[1/🧵] You've heard of @XummWallet but aren't sure if you can #trust its #security?
You'll learn about @cossacklabs' most recent security assessment and why the #XUMM #wallet strives to maintain the highest security standards.
Follow along in this "all-in-one security 🧵"
[4/24] 1️⃣ Hot Wallet Fundamentals
▶️ #XUMM is a hot, self-custodial ("unhosted") mobile-only #cryptocurrency wallet designed exclusively for the XRPL ecosystem, allowing users to securely store their private keys, make payments, and engage with the #XRPL via #xApps.
[6/24] #XUMM Wallet Security
How long would it take an attacker to successfully brute-force the app's credentials?
🔸 Secret number: ~99 quadrillion years
🔸 6-digit passcode: ~228 years
🔸 Signing password: there is basically no password-length restriction, so a 16-character password already takes 200+ years
[7/24] 1️⃣ #Security Audit
@XRPLLabs had a security assessment performed by #Cossacklabs that required over 240 person-hours of work and was publicly disclosed on 18.05.2023.
The main takeaway was:
✔️ "No critical vulnerabilities or immediate exploits were identified"
[8/24] 2️⃣ #Security Audit: BEFORE
During the 1st evaluation, #Cossacklabs noticed that "only" 28 of the relevant 65 standards had been met.
Sounds worse than it is, since #XUMM users were never at risk as long as their 📱 were updated and their passwords were kept safe. 🫡
[9/24] 3️⃣ #Security Audit: AFTER
Following the implementation of the solutions, #Cossacklabs verified that 58 of the necessary 65 criteria were met, significantly reducing the number of unresolved issues.
Consider how much effort went into resolving all of that. 🔥
[10/24] 4️⃣ #Security Audit
Many cryptographic flaws and weaknesses, according to #Cossacklabs, were caused by insufficient security controls that were already in place but did not meet the highest criteria.
[13/24] 1️⃣ XUMM Tangem: Firmware
There are @Tangem cards and #XUMM-branded Tangem cards that both use one firmware that has been reviewed by #Kudelskisecurity, with one exception:
The XUMM-branded #Tangem cards are not designed to sync the keys.
[14/24] 2️⃣ XUMM Tangem: Firmware
Not only can the firmware not be upgraded by design, but the #firmware can never give out your #privatekey: the card's only physical interface is #NFC, so the secret stays truly offline at all times.
[16/24] 2️⃣ XUMM Tangem: Best Practice
Additional suggestions:
🔸 Use 4 cards (2 #XRPL accounts) to separate your hot & cold wallets
🔸 Do not use your cards on a 'rooted' or jailbroken phone
🔸 Less is more, so use your cold storage to save your funds in the long run
[18/24] 2️⃣ XUMM Tangem: Hardware Chip
Now that we know the source of genuine randomness utilized to generate the secrets, what about the #CPU? 🤔
#Tangem employs the "#Arm #SecurCore SC000 Core," one of the most extensively licensed 32-bit smartcard processors in the world.
[22/24] 3️⃣ Tangem Card: Facts
. . .
🔸 Works from -25°C up to 85°C
🔸 Works even underwater
🔸 #IP68 certified
🔸 An Access Code may be set, and even adjusted so that it cannot be removed from the card once it is set.
If you lose this code, you lose everything.
[23/24] TL;DR
🔸 XUMM security upgraded (MASVS v1.5)
🔸 XUMM Tangem account backup via xApp
🔸 Tangem cards: simple, secure offline cold wallet
🔸 Literally indestructible
🔸 XUMM-branded cards w/o key-sync
🔸 Cutting-edge certified hardware security
🔸 @XRPLLabs rocks!
[24/24] Hopefully, this gave you a solid introduction to #XUMM and #Tangem cards in terms of security.
Rest assured, there is more to come. 🔥
Please follow me here:
@krippenreiter
Feel free to contribute by sharing here:
An in-depth 🧵 about all and everything security-related on XUMM and Tangem