mycelium-com / wallet-android

Mycelium Bitcoin Wallet for Android
http://mycelium.com

Enabling spending PIN / backing up seed not enforced #586

Open 2pac1 opened 3 years ago

2pac1 commented 3 years ago

Hey guys,

So the protocol that is now in effect for Mycelium on Android is:

  1. you install the app
  2. open the app and create a new wallet, for example
  3. you are not forced to back up your seed when creating a new wallet
  4. you can continue to use the wallet without a backup
  5. whenever you want to enable the SPENDING PIN, once you try to enable it, it will ask you to verify all 12 words that you should have backed up in the first place. Once you verify all the words (if not backed up, you then back them up), then and only then does the app allow you to set a spending PIN. If that were not enforced, it would mean you could have a wallet without a seed backup and could have set some random PIN, and once you forget that PIN, you can neither restore nor spend out of that wallet.

So what happens when the /data/data/com.mycelium.wallet/shared_prefs/settings.xml file, where Mycelium saves the PIN in clear text, gets deleted for whatever reason? And this could happen on a non-rooted phone. You could use TWRP or something else to access the path that is usually accessible only on a rooted phone and delete the settings.xml file, for example.

If you delete this file with TWRP prior to booting, what happens to your enabled spending PIN?

After the file has been deleted, you would reboot the phone, start the app and go to PINs; if you previously had the spending PIN enabled, it will now be disabled.

So, now when you want to enable it again, it will allow you to enable it again, but it will not ask you to enter/verify your seed again to verify that you do have a backup of the words - and that is a flaw in the security protocol. It asked you to verify before enabling it the first time; it should ask you every time you enable the spending PIN.

Whenever you are entering a PIN, for whatever reason, the first time or after settings.xml got removed, you should not allow anyone to set a spending PIN without verifying that they have the seed backed up and that they have proven it by entering the 12 words.

This has been tested and verified on:

  Phone: Nexus 5
  Android OS: 6.0.1
  Bootloader: unlocked (in order to install TWRP)
  TWRP: installed, 3.3.1-0
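One way to implement the check the reporter asks for, as an added example that is not the Mycelium project's own code: every call that enables the spending PIN demands a fresh verification of the 12 words and never consults a persisted "backup verified" flag, since such a flag would sit in the same shared_prefs directory as settings.xml and disappear with it. The PinStore interface, the source of the wallet's seed words and the word list used in main are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.text.Normalizer;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example, not code from the Mycelium wallet. Every request to enable the
 * spending PIN must be preceded by a fresh verification of the 12 seed words.
 * No "backup already verified" flag is consulted: such a flag would live in the
 * same shared_prefs directory as settings.xml and vanish together with it.
 */
public final class SpendingPinGate {

    /** Hypothetical sink that persists the PIN; how the real app stores it is out of scope here. */
    public interface PinStore {
        void setSpendingPin(String pin);
    }

    private final List<String> seedWords;   // the wallet's own words, in order (assumed to be available)
    private final PinStore store;

    public SpendingPinGate(List<String> seedWords, PinStore store) {
        if (seedWords.size() != 12) {
            throw new IllegalArgumentException("expected a 12-word seed");
        }
        this.seedWords = seedWords;
        this.store = store;
    }

    /** Normalises a word list (trim, NFKD, lower case, single spaces) so typing differences do not cause false mismatches. */
    static String normalise(List<String> words) {
        StringBuilder sb = new StringBuilder();
        for (String w : words) {
            if (sb.length() > 0) {
                sb.append(' ');
            }
            sb.append(Normalizer.normalize(w.trim(), Normalizer.Form.NFKD).toLowerCase(Locale.ROOT));
        }
        return sb.toString();
    }

    /** Compares the entered words with the wallet seed; MessageDigest.isEqual is constant-time for equal-length inputs. */
    boolean seedMatches(List<String> entered) {
        if (entered == null || entered.size() != seedWords.size()) {
            return false;
        }
        byte[] expected = normalise(seedWords).getBytes(StandardCharsets.UTF_8);
        byte[] given = normalise(entered).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    /**
     * Enables the spending PIN only after the caller proves possession of the
     * seed backup right now. There is deliberately no shortcut for
     * "already verified on a previous run".
     */
    public boolean enableSpendingPin(List<String> enteredWords, String newPin) {
        if (newPin == null || newPin.isEmpty()) {
            return false;
        }
        if (!seedMatches(enteredWords)) {
            return false;                 // wrong or missing words: PIN stays disabled
        }
        store.setSpendingPin(newPin);
        return true;
    }

    /** Demonstration with a constructed word list; this is not a real wallet seed. */
    public static void main(String[] args) {
        List<String> seed = Arrays.asList(
                "apple", "river", "candle", "stone", "window", "forest",
                "marble", "garden", "silver", "planet", "bridge", "meadow");
        SpendingPinGate gate = new SpendingPinGate(seed, pin -> System.out.println("PIN set"));

        // Wrong last word: rejected, nothing is stored.
        List<String> wrong = Arrays.asList(
                "apple", "river", "candle", "stone", "window", "forest",
                "marble", "garden", "silver", "planet", "bridge", "meadows");
        System.out.println("wrong words accepted? " + gate.enableSpendingPin(wrong, "2468"));

        // Correct words with different casing and stray whitespace: accepted.
        List<String> right = Arrays.asList(
                " Apple", "river", "candle", "stone", "window", "forest",
                "marble", "garden", "silver", "planet", "bridge", "MEADOW ");
        System.out.println("right words accepted? " + gate.enableSpendingPin(right, "2468"));
    }
}
```

This closes only the gap described in the issue (re-enabling the PIN without proving the backup exists). It does nothing against someone who can already write to /data/data/com.mycelium.wallet from recovery, and it does not address the PIN being kept in clear text in settings.xml, which is a separate concern.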

Giszmo commented 3 years ago

Sorry, I don't follow. How do you delete a file from protected storage? Can you also read it? Doesn't sound like an issue with our app but with Android itself.

If you refer to a flaw on rooted phones then please be aware that our app is not able to protect your funds on a rooted phone and 100% relies on the sandboxing provided by Android.