pineapples
Legendary
 Offline
Activity: 1204
Merit: 1000
to your stations, man the pineapples!!!
|
 |
January 30, 2015, 06:32:16 AM |
|
Might be time you guys go open-source and let people help with bugs more. I mean it is an Android app so the source is available if you want it, no sense in keeping it closed any longer.
Bump. Crypto is only strong if you can prove it openly. If there's a bug/flaw and you keep it closed you're risking the whole project. Make it open and let the community help improve it. Like I said before, it's an Android app, the source is readily available anyways so might as well invite the community. if you had the source you could fake the accelerometer requirements. cheaty haxors  |
|
|
|
|
|
|
|
|
In order to achieve higher forum ranks, you need both activity points and merit points.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
|
Quartx
|
|
January 30, 2015, 08:24:05 AM |
|
Might be time you guys go open-source and let people help with bugs more. I mean it is an Android app so the source is available if you want it, no sense in keeping it closed any longer.
Bump. Crypto is only strong if you can prove it openly. If there's a bug/flaw and you keep it closed you're risking the whole project. Make it open and let the community help improve it. Like I said before, it's an Android app, the source is readily available anyways so might as well invite the community. if you had the source you could fake the accelerometer requirements. cheaty haxors So much this, one can simply modify the code and make it simpler for him to "mine" coins. Then again, whats with the posts recently trying to downplay the dev? I'm pretty sure the devs are coming up with bugs fixes and better application and features, take the upcoming iphone app for instance |
|
|
|
cromwell600
Newbie
Offline
Activity: 4
Merit: 0
|
|
January 30, 2015, 10:13:47 AM |
|
Since everyone is talking about source and security lately, let me share my opinions. I'm an Android app and system developer and just recently started looking into cryptocurrencies.
So here are my findings about this coin:
- Reverse-engineering the apk was trivial, devs didn't even use ProGuard to make it harder to read. This is not a problem actually, because even if the app is obfuscated, it's not much harder to understand.
- The coin is centralized and all data is probably stored in a database without a blockchain and proof-of-anything. This system can be hacked, devs can do bad things (though they seem to be honest).
- Even if you don't have the source, there are a lot of ways to cheat the system on Android.
- Coding a desktop implementation based on the reverse-engineered apk is trivial, one can sync without using an Android device at all. Add proxies and bots to this and you can easily "mine" hundreds of coins per day. You can also signout anyone just by knowing the username. It might be possible to sync an arbitary amount of coins to any username too, this depends on how much checking is implemented. I guess it could work since if one used random device data, the system would think the user started using another device (too).
- The app uploads the following information about a device: device model and name, IMEI number and if the device is rooted. All of them can be faked on a rooted device. I understand that IMEI is used for checking multi-account usage on one device, but not in plaintext, it should be hashed and only that value sent to the server. What if the server is hacked, IMEI numbers are stolen and sold on the black market? I personally wouldn't be happy.
- Up until v0.5.0b, only salted password hashes were sent to the server, providing a secure authentication. The salt was generated by the device randomly upon signup. Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext, which is problematic if you use the same password elsewhere, let's say for your e-mail account, not to mention they know your e-mail address too.
- Probably this was introduced to ease server load as there's no need for another API call to get the salt.
- Fortunately, communication between the device and the server is done through the secure HTTPS protocol. However, the server uses a self-signed certificate (trusted certificates are not free) and the app is coded not to reject unauthorized certificates for this very reason. This makes it possible to successfully execute a man-in-the-middle attack and steal passwords which aren't sent hashed anymore. This kind of attack is very common on public Wi-Fi access points, such as a coffee shop, airport, etc.
By all this said, please do not think I'm against this coin or anything. People just have to know the truth. Even if it might have sounded harsh at places, I appreciate developers' work, because this really is a unique idea. Unfortunately without a real blockchain and proof-of-anything system there's no way to properly secure the system. You can make it harder to cheat, but not impossible.
|
|
|
|
|
|
SreleFromMangoCoinz (OP)
|
|
January 30, 2015, 12:46:01 PM |
|
Since everyone is talking about source and security lately, let me share my opinions. I'm an Android app and system developer and just recently started looking into cryptocurrencies.
