TL;DR

Coinomi doesn’t use SSL for their communication from their Android app to their backend servers. When you open the app, all of your wallet’s addresses are sent in plain text across the internet. Luke Childs noticed and pointed out the glaring security/privacy issue politely via GitHub. Coinomi refused to admit it was a problem. Twitter, Reddit, and GitHub hilarity ensued.

Screenshots

Coinomi appear to be in disaster recovery mode and are deleting public comments. Don’t worry though, Luke and I expected this, so we took screenshots of everything and made snapshots of the GitHub issue on the Wayback Machine, so you can see what was deleted so far and if they delete anything in the future.

Disclosure Timelines

All times in GMT

16 September 2017 @ 19:30: Luke posts the issue on Coinomi’s Android repo with the title “Use SSL for Electrum nodes” (later changed by Luke to include “Security Vulnerability: “, and then by Coinomi to the title below):

18 September 2017 @ 10:27: After not hearing anything for over 24 hours, Luke directly tags Coinomi’s CEO and CTO in the GitHub issue (this generally sends a notification, but that can be disabled):

25 September 2017 @ 20:48: After still not hearing anything, Luke reaches out to Coinomi on Twitter.

26 September @ 16:24: After waiting for 11 days with no response from Coinomi, Luke posts on Reddit to warn the general public that Coinomi is not using SSL to communicate from the Android application to their backend servers. That is, communication with the server is being sent in plain text:

27 September @ 00:17: I post Luke’s Reddit thread on Twitter, again warning the general public that Coinomi wallets are insecure:

Coinomi Respond – Hilarity Ensues

Editor’s note: right click + open image in new tab to read the text more clearly

Rather than admit they made a mistake, thank Luke, and fix the problem, Coinomi go on the offensive. My response to their handling of the issue started out like “wat”, moved to “they can’t be serious”, and settled at “this is insane – they’re committing PR suicide”:

Let’s start with the wat:

Then we move swiftly onto “they can’t be serious…”:

If you thought this was bad enough already, it gets worse. Coinomi say publicly that it’s not bad privacy to leak your wallet addresses:

They try to distract from the issue by saying it’s not all of their wallets that have this issue… just 87+. To quote Luke, “They weren’t even saying the ETH wallets didn’t have the issue, just that they weren’t running on ElectrumX on the backend. It was just a snarky remark that had nothing to do with the issue whatsoever.”:

They have the audacity to ask Luke for an apology. I’m still in my “they can’t be serious” stage by the way:

Then they went full retard. This is the “they’re committing PR suicide phase”. They implied that Luke is “hating” and that he is a “shill”. Luke is super entrenched in the OSS world, doing the majority of his work for free. He’s the least shilly person I know. Luke’s response is great:

And soon enough the public caught on to what Coinomi was doing after I posted a screenshot of the initial disclosure:

My personal favourite:

At some point along the way, I realised that Coinomi are based out of the UK, and had flashbacks to my data breach training at corporations whilst working there. I’m not 100% on this (I Am Not A Lawyer – IANAL), but I’m pretty sure in the UK that you have 24 hours from realising there’s been a security breach to report it to the UK’s ICO (Information Commissioner’s Office). Again, IANAL, but I think they might have refused to acknowledge this as a security concern for liability reasons. What adds evidence to this is that both myself and Luke were quite promptly blocked after this tweet:

Maybe because:

There are more hilarious comments from both sides, but I’ll leave it at that because it provides more than enough context/background to continue. Let’s move on to why all of this matters from 3 perspectives: security/privacy, legal, and general corporate behaviour/image.

Security and Privacy Concerns

Cryptocurrency users have the right to keep their public addresses private. Due to the lack of SSL, all of your Coinomi wallet addresses are broadcast in plain text whenever you so much as open Coinomi on your phone. You can partly get around this by using a VPN (which only moves who can read the traffic from your local network to the VPN provider and everything between it and Coinomi’s servers), but you shouldn’t have to in the first place – the functionality needed to keep things private and secure is already integrated into the open source software that Coinomi is using on their backend servers. They literally just need to create a certificate and wire up the config settings. That they haven’t just done that is shocking! Any competent sysadmin/devops could have this resolved in under an hour. Again, the time and cost to fix this is infinitesimally small. As you can clearly see from the screenshots above, the people have spoken on this one – whether Coinomi want to admit it or not, this is a huge privacy and security concern for their users.
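To make concrete what “sent in plain text” means on the wire, here is an added Python example (mine, not Coinomi’s or ElectrumX’s code). It builds the Electrum-protocol subscribe requests a wallet sends for each of its addresses when it opens, shows that anyone watching plaintext TCP can pull every address out of the capture byte-for-byte, and refuses to connect to a server at all unless TLS is used. It assumes the Electrum protocol 1.0 method name blockchain.address.subscribe and the conventional server ports 50001 (plaintext) and 50002 (SSL), none of which the post itself names; the first sample address is the public one given later in this post, the second is a constructed placeholder.

```python
import json
import socket
import ssl

# Constructed sample wallet: the first address is the public one quoted in the
# post; the second is a made-up placeholder, not a real Bitcoin address.
SAMPLE_WALLET = [
    "1FT2kF87rWxn2mvQViW14BvuXFb1MSyRAR",
    "1ExamplePlaceholderAddressXXXXXXXX",
]

# Conventional Electrum server ports (assumed; the post gives no port numbers):
# 50001 is plaintext TCP, 50002 is TLS ("SSL" in Electrum terminology).
ELECTRUM_TCP_PORT = 50001
ELECTRUM_SSL_PORT = 50002


def build_request(req_id, method, params):
    """Serialise one Electrum-protocol JSON-RPC request (newline-delimited JSON)."""
    return (json.dumps({"id": req_id, "method": method, "params": params}) + "\n").encode()


def wallet_open_traffic(addresses):
    """Bytes a wallet emits on startup when it subscribes to every address it holds.
    blockchain.address.subscribe (Electrum protocol 1.0, assumed here) carries the
    address itself as its parameter, which is exactly what leaks over plaintext."""
    return b"".join(
        build_request(i, "blockchain.address.subscribe", [addr])
        for i, addr in enumerate(addresses, start=1)
    )


def exposed_addresses(wire_bytes, addresses):
    """Addresses an on-path observer can read verbatim from captured bytes.
    Over plaintext TCP that is every subscribed address; a TLS record carries
    only ciphertext, so the same check over TLS bytes finds nothing."""
    return [addr for addr in addresses if addr.encode() in wire_bytes]


class PlaintextRefused(Exception):
    """Raised when a caller tries to talk to an Electrum server without TLS."""


def connect_electrum(host, port=ELECTRUM_SSL_PORT, use_tls=True, cafile=None, timeout=10):
    """Open a TLS connection to an Electrum server and return the wrapped socket.

    Many Electrum servers use self-signed certificates; pass the server's own
    PEM certificate as `cafile` to pin it. Plaintext is refused outright, the
    client-side counterpart of the server-side fix the post asks for.
    """
    if not use_tls:
        raise PlaintextRefused(f"refusing plaintext Electrum connection to {host}:{port}")
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


def plaintext_is_refused(host, port=ELECTRUM_TCP_PORT):
    """True if connect_electrum() rejects a plaintext attempt before touching the network."""
    try:
        connect_electrum(host, port, use_tls=False)
    except PlaintextRefused:
        return True
    return False


def subscribe_over_tls(sock, addresses):
    """Send the subscribe requests over an already-wrapped TLS socket and return
    the server's JSON replies, one per request, in arrival order."""
    sock.sendall(wallet_open_traffic(addresses))
    replies, buf = [], b""
    while len(replies) < len(addresses):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            replies.append(json.loads(line))
    return replies


if __name__ == "__main__":
    traffic = wallet_open_traffic(SAMPLE_WALLET)
    print("plaintext capture leaks:", exposed_addresses(traffic, SAMPLE_WALLET))
    print("plaintext refused:", plaintext_is_refused("electrum.example"))
```

Run as a script it prints both sample addresses as recoverable from the plaintext capture and confirms the plaintext connection attempt is refused; to talk to a real server, call connect_electrum with the server’s pinned certificate as cafile and pass the socket to subscribe_over_tls.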

Legal Concerns

Disclaimer: I am not a lawyer. This is just my interpretation of things. Happy to edit if anything is wrong/misleading:

In the UK, when data has been leaked and it’s your company’s fault, you have to report it to the ICO (Information Commissioner’s Office). You generally have about 24 hours to report from the moment you realise that a “data breach” occurred. If Coinomi refuses to acknowledge the leak, they might be able to skirt around this law. Publicly admitting that data has been leaked would be quite a liability for them. I think this could be the reason that they acted so strangely about everything. Data protection laws in the UK are quite strict, and if you run afoul of them you end up in a whole heap of legal issues. Again, I’m not a lawyer, but I can’t think of anything else to explain their bizarre reaction to their community trying to make their platform more secure.

It’s worth noting that the ICO states SSL configuration issues are frequent in their data breach investigations:

Corporate Behaviour Concerns

The Tweets speak for themselves. This is not how a responsible corporation deals with a security concern or treats their users generally. The Tweets they came out with came across to me and many others as extremely childish, which is not the attitude I want in a company that creates software that literally holds my money. Coinomi really need to clean up how they deal with the public. The people that do it for them now are clearly not well trained enough for the job. They also have no way that I know of to report security vulnerabilities, which is a bit concerning considering the type of software they make.

As of writing (29 September 2017), Coinomi still haven’t admitted that this is a problem and have provided no ETA regarding when it will be fixed.

Open Source Concerns

Coinomi market themselves as an open-source wallet, but they are clearly not:

The title of their site literally says Coinomi is an open-source wallet, but their Android source code hasn’t been updated in months (although newer versions of the app have been released on the Google Play Store):

Even more worrying is their attitude towards OSS as a whole:

This is not how open source works. They also use open-source software to support their platform, and they may be running afoul of these products’ licenses. I’ve not had time to properly dig into this, as the main issue I have is with Coinomi’s handling of the SSL incident, but perhaps an open-source buff can take over the investigation on this front and see what else Coinomi have managed to make a mess out of? If you uncover anything and don’t have the time to write about it, feel free to pass the information over and I’ll make sure you get full credit for everything I publish about it (or not if you want to remain anonymous).

A Personal Note About Luke

Luke is one of the biggest OSS buffs I know. Just check out his GitHub, it speaks for itself. For example, here’s his PR to add RFC-compliant caching to an OSS project that gets 8 million downloads per month. These are not small, insignificant things he’s doing. He genuinely cares about OSS projects, and often fixes issues in projects himself, but in this instance he couldn’t because Coinomi’s code isn’t open source. He cares not only about the code he writes, but also the community that uses that code as a whole. That is why he responsibly reported this issue to Coinomi, and is also why we later pushed the issue after getting no response. There have to be people like Luke out there checking that things are actually done securely and follow best practices. Luke should be thanked for that by Coinomi and the community as a whole. We need more people like Luke. He spends the vast majority of his time working for free. He didn’t ask for me to put this in here, but I think we should all show him our support in order to encourage this behaviour in others and to thank him for bringing this to our attention. Here’s one of his public Bitcoin addresses: 1FT2kF87rWxn2mvQViW14BvuXFb1MSyRAR. When I asked him for it, he literally said, “oh… I didn’t even think of that.” That’s who Luke is.

Although the majority of Luke’s time is spent on open-source projects, he does occasionally do freelance work so he can buy food and pay his rent. If you’re interested, you can contact him here for work requests: lukechilds123 {at} gmail com.

Luke uncovered this and did all the real work, so let’s put him first. If you like what he did and want to show your support, feel free to follow him on Twitter.

Like the post? Follow me on Twitter to hear about when I post more stuff. Do you disagree with any of my sentiments? I’m always willing to listen to counterarguments. Feel free to either Tweet me publicly or DM me privately.