Deja vu Security x Status
The last several decades of the internet—from inception to mass adoption—have seen truly exponential growth and change. Consistent with Moore’s Law, which holds that processing power doubles every two years, web technology has gone from an intellectual curiosity of a few to an all-encompassing extension of our personhood for all. The internet has without a doubt revolutionized societies and significantly affected the course of human evolution—for good and bad.
Just as social prophets predicted the massive socio-economic upheaval of the internet, so too have they begun to herald the latest disruptive technology known as “blockchain.” To detractors, blockchain is either just another technological false messiah or, worse, a system by which inequalities and dangers already present in the internet will quickly compound. To proponents, blockchain represents the next stage of socio-economic evolution, wherein everything from the act of hailing a cab to the very foundation of politics and finance will be liberated from dangerous, unjust, and overly powerful actors: “The same way the internet revolutionized communication, blockchain is going to revolutionize trust. Now there is an alternative to institutions and governments. We can rethink the whole system.” (Justin Drake, Researcher at the Ethereum Foundation, quoted in the MIT Technology Review May/June 2018).
Put simply, blockchain is a virtual system in which every step in a process is at once nearly 100% documented and traceable, and yet nearly 100% private and decentralized. The power of verification and disclosure rests not with one central authority, such as a bank or government, but with potentially millions or even billions of computers, or “nodes,” operated by possibly just as many different people. In a truly decentralized blockchain system known as “proof of work,” fraud, corruption, or centralized power of any kind is theoretically possible but practically implausible.
The potential promise of a decentralized future with power in the hands of the many, and personhood in the hands of the self, is what led Jarrad Hope and Carl Bennetts to found Status, an ambitious blockchain-based mobile platform that allows users to conduct financial transactions, communicate, and ideally, do basically everything else they would ever need to do online, with safety and self-sovereignty. They encoded their beliefs into the name of their project: “Status” comes from “the State of Us,” and they envisioned a borderless, decentralized community (a “state”) that anyone can be a part of—the promise of the internet from its early days, but finally truly realized.
Along the way, Status has evolved from a platform for cryptocurrency transactions and messaging to an app that functions essentially as a mobile operating system, running on standard systems like iOS and Android. The idea is to have users download Status from their phone’s app store, and then through Status, they’ll be able to do everything they would normally do on their phone—manage their finances, communicate with others, and banal tasks like order food—but with the benefit of those actions being done on a decentralized, heavily-encrypted system where they own their data.
One challenge Status faces in building a decentralized platform is that most applications users currently use to perform tasks, such as booking a cab, are not themselves decentralized; it’s not as simple as opening Status and accessing, for example, Uber, from within it. Since nearly all applications have centralized servers that store data, using those applications from within Status wouldn’t make any sense; to have the process be completely decentralized, Status works with what are called DApps—decentralized apps. Like everything else that runs on blockchain, DApps do not collect data in a central location—they are everywhere at once and thus nowhere, and users themselves own their own experience and the data they already have and create along the way. There are obviously nowhere near as many DApps as there are centralized applications, but the developers at Status believe DApps are the future. They’ve created their own first-party DApps, including an app for chatting, an app for financial transactions, and an app for browsing the web. Though third-party DApps are few and far between, their numbers are growing, and Status is incorporating them into its own app, with the goal of making Status a blockchain-protected method of accessing the “revolutionary world” of DApps.
Unfortunately, just because something is run on a blockchain doesn’t make it inherently perfectly secure. To be sure, when implemented absolutely flawlessly, blockchain is, at least with current computing power, nearly functionally impregnable. But blockchain experts like the ones developing Status know better than to blindly trust in a technology, even if it’s touted as the most secure internet technology ever. Status COO Nabil Naghdy explains, “People are going to be trusting us with potentially their life-savings. It’s a precarious case when you’re handling people’s money…There are a lot of potential attack vectors we’re dealing with, so we wanted to make sure we’re covered for most if not all of those risks…Having someone audit [the platform] was pretty key.”
The developers at Status had three top security concerns they wanted audited, so they could have the confidence to launch the platform and protect their users: first, financial transaction integrity—making sure transactions were authenticated and truly authorized; second, protection against data leakage outside the app; and third, that the app was protected against hacking and malicious actors.
But not just anyone can audit a blockchain project: The nascent technology is highly complex and for many, still shrouded in mystery. Luckily for Status, by the time they were ready for an audit, Deja vu Security (Deja) had already completed projects for both the Ethereum Foundation itself and the blockchain-run financial management system Melonport - among others. After a referral to Deja and discussions about Status’ needs and the scope of the project, two Deja security consultants got down to brass tacks.
Dan Wessling, the lead consultant on the Status project, had just come off working on Melonport, and was in charge of managing the engagement’s scope, overhead, and other logistics so the other consultants could focus solely on the code. He described the general flow of work for Status as starting with assessing its architecture, and then looking for attack surfaces. “The first [attack surface] we look for is, where does the user control data that the application is taking in? Another thing we look at is configurations of whatever services, frameworks, or libraries they’re using…[We also look for] how sensitive data is stored, managed, and cleared. And especially when we’re working with blockchain, one thing we need to look into is the implementation of the app’s cryptography.” Wessling explained that the team studied the entropy of Status’ twelve-word backup phrases—a security measure that in practice is unlikely to be broken by an attacker but is—like with all of blockchain—not inherently foolproof. And Status wasn’t interested in taking chances: COO Naghdy urged that “[The app’s security] is very important for us; because of how cautious we are in holding people’s funds, we had to make sure it was secure. It wasn’t optional.” Deja’s team was satisfied with the backup phrase implementation, calling it “sound.”
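As an added illustration (not code from the case study, Status, or Deja), here is what “the entropy of a twelve-word backup phrase” comes to when the phrase follows a BIP39-style layout; the page does not say which scheme Status uses, so that layout, the 2048-entry stand-in wordlist, and the function names are assumptions. The point an auditor checks is twofold: the arithmetic (12 words × 11 bits − 4 checksum bits = 128 bits) and that those bits come from a cryptographic RNG.

```python
import hashlib
import secrets
from math import log2

# Constructed stand-in wordlist (2048 entries, like BIP39). Real lists use dictionary words.
WORDLIST = [f"w{i:04d}" for i in range(2048)]
BITS_PER_WORD = int(log2(len(WORDLIST)))  # 11 bits per word for a 2048-word list


def entropy_bits(word_count: int, wordlist_size: int = 2048) -> int:
    """Real entropy in a phrase: encoded bits minus the BIP39-style checksum
    (one checksum bit per 32 entropy bits, i.e. encoded_bits // 33)."""
    encoded = word_count * int(log2(wordlist_size))
    return encoded - encoded // 33  # 12 words -> 132 - 4 = 128


def entropy_to_phrase(entropy: bytes) -> list[str]:
    """Append the SHA-256 checksum bits and split into 11-bit word indices."""
    cs_len = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_len)
    bits = (int.from_bytes(entropy, "big") << cs_len) | checksum
    total = len(entropy) * 8 + cs_len
    return [WORDLIST[(bits >> (total - 11 * (i + 1))) & 0x7FF]
            for i in range(total // 11)]


def phrase_to_entropy(words: list[str]) -> bytes:
    """Recover the entropy and reject a phrase whose checksum does not match."""
    total = len(words) * 11
    cs_len = total // 33
    bits = 0
    for w in words:
        bits = (bits << 11) | WORDLIST.index(w)
    entropy = (bits >> cs_len).to_bytes((total - cs_len) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_len)
    if bits & ((1 << cs_len) - 1) != expected:
        raise ValueError("checksum mismatch: phrase was altered or mistyped")
    return entropy


def new_phrase(word_count: int = 12) -> list[str]:
    """Generate a phrase; the entropy source must be a CSPRNG, not random.random()."""
    return entropy_to_phrase(secrets.token_bytes(entropy_bits(word_count) // 8))
```

Swapping `secrets.token_bytes` for a seeded or time-based generator leaves the word count and checksum intact but collapses the effective entropy, which is exactly the defect an entropy review is meant to catch.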
But Status still had some work to do: Deja found four highly critical vulnerabilities and a handful of vulnerabilities of medium-to-critical risk. Among the vulnerabilities were issues with API implementation and potentially malicious DApps taking advantage of the platform. Some companies might balk at security experts poking holes in their work, but Status was ready for it: Nabil explained, “We were prepared to put in the time to fix [any vulnerabilities]. They weren’t simple to fix, but it didn’t delay the project. We wanted to make sure we’re covered for most if not all risks.” Status’ team was able to address every one of the issues Deja found, and considered Deja’s work so useful that they plan to book them again for another round of audits. On this first engagement: “Practically, we discovered vulnerabilities. But it also gave the team the confidence to launch the app and gave them a lot of experience in discovering vulnerabilities for themselves. We’ll be doing many more security audits internally, though we’ll also continue to use external audits, like Deja’s.”
Deja’s security consultants enjoyed the work too and spoke highly of Status: “This is cutting-edge technology—this is the first time we’ve seen an Ethereum client on a mobile device. They’re using new technology in a new way.” They’ve also appreciated the collaborative and safety-first attitude of blockchain clients in general: “Blockchain developers are terrified [of security risks]. When we find stuff, they say, ‘good catch,’ whereas other developers may get defensive. [Blockchain] developers have more of a security mindset when they’re programming.” Despite that, Wessling knows that hiring external security auditors like Deja vu Security is still crucial. He originally came from a development background, and having been in that environment before, knows its challenges: “While it’s very good practice to [program software] with a security mindset, it’s very difficult to put all your focus in both development and security. When you’re creating software—especially in a rapid and agile development environment like with Status—if you’re constantly focusing on security all the time, it hinders your development speed. Hiring a security company whose only focus is the security of your application allows your developers to focus on what’s important to them, and that’s developing. Developing is already hard enough.”
Status plans to make the app available to the wider public later in 2018, but early access to the beta is currently available to coders who support an open-source, decentralized world. Deja vu Security continues to run security engagements for some of the world’s largest companies and is always open to new opportunities. Contact the Status team at status.im, and Deja at dejavusecurity.com.