So here are my findings about this coin:
- Reverse-engineering the apk was trivial, devs didn't even use ProGuard to make it harder to read. This is not a problem actually, because even if the app is obfuscated, it's not much harder to understand.
- The coin is centralized and all data is probably stored in a database without a blockchain and proof-of-anything. This system can be hacked, devs can do bad things (though they seem to be honest).
- Even if you don't have the source, there are a lot of ways to cheat the system on Android.
- Coding a desktop implementation based on the reverse-engineered apk is trivial, one can sync without using an Android device at all. Add proxies and bots to this and you can easily "mine" hundreds of coins per day. You can also signout anyone just by knowing the username. It might be possible to sync an arbitary amount of coins to any username too, this depends on how much checking is implemented. I guess it could work since if one used random device data, the system would think the user started using another device (too).
- The app uploads the following information about a device: device model and name, IMEI number and if the device is rooted. All of them can be faked on a rooted device. I understand that IMEI is used for checking multi-account usage on one device, but not in plaintext, it should be hashed and only that value sent to the server. What if the server is hacked, IMEI numbers are stolen and sold on the black market? I personally wouldn't be happy.
- Up until v0.5.0b, only salted password hashes were sent to the server, providing a secure authentication. The salt was generated by the device randomly upon signup. Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext, which is problematic if you use the same password elsewhere, let's say for your e-mail account, not to mention they know your e-mail address too.
- Probably this was introduced to ease server load as there's no need for another API call to get the salt.
- Fortunately, communication between the device and the server is done through the secure HTTPS protocol. However, the server uses a self-signed certificate (trusted certificates are not free) and the app is coded not to reject unauthorized certificates for this very reason. This makes it possible to successfully execute a man-in-the-middle attack and steal passwords which aren't sent hashed anymore. This kind of attack is very common on public Wi-Fi access points, such as a coffee shop, airport, etc.
By all this said, please do not think I'm against this coin or anything. People just have to know the truth. Even if it might have sounded harsh at places, I appreciate developers' work, because this really is a unique idea. Unfortunately without a real blockchain and proof-of-anything system there's no way to properly secure the system. You can make it harder to cheat, but not impossible.
Hey cromwell600, Good job! -Yes, .apk files are easy to open, and in the next update we are going to have ProGuard. -Yes the coin is centralized, but there is a blockchain and there is proof of how many coins someone has. We have security in place, and everyday we are thinking of ways of improving it. I don't like doing bad things, I would rather be honest. -We thought up a way of authenticating API request and it will be implemented in the next update so to mitigate the risk of bots. -Yes the app gets some info about the device, but not much. -Yes, we changed some things from v0.5.0b to v0.5.1. The password is hashed server side, and the password is sent via a secure connection (HTTPS). -This was not introduced to ease the server load, but to improve security. We now use an even better salting method. -As for the self signed certificate, it will be changed to a signed (payed) certificate hopefully by the end of next week (or even earlier). The new certificate that is signed by a trusted source will stop a MITM (Man In The Middle) attack. The iPhone version of the app will be in the works hopefully by the end of next week, and we plan on making it even more secure If you have any suggestions, please tell us by sending us an email to mangocoinz@gmail.comBest regards, Srele from MangoCoinz. |
MangoCoinz, mobile cryptocurrecy mining is here. Available for Android now and soon on the iPhone!
|
|
|
|
jluizg
|
|
January 30, 2015, 03:41:12 PM |
|
Where are you from DEVs?
|
|
|
|
|
Nthused
Legendary
Offline
Activity: 1554
Merit: 1001
|
|
January 30, 2015, 04:00:55 PM |
|
Where are you from DEVs?
I think they are from Serbia, have you seen their video regarding mangocoinz ? The guy gets up after sleeping, says I want to mine mangocoinz and runs with 2 phones in his hand lol |
|
|
|
|
|
SreleFromMangoCoinz (OP)
|
|
January 30, 2015, 06:55:54 PM |
|
Where are you from DEVs?
