BiYong, An IM-Integrated Digital Wallet App, Poses Serious Privacy and Personal Risks
[Update: (2018-06-05) The latest version of Biyong has accordingly fixed the reported issues! Thank Biyong team for responsible and timely upgrade!]
Digital wallets provide an essential functionality in managing digital assets or tokens for users and are considered a key pillar in the broad blockchain ecosystem. In today’s mobile app markets, there are quite a few wallet-oriented mobile apps (e.g., Exodus and imToken) that provide great convenience and service for managing digital assets. However, different from other mobile apps, digital wallets may face stricter requirements and higher standards for better privacy and security, especially with the enforcement of EU General Data Protection Regulation (GDPR).
Recently, researchers at PeckShield have examined a number of mobile app-based digital wallets and came across a well-known blockchain-oriented IM app, i.e., BiYong, with nearly 3 million monthly active mobile users. This particular app aims to become “WeChat” in the Blockchain world by building a social network that links Blockchain users, communities, media, assets, applications and etc. It not only offers features to seamlessly interact with Telegram, but also provides digital wallet functionality for asset transfer or payment. However, our analysis shows that BiYong fails to hold a high standard in managing and collecting users’ private information. Specifically, this app collects user ID in Telegram (i.e., Telegram ID and name), telephone number, and even payment passcode and uploads them to BiYong servers in plaintext! We consider it completely unacceptable as it violates user privacy and disobeys the fundamental spirit behind Blockchain for the maintenance of user privacy and pseudonymity.
We examine a recent version of BiYong’s Android app downloaded from mainstream app markets. The basic information is shown as follows:
|App Name||Package Name||Version||Platform|
After diving into the code logic decompiled from the app, we found that there existed severe privacy leakages in BiYong’s app. The first leakage was found in LoginActivity which calls uploadUserInfo() whenever a successfully login occurs.
As shown in Figure 1, uploadUserInfo() collects user’s ID (e.g., Telegram ID/name) and telephone number into a local variable named v3. Then, the content of v3 are uploaded to a predefined URL — UrlConfig.URL_USER_UPLOAD. As shown in Figure 2, UrlConfig.URL_USER_UPLOAD points to https://www.biyong.info/app/user/upload, a private domain owned by BiYong.
Moreover, we also came across another leakage in RollOutActivity which calls sendOutToServer() when an user transfers cryptocurrency.
As shown in Figure 3, the plaintext password is stored in v3.trxPassword. Later on, the content of v3 is again uploaded UrlConfig.URL_OUT_SUBMIT. Our analysis (Figure 4) shows that UrlConfig.URL_OUT_SUBMIT points to https://www.biyong.info/app/wallet/withdraw/create, another domain owned by BiYong.
We notice that the leaked password is 6 digits long. And many payment methods use 6-digits passcodes, for example, in credit cards, Alipay, and WeChat etc. Due to the fact that many people might use the same password across a variety of payment methods, it’s extremely dangerous when an attacker can get hold of the 6-digits passcodes along with the victim’s phone number.
In summary, whether it’s an intentionally built-in feature or a terrible mistake, those leakages reflect the lack of awareness of basic software security. BiYong should hold a high standard and take responsibility for protecting users’ private information, especially with the latest enforcement of GDPR.
PeckShield Inc. is a blockchain security company which aims to elevate the security, privacy, and usability of current blockchain ecosystem by offering top-notch, industry-leading services and products (e.g., smart contract auditing). Please contact us at Telegram, Twitter, or Email.