Wallet and Infrastructure Security Features
Wallet encryption features: There’s already an article on Medium that describes how the app treats the seed phrase and private keys of users by applying top-notch cryptographic protocols, biometrics, and secure storage.
Lock manager with on-chain time lookup: The lock manager goes hand in hand with wallet encryption. It locks the wallet after a certain period of inactivity (currently set to two minutes). It also ensures that the number of valid authentication tries is limited to five such that the pin code cannot be brute-forced. One has to wait a couple of minutes before the next attempt can be made. And here comes the magic. Even changing the system time of the mobile phone does not reset the lock timer, as it does not rely on the system time but uses timing information from the blockchain. This is an outstanding security feature among crypto wallets, to the best of our knowledge, and is especially helpful in case you have lost your phone.
Communication to our backend is solely done via HTTPS, according to industry best practices. We have configured our backend to allow only encrypted connections. That means no data is sent in plaintext to our backend servers which is especially important when handling sensitive data such as user names for the airdrop.
Automatic security updates by using GitHub Dependabot: You all probably have heard of software security issues due to the use of outdated external software libraries. Indeed, managing all the dependencies that exist in modern software can be cumbersome. Dependabot is a GitHub feature that helps us alleviate this problem by raising automatic security alerts when it detects a vulnerable piece of external software that is used in one of our repositories.
Smart contract audits: All used smart contracts have been evaluated by the popular auditing service SOLIDproof from Germany. All major findings have been fixed by our experienced smart contract developers. You can find the audit report along with the source code of the contracts in our public GitHub repository.