I think they are from Serbia, have you seen their video regarding mangocoinz ? The guy gets up after sleeping, says I want to mine mangocoinz and runs with 2 phones in his hand lol Yep, we're from Serbia. Best regards, Srele from MangoCoinz. |
MangoCoinz, mobile cryptocurrecy mining is here. Available for Android now and soon on the iPhone!
|
|
|
blackwat3er
Newbie
Offline
Activity: 19
Merit: 0
|
|
January 30, 2015, 07:15:59 PM |
|
Since everyone is talking about source and security lately, let me share my opinions. I'm an Android app and system developer and just recently started looking into cryptocurrencies.
So here are my findings about this coin:
- Reverse-engineering the apk was trivial, devs didn't even use ProGuard to make it harder to read. This is not a problem actually, because even if the app is obfuscated, it's not much harder to understand.
- The coin is centralized and all data is probably stored in a database without a blockchain and proof-of-anything. This system can be hacked, devs can do bad things (though they seem to be honest).
- Even if you don't have the source, there are a lot of ways to cheat the system on Android.
- Coding a desktop implementation based on the reverse-engineered apk is trivial, one can sync without using an Android device at all. Add proxies and bots to this and you can easily "mine" hundreds of coins per day. You can also signout anyone just by knowing the username. It might be possible to sync an arbitary amount of coins to any username too, this depends on how much checking is implemented. I guess it could work since if one used random device data, the system would think the user started using another device (too).
- The app uploads the following information about a device: device model and name, IMEI number and if the device is rooted. All of them can be faked on a rooted device. I understand that IMEI is used for checking multi-account usage on one device, but not in plaintext, it should be hashed and only that value sent to the server. What if the server is hacked, IMEI numbers are stolen and sold on the black market? I personally wouldn't be happy.
- Up until v0.5.0b, only salted password hashes were sent to the server, providing a secure authentication. The salt was generated by the device randomly upon signup. Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext, which is problematic if you use the same password elsewhere, let's say for your e-mail account, not to mention they know your e-mail address too.
- Probably this was introduced to ease server load as there's no need for another API call to get the salt.
- Fortunately, communication between the device and the server is done through the secure HTTPS protocol. However, the server uses a self-signed certificate (trusted certificates are not free) and the app is coded not to reject unauthorized certificates for this very reason. This makes it possible to successfully execute a man-in-the-middle attack and steal passwords which aren't sent hashed anymore. This kind of attack is very common on public Wi-Fi access points, such as a coffee shop, airport, etc.
By all this said, please do not think I'm against this coin or anything. People just have to know the truth. Even if it might have sounded harsh at places, I appreciate developers' work, because this really is a unique idea. Unfortunately without a real blockchain and proof-of-anything system there's no way to properly secure the system. You can make it harder to cheat, but not impossible.
thanks for sharing this info but you are quite a bit late, i have already discussed this with the Srele and provided further information on how to fix some of these issues a few of the recent updates were to fix issues regarding aforementioned information that i reported to them in private along with proof of concept showing how easily abused most of this is/was as for proguard it is easily defeated if you know what youre doing and it will not stop a knowledgable individual from reversing the apk and further enumerating the requests the app makes id like to point out "Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext" before v0.5.1 passwords were sent to the server hashed with a salt easily obtained via an unauthenticated request to the api which one could easily do from the browser arbitrary account creation + sync of coins was possible, probably still is quite a few other issues still exist such as the possibility to log out active users with nothing but a single http request i understand youre trying to help but youre about 2 weeks late on reporting the very same issues i have reported to them in private and worked with them to attempt to fix. there are still a plethora of issues that exist and probably will you may also want to note, you should have brought up any concerns you may have had with them in private because posting this information to a public outlet such as this can and will entice others to attemtp to investigate and possibly even attempt to carry out attacks against them and abuse their service. full disclosure is not the right course of action because by doing so you have enabled anyone interested whom has the knowledge to research further and carry out an attack on their services. |
|
|
|
|
barabbas
Legendary
Offline
Activity: 1162
Merit: 1000
|
|
January 30, 2015, 08:40:19 PM |
|
Since everyone is talking about source and security lately, let me share my opinions. I'm an Android app and system developer and just recently started looking into cryptocurrencies.
