Status resolves key issues in pre beta release security audit

Status, the mobile OS built for Ethereum, announced today that Déjà Vu Security, a leading Ethereum security expert, completed a security audit in preparation for the release of Status Beta.

Contracted in Q1 ’18, Déjà Vu Security performed an extensive review of the Status codebase as well as manual penetration testing.

The scope of the audit, which covered the Status React and Status Go repositories, is outlined below.

  • Transaction signing authorization
  • Forgery of malicious transactions from within a ÐApp
  • The integrity of views utilized by customers for reviewing and auditing transactions
  • Disclosure of sensitive information to unauthorized third parties
  • Private key generation and derivation
  • Public key exchange procedures between Status clients
  • Cross-account privilege escalation on a user’s device
  • Testing on iOS and Android platforms
  • Timeboxed, code-assisted penetration testing of ÐApp JavaScript evaluation in jailed contexts

Déjà Vu uncovered 4 major issues, which have now been resolved:

  • Improper Storage of Mnemonic Passphrases in Status.im Android Client
  • Improper Storage of Mnemonic Passphrases in Status.im iOS Client
  • Chat history persisted after the chat was deleted
  • Web3 Management APIs enabled

Getting ready for Beta and V1

The Status team said:

“Finishing the security audit prior to the release of Status Beta is not only essential to our roadmap, it’s foundational to our approach to our community and their security. We want to make sure we create the best possible experience for everyone who downloads and uses Status.”

Déjà Vu Security is a key contributor to the security audits of Go Ethereum; they were selected by Status because they’re a trusted partner in the Ethereum community with extensive smart contract experience. They will also be a partner of Status post-Beta release as they prepare for the release of v1.
