Trail of Bits

Kraken Mobile Wallet

Type: Security review

Client: Payward

Date: 2024-01

Domain: AppSec

Effort: 7 wks

Section: Technology Product Reviews

Trail of Bits's security review of Payward (Jan 2024) identified 24 issues: 8 medium, 8 low, and 8 informational.

Findings · 24

  1. The QR code scanner is configured to detect all code types (Informational)
  2. Hard-coded Infura API key (Informational)
  3. Use of unpinned third-party scripts and images in CI (Low)
  4. react-native-argon2 is unmaintained (Informational)
  5. Missing certificate validation in electrum-client (Medium)
  6. Third-party applications can take and read screenshots of the Android client screen (Medium)
  7. Users may accidentally break wallet initialization (Informational)
  8. Local biometric and password authentication can be bypassed (Medium)
  9. Reauthentication not required for all sensitive actions (Medium)
  10. Password policy issues on extra password protection (Low)
  11. Sensitive content exposed via Clipboard (Low)
  12. Truncated message content when signing via WalletConnect (Medium)
  13. Removal of URL protocol when pairing with WalletConnect (Low)
  14. Exposure of misconfigured GCP API key (Low)
  15. Absence of account lockout mechanism (Low)
  16. Harmony proof of work allows attacker to tamper with expiration (Medium)
  17. Harmony reuses the same HMAC key for signing proof-of-work challenges and image URLs (Informational)
  18. WalletConnect transaction confirmation screen may be suddenly switched (Medium)
  19. SafetyNet Verify Apps and Play Integrity APIs not implemented in the Android client (Informational)
  20. No explicit verification of the Android security provider (Informational)
  21. Project dependencies are not monitored for vulnerabilities (Informational)
  22. Device-to-device backups are not disabled (Low)
  23. Application crashes when SVG image is tapped twice in the NFT module (Low)
  24. Fee amounts are not displayed and can be controlled by remote services (Medium)

Findings extracted from the published report PDF. See the full report below for details and remediation.