So here are my findings about this coin:
- Reverse-engineering the apk was trivial, devs didn't even use ProGuard to make it harder to read. This is not a problem actually, because even if the app is obfuscated, it's not much harder to understand.
- The coin is centralized and all data is probably stored in a database without a blockchain and proof-of-anything. This system can be hacked, devs can do bad things (though they seem to be honest).
- Even if you don't have the source, there are a lot of ways to cheat the system on Android.
- Coding a desktop implementation based on the reverse-engineered apk is trivial, one can sync without using an Android device at all. Add proxies and bots to this and you can easily "mine" hundreds of coins per day. You can also signout anyone just by knowing the username. It might be possible to sync an arbitary amount of coins to any username too, this depends on how much checking is implemented. I guess it could work since if one used random device data, the system would think the user started using another device (too).
- The app uploads the following information about a device: device model and name, IMEI number and if the device is rooted. All of them can be faked on a rooted device. I understand that IMEI is used for checking multi-account usage on one device, but not in plaintext, it should be hashed and only that value sent to the server. What if the server is hacked, IMEI numbers are stolen and sold on the black market? I personally wouldn't be happy.
- Up until v0.5.0b, only salted password hashes were sent to the server, providing a secure authentication. The salt was generated by the device randomly upon signup. Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext, which is problematic if you use the same password elsewhere, let's say for your e-mail account, not to mention they know your e-mail address too.
- Probably this was introduced to ease server load as there's no need for another API call to get the salt.
- Fortunately, communication between the device and the server is done through the secure HTTPS protocol. However, the server uses a self-signed certificate (trusted certificates are not free) and the app is coded not to reject unauthorized certificates for this very reason. This makes it possible to successfully execute a man-in-the-middle attack and steal passwords which aren't sent hashed anymore. This kind of attack is very common on public Wi-Fi access points, such as a coffee shop, airport, etc.
By all this said, please do not think I'm against this coin or anything. People just have to know the truth. Even if it might have sounded harsh at places, I appreciate developers' work, because this really is a unique idea. Unfortunately without a real blockchain and proof-of-anything system there's no way to properly secure the system. You can make it harder to cheat, but not impossible.
thanks for sharing this info but you are quite a bit late, i have already discussed this with the Srele and provided further information on how to fix some of these issues a few of the recent updates were to fix issues regarding aforementioned information that i reported to them in private along with proof of concept showing how easily abused most of this is/was as for proguard it is easily defeated if you know what youre doing and it will not stop a knowledgable individual from reversing the apk and further enumerating the requests the app makes id like to point out "Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext" before v0.5.1 passwords were sent to the server hashed with a salt easily obtained via an unauthenticated request to the api which one could easily do from the browser arbitrary account creation + sync of coins was possible, probably still is quite a few other issues still exist such as the possibility to log out active users with nothing but a single http request i understand youre trying to help but youre about 2 weeks late on reporting the very same issues i have reported to them in private and worked with them to attempt to fix. there are still a plethora of issues that exist and probably will you may also want to note, you should have brought up any concerns you may have had with them in private because posting this information to a public outlet such as this can and will entice others to attemtp to investigate and possibly even attempt to carry out attacks against them and abuse their service. full disclosure is not the right course of action because by doing so you have enabled anyone interested whom has the knowledge to research