Frequent security incidents involving crypto assets raise the question: how can you ensure that the platform and wallet app you use are secure?
Author: Mu Mu, Plain Language Blockchain
Asset security has always been an important topic in the crypto industry. Yet, from what Plain Language Blockchain has observed, frequent safety education has not made many people truly care about it. The common mindset is: "It's purely a matter of probability, and it won't happen to me and my 'small assets'", while the same people are often convinced that the far lower probability of winning the lottery will definitely land on them.
In fact, as crypto assets go mainstream, security incidents targeting individual users' assets have become frequent. Whether for large holders or retail investors, many of these incidents happen right next to us and are no longer rare events.
So starting from the most common recent security incidents involving personal user assets, let's sort out those security issues that are closely related to us. The first and foremost question is: how to ensure that the platform and wallet app you are using are secure?
01 Is "official channels" always safe?
Most people think that ensuring the security of a platform or wallet app is simple: just stick to "official channels", right? Not necessarily…
1. "Official" websites that look more official than the official site
Everyone knows to look for the "official website," but taking common mainstream wallets as an example, can you immediately list their accurate official website addresses? Let's do a quick test:
Most people might choose A or B. Many believe that only a domain made of the brand name followed by .com or .io can be the "official" website of a brand with real strength, but many teams started as small startups, and the official domain they registered back then was quite "careless." The correct answer is actually C.
For the same reason, these wallet teams may not even have thought about registering a trademark when they started… and the brand's trademark was then registered by someone else. With that trademark in hand, the other party can buy brand-protection services from certain search engines, which mark their search results with an "official brand" certification label, or buy promotion so their site always ranks first, which is extremely misleading. This has happened in the past two years. To this day, searching "xxx wallet official website" on some mainstream search engines will likely return mostly counterfeit results.
These "official" websites that look more official than the real one have indeed trapped many people; they are also one of the lowest-cost, highest-success-rate methods available to attackers.
2. So what if you know the official website address?
Many people think that as long as the correct official domain name is entered, the downloaded app must be safe. However, incidents can still occur. In the recent BitKeep wallet security incident, BitKeep announced that, according to the team's preliminary investigation, some downloaded APK packages were suspected of having been hijacked by hackers, resulting in the installation of packages with implanted malicious code.
In simple terms, some users' APK packages were "hijacked" during the download process, so they installed a "wallet" specially prepared by hackers, which we can tentatively classify as a non-official "fake wallet."
The main reason given in the announcement is "hijacking." Since "hijacking" covers many methods and steps, it is currently unclear at which step the problem occurred. But we can discuss how hackers typically make a user enter the "official" domain name and still download a fake wallet. The first method is tampering with the local hosts file.
If malicious software is installed on a PC, whether the user was tricked into installing it or it arrived through a vulnerability, it can modify the local hosts file (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows), which the operating system consults before asking DNS. A single added line is enough to point a given domain name directly at a non-official server's IP, for example a "fake" official page prepared by hackers. The browser then opens the correct domain name exactly as typed, but actually reaches the hacker's website, and the app downloaded from it is a fake one.
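A simple way to audit your own machine for this kind of tampering, as an added example that is not part of the original article: the official domain of a wallet or exchange has no business appearing in a hosts file at all, so any line that maps such a name anywhere is suspicious. The domains and the sample hosts content below are constructed placeholders; substitute the exact official domains you use.

```python
"""Audit a hosts file for entries that hijack wallet or exchange domains.

Added example, not from the original article. It parses hosts-file text
(a constructed sample is embedded below) and reports every line that
maps a watched domain, or a subdomain of one, to any IP address.
"""
import ipaddress
from pathlib import Path

# Real hosts-file locations on the two common desktop platforms.
HOSTS_PATHS = {
    "windows": r"C:\Windows\System32\drivers\etc\hosts",
    "posix": "/etc/hosts",
}

# Hypothetical placeholders; replace with the real official domains.
WATCHED_DOMAINS = {"wallet.example", "exchange.example"}

# Constructed sample hosts file for demonstration; 203.0.113.0/24 and
# 2001:db8::/32 are documentation ranges, not real servers.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# a benign developer override
127.0.0.1   dev.local
203.0.113.7 wallet.example www.wallet.example   # attacker redirect
2001:db8::1 download.exchange.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed first field; not a usable mapping
        for host in parts[1:]:
            yield ip, host.lower()


def matches_watched(host, watched):
    """True if host equals a watched domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip_string), ...] for every watched name mapped."""
    return [(host, str(ip)) for ip, host in parse_hosts(text)
            if matches_watched(host, watched)]


def audit_hosts_file(path=HOSTS_PATHS["posix"], watched=WATCHED_DOMAINS):
    """Audit a real hosts file on disk (needs read permission only)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return find_hijacks(text, watched)


if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"SUSPICIOUS: {host} -> {ip}")
```

Run it against the real file with audit_hosts_file() on Linux or macOS, or audit_hosts_file(HOSTS_PATHS["windows"]) on Windows. A clean result only rules out this one trick: malware that can write the hosts file can usually also change the system's DNS servers or install its own root certificate, so treat any hit as a sign the whole machine is compromised rather than something to fix by deleting the line.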
The second method is tampering with the page opened in the local browser or app.
When you open a platform website or a wallet's web page, a browser extension can directly modify the content displayed on specific pages, for example replacing the link behind the app download button with an address the hacker prepared, or replacing deposit and withdrawal addresses with the hacker's own. Extensions can also read and modify wallet addresses or private keys in the clipboard. As for whether browser extensions have permission to modify web pages, there is no need to wonder: almost all of them request such permissions. If you look carefully, you will find that even the commonly used MetaMask wallet holds permission to read and change data on the sites you visit, because it has to inject its provider into web pages… Not long ago there was an incident in which a fake app impersonating a leading CEX replaced deposit and withdrawal addresses, leading to asset loss.
The third method is remote DNS hijacking, modification of the domain's resolution records, or compromise of the app vendor's own server.
This lies with remote network and DNS providers and is rarely seen; it is costly and difficult, but it has happened. One route is "poisoning" a DNS resolver's cache so that the domain you access resolves to the hacker's address. Another is the vendor's account at its domain registrar or DNS host being hacked and the resolution records modified, so you land on the hacker's site even though you typed the official address. If the app vendor itself is hacked, there is nothing more to say. These situations are beyond a user's control, although the hash check described later still catches a swapped installation file.
02 Security Tips from Plain Language Blockchain
Upon learning that hackers can hijack even official websites, one cannot help but sigh that "it's hard to guard against." So what should be done? These security issues are not unique to crypto; in the digital age every app faces them, including banking and third-party payment apps, which have plenty of fake "apps" of their own. Based on past experience, we have summarized some corresponding prevention tips for your reference:
1. Use HTTPS to prevent hijacking.
When typing the correct official domain name, be sure to prefix it with https://. This has a real effect: if local hosts-file tampering or remote DNS hijacking sends you to a hacker's server, that server cannot present a certificate for the official domain that your browser trusts, so the address bar shows a "not secure" or "your connection is not private" warning instead of the padlock. Simply put, this is a widespread application of asymmetric cryptography: the site proves possession of the private key matching a certificate that a certificate authority signed for that exact domain name, and the browser verifies that chain before rendering the page. Two caveats. First, the warning only helps if you never click through it; sites that send the HSTS header make this mistake harder, because the browser then refuses plain http and does not let you bypass the certificate error. Second, malware with enough privilege to edit your hosts file can also install its own root certificate into the trust store, in which case no warning appears at all, which is why the file-hash check below is still needed.
As a side note, many project websites, even DeFi sites, still do not use or enforce HTTPS, which is completely unreasonable and makes it hard to believe in the team's dedication and professionalism.
2. Check the APK file hash.
For well-known reasons, Android users in mainland China cannot download apps directly from Google Play and can only download APK installation packages. Most fake-app incidents occur when an APK is swapped out or a fake APK is downloaded, so we must make sure the APK is the one the vendor actually published.
First, open the official website over HTTPS, then go to the download page. Observant users may notice that some download pages carry a link labeled "Verify Application Security" or SHA256. Our estimate is that 80% of people never read the security prompt and 90% have never clicked the verification link to see what it contains…
After clicking the security verification or SHA256 link, we see the hash value of the official APK installation package (if the file has been modified in any way, even by a single byte, the hash changes completely). After downloading the APK, compute its hash; if it matches the one published by the official source, the file has not been replaced. On Linux the command is sha256sum wallet.apk, on macOS shasum -a 256 wallet.apk, and on Windows certutil -hashfile wallet.apk SHA256; on a phone, a file manager or hash app can do the same.
After downloading the APK comes a crucial step: open virustotal.com, the scanning service owned by Google, and upload the APK you just downloaded. The report shows the file's hash, which you can compare with the published one, together with the verdicts of dozens of antivirus engines on whether the file carries malicious code, a two-in-one tool. One caveat: zero detections is not proof of safety, since a freshly built trojanized wallet may not be recognized by any engine yet, so the hash comparison remains the decisive check.
Finally, to be even more rigorous, be aware that when you open the official download page, the hash value and download link themselves might be tampered with by local malware or extensions. So confirm the hash from a different environment, such as the browser on a mobile phone or on a second computer.
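The download-and-compare procedure above, as an added example that is not part of the original article: it streams the file so a large APK is never loaded into memory, pulls the digest out of whatever text you copied from the download page, and treats a missing or malformed published hash as a failure rather than a pass. The sample "APK" it builds is constructed bytes, not a real package.

```python
"""Verify a downloaded APK against the hash published on the official site.

Added example, not from the original article. Works offline on any file;
the expected digest is whatever text you copied from the vendor's page.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

_HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def extract_sha256(published_text):
    """Pull a 64-hex-char SHA-256 out of text copied from a download page.

    Accepts forms like 'SHA256: ab12...' or 'ab12...  wallet.apk'.
    Returns lowercase hex, or None if no well-formed digest is present.
    """
    m = _HEX64.search(published_text)
    return m.group(0).lower() if m else None


def sha256_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB blocks so a large APK needs no RAM to spare."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_apk(path, published_text):
    """Return (ok, actual_hex, expected_hex).

    ok is False both when the digests differ and when no usable digest
    could be parsed: a missing published hash must never count as a pass.
    """
    expected = extract_sha256(published_text)
    actual = sha256_file(path)
    if expected is None:
        return False, actual, None
    # compare_digest is constant-time; not needed for a local file, but it
    # is the habit to keep for any hash or MAC comparison.
    return hmac.compare_digest(actual, expected), actual, expected


def demo():
    """Constructed sample: a fake 'APK' and a copy with one bit flipped.

    Returns (good_file_ok, tampered_file_ok); expected (True, False).
    """
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "wallet.apk"
        good.write_bytes(b"PK\x03\x04" + b"sample apk body" * 1000)
        published = f"SHA256: {sha256_file(good)}"  # as the site would show

        data = bytearray(good.read_bytes())
        data[100] ^= 0x01  # the smallest possible tamper
        tampered = Path(d) / "wallet_tampered.apk"
        tampered.write_bytes(bytes(data))

        return verify_apk(good, published)[0], verify_apk(tampered, published)[0]


if __name__ == "__main__":
    print(demo())
```

Call verify_apk("wallet.apk", "<text copied from the download page>") on a real download. A matching hash proves the file is the one the vendor published, nothing more; if the page itself was tampered with, the published hash may be the attacker's. The check that survives a compromised download page is the APK signing certificate: the Android SDK's apksigner verify --print-certs wallet.apk prints the signer's certificate fingerprint, which should be identical across every version the vendor has ever shipped, and Android itself refuses to install an "update" signed by a different key over an existing app.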
If the wallet download page you are about to visit does not support HTTPS, your first suspicion should be whether it is really the official website. If the team does not publish an APK hash for verification, you can also question how rigorous its attitude towards security is; such negligence is inappropriate and irresponsible. Think carefully before using such an app.
3. How to check if the currently installed platform or wallet app is safe?
In fact, the best method is to reach Google Play or the iOS App Store from the official download page and install from there. In theory the security level of Google's and Apple's app stores is far higher than that of any wallet vendor: they have world-class security software, hardware and talent, and wallets or platforms are not in the same league.
Therefore, by opening the Google Play or App Store page from the wallet's or platform's official download page and confirming the developer's company name, download count and review count (mainstream wallets usually have large numbers), we can consider the downloaded app safe. The store is not infallible, though: fake wallet apps impersonating well-known brands have passed review in both stores before, which is exactly why the developer name check matters.
If you are unsure whether the APK currently installed on your device is safe, follow the two previous tips to confirm the official source and verify the hash, then download and install it over the existing app. Do not forget to back up your mnemonic phrase first, in case data is lost during the overwrite and the wallet cannot be recovered (generally, overwriting or updating an app should not cause data loss). One useful side effect: Android refuses to install a package whose signing certificate differs from the one already installed under the same package name, so if a reinstall of the genuine APK fails with a signature mismatch, the copy already on your phone was not signed by the vendor.
4. Other suggestions regarding wallet security
If you do not use a cold or hardware wallet and prefer a hot wallet, the safest option is to install it on an iPhone. First, it only requires an overseas Apple ID, without the various hassles of Android; second, once an iPhone is locked, its data is encrypted with keys derived from the passcode inside the Secure Enclave, so it cannot be read without the passcode.
Many mainstream overseas apps (such as MetaMask) do not offer standalone APK downloads because of the security problems involved, though many vendors reluctantly open APK downloads because they need to attract new users and Android users are numerous. To avoid APKs on Android you need the Google Services Framework (including Google Play) and Google Authenticator, which for certain reasons have become very difficult to install; the third-party workarounds people turn to are themselves unofficial and may not be safe or rigorous enough.
Of course, if you must use an Android phone, you can choose a manufacturer that still natively supports the whole Google ecosystem, such as Samsung. In addition, installing the wallet inside a secure folder backed by hardware isolation (Samsung's Secure Folder, built on Knox) adds a second layer of protection, giving an effect similar to an iPhone, where sensitive data cannot be unlocked after the device is lost.
5. Suggestions regarding platform apps
Since most CEX platforms use multi-factor authentication, they are less affected by fake apps (which makes them harder targets for hackers). Still, confirm that the deposit and withdrawal addresses shown in the app match those shown on the official website. Also be sure to enable the platform's "whitelist" feature, so assets can only be withdrawn to pre-approved addresses.
Moreover, the biggest risk for CEX users, apart from the two local-hijacking cases above that modify deposit and withdrawal addresses, is phishing. Most people have the app, their SMS and Google Authenticator all on the same device, so if a hacker controls or monitors that one device, they likely obtain all three factors and can operate your platform assets.
Therefore, for security reasons, running all of your multi-factor authentication on a single device is not recommended. Install Google Authenticator on another, secure phone, or operate your platform account from a PC or the web interface without installing the app on your phone at all. This removes the single point of compromise and maximizes asset security.
03 Conclusion
Security is no small matter. Plain Language Blockchain believes security is worth discussing every day and at all times. In daily operations, taking just one more second to check these details can raise the security of your assets enormously. Why not do it?