fully encrypted in storage.
  • Recommendation: We recommend you protect your device from physical unauthorized access and always check the contact recipient address twice before sending your fund. You should also set a device password as the foremost barrier to protect your phone.
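The contact-book scenario above can also be caught by the app itself: even when the address book stays unencrypted, a MAC tag under a key derived from the wallet password makes any substituted address detectable before it is offered as a send destination. The following is an added example written for this post, not Infinito Wallet's or SmartDec's code; the function names, the on-disk layout (canonical JSON followed by a hex tag), the PBKDF2 parameters and the sample contacts are all assumptions made for the illustration.

```python
"""Tamper-evident contact book for a mobile wallet (added example, not Infinito Wallet's code).

The contact list itself is stored in the clear; only an HMAC tag is added,
keyed by a value derived from the wallet password. Anyone who can edit the
file but does not know the password cannot produce a valid tag, so a
swapped address is rejected when the book is loaded.
"""
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


class ContactBookTampered(Exception):
    """Raised when the stored contact book fails its integrity check."""


def derive_mac_key(password: str, salt: bytes) -> bytes:
    # The salt is stored beside the blob; it need not be secret, only unique per wallet.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def seal_contacts(contacts: dict, key: bytes) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the tag covers exactly one encoding.
    body = json.dumps(contacts, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    # json.dumps escapes newlines inside strings, so "\n" is a safe separator here.
    return body + b"\n" + tag


def open_contacts(blob: bytes, key: bytes) -> dict:
    body, _, stored_tag = blob.rpartition(b"\n")
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    # Constant-time comparison so the check leaks nothing about the correct tag.
    if not hmac.compare_digest(expected_tag, stored_tag):
        raise ContactBookTampered("contact book tag mismatch; refusing to load addresses")
    return json.loads(body.decode("utf-8"))


def substitution_is_detected(password: str, salt: bytes) -> bool:
    """Seal a constructed contact book, swap one address in the raw blob, and
    report whether the loader rejects it."""
    key = derive_mac_key(password, salt)
    # Constructed sample contacts; the addresses are placeholders, not real ones.
    blob = seal_contacts({"alice": "ADDR_ALICE_PLACEHOLDER"}, key)
    tampered = blob.replace(b"ADDR_ALICE_PLACEHOLDER", b"ADDR_ATTACKER_PLACEHOLDER")
    try:
        open_contacts(tampered, key)
    except ContactBookTampered:
        return True
    return False


if __name__ == "__main__":
    salt = os.urandom(16)
    print("substitution detected:", substitution_is_detected("correct horse battery", salt))
```

The key is derived from the wallet password rather than stored next to the file precisely so that an attacker with raw filesystem access gains nothing from reading it; in a shipping app the salt and the sealed blob would live in the platform keystore or app sandbox, and a failed check should surface as a warning rather than silently falling back to the unverified data.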

Unlimited Password Entry Attempts

  • Possible scenario: Infinito Wallet currently does not limit password entry attempts. Therefore, an unauthorized person with physical access to your device is free to guess your password with impunity, commonly known as a brute-force attack.
  • Recommendation: We recommend you protect your device from physical unauthorized access and set a complex password for your Wallet. There are good practices found on the Internet to help secure your password.

Lack of Protection against Unauthorized Access to The Mobile Device

  • Possible scenario: An unauthorized person with physical access to your jailbroken (iOS) or rooted (Android) device might install backdoor malware, then later return the device to you. When you use your phone, consequently, sensitive information might be leaked.
  • Recommendation: We recommend you protect your device from physical unauthorized access and research/understand the security risks associated with rooting/jailbreaking your device. Our team strongly advises against using rooted/jailbroken devices to host your Infinito Wallet.

iOS Background Mode Screen Caching

  • Possible scenario: When Infinito Wallet is on a screen displaying your passphrase and your iOS device goes into background mode, the full passphrase screen is kept as the app’s background snapshot. Therefore, an unauthorized person with physical access to your device might be able to capture this snapshot and obtain your wallet passphrase. As almost all users complete wallet creation and passphrase backup in one go, this is a highly unlikely scenario.
  • Recommendation: We recommend you protect your device from physical unauthorized access and NEVER leave Infinito Wallet on any screen displaying your wallet passphrase.

Lack of Authentication After Background Mode on iOS

  • Possible scenario: After logging in to your app with Touch ID/password and switching to another app, an unauthorized person with physical access to your iOS device might reopen the app and use it.
  • Recommendation: Infinito Wallet has several existing security options to reduce this risk. Users can enable options for the app to require password/Touch ID input upon access whether on start-up, re-open from the background, or re-open upon unlocking the screen. However, the best way to secure your wallet and device, still, is to protect your phone from physical unauthorized access.

Please refer to SmartDec’s blog post to read about our collaboration.

The approach we have taken here is uncommon, if not unique, compared to our competitors. Infinito Wallet’s extensive security audit with SmartDec exemplifies its commitment to delivering the best-in-class mobile cryptocurrency universal wallet to end-users. But it does not stop here. We aim to be as consistent and transparent with our development progress as possible by becoming 100% open-source by the end of this year, while reserving a significant amount of our development budget for community bounty programs and frequent third-party external audits. We thank you for your continued support and hope you enjoy using Infinito Wallet!


Author

isysadmin