further and carry out an attack on their services. While I agree there are significant risks out there by making this information public, I thank cromwell600 for it because lets not forget this is a BETA projecty and all of these issues MUST be dealt with and solved. If some people do take advantage, lets not forget either that this is a CENTRALIZED project, WHICH MEANS, AMONG OTHER THINGS, THAT THE DEVS CAN CANCEL THE ACCOUNTS THAT GAME THE SYSTEM, PERIOD. And they should exactly do that. Also, they have told me that they do not have any problem coming out publicly with their personal holding in the coin. THEY MUST DO THAT as soon as possible and immediately after a proper blockchain is made available... which is way more urgent than any other development. The credibility and transparency of the devs MUST be paramount since this is, again, a centralized project. Another matter: I have corroborated that the synced coins are ARBITRARILY (I repeat: ARBITRARILY) reduced. One again, I have CORROBORATED it personally. I moved the phone for a while to add to my synced coins the 7 daily maximum, at 10:00 PM. The system added them with no problem. Next day, more than 24 hours later, I did exactly the same... the system added the 7 coins -including the 1 and change it had mined all day- but, later, it deleted them -not ALL of them, it retained the 1 and change it had mined during the day-. I repeated the experiment hours later... to the same exact effect. And, finally, I repeated the same actions 24 hours (more, actually) later, and still the system would not sync the max of 7 coins per day, not even close to that. What's with that? That is a major, major, MAJOR bug that has to be corrected, because as it is, it is quite a joke. Finally guys, you are not advancing at all in re-branding and frankly concentrating too much on the IOS compatibility.... which is NOT as urgent as securing the network, making the proper blockchain available and correcting issues like the one I have detailed. GET ON THE PRIORITIES, please. |
|
|
|
|
|
JJ12880
|
|
January 31, 2015, 12:11:18 AM |
|
hey guys, I have an older Nexus 7, and when I try and sign up on the app, it keeps crashing. Is this due to it not being a phone? The OS is older too, I haven't updated it in about a year. Unfortunately, my primary phone is a 4S.
JJ
Hey JJ12880, Sorry, but the app wasn't made to run on tablets, that's why it crashes. The iPhone version of the app will be coming soon, so you will be able to mine on your iPhone. Best regards, Srele from MangoCoinz. Ok, no worries! Thanks for the info! Im excited to try it out. Best of luck to you and your team! JJ12880 |
|
|
|
|
SreleFromMangoCoinz (OP)
|
|
January 31, 2015, 02:21:09 AM |
|
Hey everybody,
We've just published MangoCoinz v0.5.2 and it will be available to update in a few hours.
This is a security update, and updating from v0.5.1 will not result in coin loss.
A short time after the update is available, it will be the only version able to interact with the system.
Best regards, Srele from MangoCoinz.
|
MangoCoinz, mobile cryptocurrecy mining is here. Available for Android now and soon on the iPhone!
|
|
|
|
Quartx
|
|
January 31, 2015, 04:40:22 AM |
|
Hey everybody,
We've just published MangoCoinz v0.5.2 and it will be available to update in a few hours.
This is a security update, and updating from v0.5.1 will not result in coin loss.
A short time after the update is available, it will be the only version able to interact with the system.
Best regards, Srele from MangoCoinz.
Updated successfully and smoothly, no coins lost. Looking forward to more updates, Cheers! |
|
|
|
barabbas
Legendary
Offline
Activity: 1162
Merit: 1000
|
|
January 31, 2015, 06:23:01 AM |
|
Hey everybody,
We've just published MangoCoinz v0.5.2 and it will be available to update in a few hours.
This is a security update, and updating from v0.5.1 will not result in coin loss.
A short time after the update is available, it will be the only version able to interact with the system.
Best regards, Srele from MangoCoinz.
Actually it HAS resulted, again, in coin loss. This is NOT working guys. Not at all. twice it has taken the coins out in 48 hours and a third time now with the update. This is getting absolutely ridiculous. |
|
|
|
|
|
ByronP
|
|
January 31, 2015, 07:48:01 AM |
|
Balance is gone and if I try to send it says "no user with your username"
None of it makes sense...
|
|
|
|
|
|
ByronP
|
|
January 31, 2015, 07:59:33 AM |
|
Balance is gone and if I try to send it says "no user with your username"
None of it makes sense...
