Security Issues in Coinomi Wallet? A Fair Balance
As a crypto user with some seniority, I like the Coinomi wallet. I wrote an entire review about it and included it in my list of the best mobile multi-currency wallets.
But, despite my preferences and the fact that they claim they have had no security issues since their first launch, there are people complaining about some security aspects of this wallet. Two cases drew my attention:
- February 2019: the Reddit user Warith Al Maawali claimed he lost around $70k because of Coinomi;
- September 2017: developer Luke Childs's attempt to get an improvement made to Coinomi's open-source software.
I will say from the outset that this article is not some conspiracy theory served up as a dish. I am trying my best to remain as objective as I can, so that you get balanced information. Below you will find the two stories mentioned, but also Coinomi's response. My aim with this article is to help you decide correctly whether the Coinomi wallet is safe enough for your investment.
First Issue: The story behind the $70k loss
Warith Al Maawali is a crypto user who explained on this website how a lack of security in the implementation of the Coinomi wallet made him lose his savings. Long story short: he installed the Coinomi wallet on his Windows device. Then he (probably) chose to set a custom passphrase. The passphrase he entered was the same one he used for his Exodus wallet. A week later he realized he had lost 90% of his Exodus wallet assets.
Why does he blame Coinomi software?
This user seems to have some knowledge of software development. As a matter of fact, he noticed that the main Windows application of the Coinomi wallet did not carry a digital signature, although the setup file did. After he contacted support, this was fixed.
When his digital assets were gone, Warith retraced his steps in order to analyze how this had happened. He says he repeated every step in a virtual machine while monitoring all HTTP/HTTPS requests.
Additional information regarding HTTP/HTTPS requests and security.
If you already know what this is about, please skip this section.
Additional info. When you use different features of an application, data is sent over the internet. For example, when you log in to Facebook, some HTTP/HTTPS requests are made. This basically means there is a conversation between your device (phone/laptop) and a Facebook server. That conversation goes something like "user icl_cx1090 with password/hash 1234%$#@! wants to authenticate. Are the credentials valid?" The server performs some verification and answers "yes/no". As you may imagine, things are a little more complicated behind the scenes, and every developer reading this will laugh. But that is the basic idea.
Security info. An HTTPS connection is considered secure because the conversation (the data sent and received) is encrypted. Over a plain HTTP connection, your password is sent as plaintext. If a hacker has access to this kind of data, he can take over your accounts.
Back to Warith's story
When configuring his Coinomi wallet in the virtual machine, he saw something surprising. When he used the restore wallet function, he could see that the passphrase was sent, as plaintext, to a Google server. He explains how this is technically possible. One of the Coinomi software components has a spell-check feature built in. This feature is provided by Google and it sends the text to be checked to a Google server (probably over an HTTP connection??).
If I understood correctly, according to Warith, when he entered his Exodus passphrase, the sequence of 12 random words ended up in someone's hands (and that someone works for Google). And anyone involved in the crypto world would recognise that such a sequence might be a wallet passphrase.
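As an added example (not code from this post, from Warith, or from Coinomi), here is a defender-side check in the spirit of what Warith did: it scans captured HTTP/HTTPS requests for a run of twelve or more consecutive BIP39 wordlist words, which is how a seed phrase leaking through a spell-checker or similar plug-in would show up. It assumes the capture has already been reduced to scheme, host, URL and body, and it uses a small constructed subset of the wordlist.

```python
import re
from urllib.parse import unquote_plus

# Constructed subset of the 2048-word BIP39 English wordlist (assumption: a real
# audit would load the complete list from the BIP39 reference repository).
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
legal winner thank year wave sausage worth useful yellow zoo zebra zone
""".split())

MIN_MNEMONIC_WORDS = 12  # shortest valid BIP39 phrase


def longest_wordlist_run(text):
    """Length of the longest run of consecutive tokens that are all wordlist words."""
    best = run = 0
    for token in re.findall(r"[a-z]+", text.lower()):
        run = run + 1 if token in BIP39_SUBSET else 0
        best = max(best, run)
    return best


def scan_requests(requests):
    """Flag captured requests whose URL or body carries a mnemonic-length word run."""
    # Any seed phrase leaving the device is a finding; the transport only says whether
    # parties on the network path could read it too (http) or only the recipient (https).
    findings = []
    for req in requests:
        for field in ("url", "body"):
            run = longest_wordlist_run(unquote_plus(req.get(field, "")))
            if run >= MIN_MNEMONIC_WORDS:
                findings.append({
                    "host": req["host"], "field": field, "words": run,
                    "transport": "plaintext" if req["scheme"] == "http" else "encrypted",
                })
    return findings


# Constructed capture: a spell-check style call carrying a sample mnemonic (the
# well-known 'legal winner thank ...' BIP39 test vector, not a real wallet's seed),
# an ordinary API call, and an ordinary sentence sent for spell checking.
SAMPLE_REQUESTS = [
    {"scheme": "https", "host": "spellcheck.example", "body": "",
     "url": "/check?text=legal+winner+thank+year+wave+sausage+worth+useful"
            "+legal+winner+thank+yellow"},
    {"scheme": "https", "host": "api.example", "url": "/v1/balance",
     "body": '{"address": "bc1qconstructedexample"}'},
    {"scheme": "http", "host": "spellcheck.example", "url": "/check",
     "body": "text=please+check+this+year+and+thank+you"},
]
```

Ordinary English sent for spell checking contains wordlist words too, which is why the check requires a consecutive run of mnemonic length rather than any single hit.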
I had a look at the Coinomi wallet and, indeed, in the settings menu there is a Mnemonic Code Converter. You can type your own twelve words in as a passphrase, but why in the world would you do that? We seem to have different approaches to security.
Could this story be fake?
Well, parts of this story could be fake. In my personal opinion, such a leak in Coinomi's software is plausible. I mean, shit happens, even at this level.
On the other hand, the story of the loss could be fake. I mean, why would someone link two crypto wallets this way? Just transfer the money if you need to. According to common-sense security rules, you should not use the same password for two different accounts. Why would you choose the same passphrase?
And, according to Warith, only people from Google and/or Coinomi could have accessed that HTTP(?) request and stolen the passphrase. I am not sure I understand why that would be.
My impression of Coinomi's CTO
You can follow the Twitter conversation that Warith had with the Coinomi CTO at this link. Of course, it could be fake, but let's assume it is genuine. Warith is, in my opinion, quite aggressive and threatening, but it was his money at stake and we can presume he had the right to be, couldn't we? I don't blame him, but the CTO's answers are, interestingly, good. He takes a normal business position: he cannot promise to pay any money without clear evidence of the loss. Finding a software vulnerability doesn't mean they have to pay $100k. A loss caused by their fault has to be proven first.
Give Warith some help
Don't get me wrong, I am not saying Warith is lying, nor that he is telling the truth. I do believe that Coinomi had an issue with this. I just have some doubts about this user's loss.
But, if you trust the story and think you can help him in any technical way, please contact him either on his website or on Twitter. Blockchain transactions are irreversible, but they are also transparent, so everyone is able to see what funds were transferred from which address to which address. If you have any expertise in identifying the potential thieves, please help Warith.
Personal experience with Coinomi
I have been using Coinomi (the mobile application) for more than two years now and I haven't experienced any problems. I have moved my wallet between different Android devices, then moved it to iOS when that version was launched. By moving, I mean restoring. So, if this story is true, my passphrase is probably visible/available to those people. I have to mention that I've never kept large amounts in this wallet, as I use it for little-known cryptocurrencies only.
On the other hand, I am no one to say whether this story is true or not. As already mentioned, I believe there is a chance that the fund-loss story is fake. I didn't replicate what Warith did, so I cannot confirm or refute his theory regarding Coinomi's security. But if you want to do it, there is a video with all the steps on his website. Let's not forget that the internet is a very free world. There are many (fake) users blaming brands and claiming things. Is Warith one of them?
Coinomi's Response (section added AFTER I first published the article)
Shortly after I published this article (as you can see above), someone from Coinomi contacted me. They linked to this article and politely asked me to have a look at their official response regarding the issue. After reading it, I found it fair enough to add this section, because we should always see a story from both sides.
In that article, Coinomi admits there was an issue in the desktop versions of their application. They call it a bad configuration option in a plug-in, which is precisely what Warith said. On the other hand, Coinomi explains that a hack wasn't possible: the passphrase was not transmitted in plaintext (it went over an HTTPS connection) and Google (the only recipient) was contacted. Obviously, Google has rejected any potential accusations. More than that, Google claims the requests coming from the Coinomi wallet were never processed because of their badly formed structure.
So, if I understand correctly, according to Coinomi, no one has ever seen anyone's passphrase because the issue was only half a problem? I am not sure.
What Coinomi's article has confirmed is that:
- there was a problem in the desktop versions of the Coinomi application; so, if you use one, make sure it is up to date;
- no mobile version was affected (great for me);
- there is no evidence that any funds have ever been stolen (according to Coinomi), but this is still to be investigated.
As a personal opinion, overall, I like Coinomi as a company. I don't know what the whole truth in this story is, but the fact that they responded so quickly makes me like them. Of course, this does not guarantee they will not have security breaches. But it shows they do their best to remain a leader in the world of multi-currency crypto wallets.
Second Issue: The missing SSL
The second story about Coinomi security issues is older and less complicated. Back in September 2017, a smart developer, Luke Childs, discovered that the data sent between the Android Coinomi app and the (Electrum) server travelled in plaintext (no SSL). This basically means that all wallet addresses could be seen by anyone observing the connection. Well, this is not great, especially in the long term. On the other hand, it is not straightforward damage either. Adding SSL was a must, but the lack of it probably didn't harm anyone at the time.
If you follow the thread of this discussion, Luke Childs was professional. But the responses of the Coinomi support/representatives were quite childish and rude. Sometimes it is better to accept the bullshit and fix the problem. On the other hand, the author of this article has a possible explanation for the behavior. Coinomi LTD is a company from the UK and they could have had legal concerns. If they had admitted the mistake, they might have faced a lot of legal complications. Maybe that complication didn't actually make sense.
Final Thoughts
The first story I told you about drew my attention first. Everything to do with cryptocurrencies is a little risky. Coins can die, some ICOs are scams, exchanges get hacked, people receive email scams and hot wallets are not super trustworthy. Of course, there are solutions: you can use hardware wallets or other alternatives that are also secure. But at a conference in December 2018, some researchers showed vulnerabilities in the Trezor One and two Ledger Nano wallets. Although the Ledger team said the vulnerabilities are not critical, the question of "what if" remains.
Disclaimer. This article can also be found on the Crypto Land website, with which I have a collaboration.