Apparently signing out and back in fixes the problem. |
|
|
|
|
Nthused
Legendary
Offline
Activity: 1554
Merit: 1001
|
|
January 31, 2015, 08:06:35 AM |
|
When is the difficulty going to increase again and what will be the sync limit for MCZ ?
Mining Mangocoinz is fun and easy but if it gets harder again it will be a challenge, I just walk with my phone in my hand and it earns just as much overall as shaking for 15 mins non-stop.
|
|
|
|
|
cromwell600
Newbie
Offline
Activity: 4
Merit: 0
|
|
January 31, 2015, 09:52:05 AM |
|
-Yes the coin is centralized, but there is a blockchain and there is proof of how many coins someone has. We have security in place, and everyday we are thinking of ways of improving it. I don't like doing bad things, I would rather be honest.
-We thought up a way of authenticating API request and it will be implemented in the next update so to mitigate the risk of bots.
-Yes the app gets some info about the device, but not much.
-Yes, we changed some things from v0.5.0b to v0.5.1. The password is hashed server side, and the password is sent via a secure connection (HTTPS).
-This was not introduced to ease the server load, but to improve security. We now use an even better salting method.
- If I may ask, how is proof implemented? - Just updated and saw that. This authentication still can be implemented in a bot. - I'm not concerned about manufacturer and device name, it can be even used as useful statistics, but please hash the IMEI in the next update. You have no need to store the IMEI number of all registered devices. - This will only get effective if you migrate to trusted certificate. Also, this doesn't guarantee you don't store passwords in plaintext anymore. - Same as above. Because of the centralized nature, users can't know for sure it isn't that way. id like to point out "Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext"
before v0.5.1 passwords were sent to the server hashed with a salt easily obtained via an unauthenticated request to the api which one could easily do from the browser
arbitrary account creation + sync of coins was possible, probably still is
quite a few other issues still exist such as the possibility to log out active users with nothing but a single http request
What would anyone do with the salt? You'd still need the password to successfully create the matching hash. Now this isn't needed anymore. Your password is sent plaintext to the server. Yeah, it's HTTPS, but self-signed as of now so it really is plaintext as a matter of fact. Regarding "one could easily do from the browser" and "nothing but a single http request": I personally don't feel it simple doing a POST request from a browser. I don't know if it would be better to open-source the whole project, release the blockchain and stuff, because it's also a point that scamcoin makers would saturate the market with this kinda coins. The problem is, we are talking about stuff worth money after all and trust isn't something anyone can build anything upon in this field. If there are flaws in the system, people will go and abuse them. |
|
|
|
|
|
speedy1987
|
|
January 31, 2015, 09:57:24 AM |
|
Hey everybody,
We've just published MangoCoinz v0.5.2 and it will be available to update in a few hours.
This is a security update, and updating from v0.5.1 will not result in coin loss.
A short time after the update is available, it will be the only version able to interact with the system.
Best regards, Srele from MangoCoinz.
Can you please implement some kind of auto update? cheers |
|
|
|
|
|
Quartx
|
|
January 31, 2015, 10:41:31 AM |
|
Hey everybody,
We've just published MangoCoinz v0.5.2 and it will be available to update in a few hours.
This is a security update, and updating from v0.5.1 will not result in coin loss.
A short time after the update is available, it will be the only version able to interact with the system.
Best regards, Srele from MangoCoinz.
Can you please implement some kind of auto update? cheers I think it is possible to auto update certain apps only in google play |
|
|
|
old fart
Member
Offline
Activity: 308
Merit: 10
Bitcoin is the future
|
|
January 31, 2015, 11:14:57 AM |
|
Hey everybody,
We've just published MangoCoinz v0.5.2 and it will be available to update in a few hours.
This is a security update, and updating from v0.5.1 will not result in coin loss.
A short time after the update is available, it will be the only version able to interact with the system.
Best regards, Srele from MangoCoinz.
Can you please implement some kind of auto update? cheers I think it is possible to auto update certain apps only in google play At least there are updates available. That's the most important thing. |
|
|
|
|
