Don't Trust, Verify: Xumm Audit Report and Improvements

A comprehensive look at our proactive approach to security and our latest audit with Cossack Labs.

At XRPL Labs, we put security first through our Xumm app-only model and strive to maintain the highest security standard.
In this blog post, we offer a detailed look at our recent security audit conducted by Cossack Labs, demonstrating our commitment to safeguarding your digital assets.
We selected Cossack Labs for our audit due to their rare combination of expertise in security audits, decentralized finance, deep cryptographic knowledge, native and React Native mobile apps, and their commitment to developing a strong relationship with us, trusting they would care about our product and users as if they were their own.
In this announcement, you will discover how the audit's insights led to key improvements in Xumm's security measures and the implementation of robust security controls, ensuring a secure and reliable user experience.

Audit Insights: Enhancing Security Measures

Back in August 2021, XRPL Labs sought the expertise of Cossack Labs. Our goal? Refining the security measures and cryptographic layers of Xumm through a third-party audit, showing the world that we don’t just talk the talk, but we also walk the walk.
Cossack Labs embarked on a comprehensive examination of Xumm's mobile app. It scrutinized our implementation, studied our architecture, and explored potential areas to improve.
By focusing on secure storage, user interactions, and communication with the XRP Ledger, Xumm backend, and xApps, the audit provided valuable insights into areas for improvement.
The team at Cossack Labs stated: “We would like to note a solid security-oriented engineering effort of the XRPL Labs team in building and securing the app,” pointing towards all of the security features XRPL Labs has added to Xumm over the years, such as application locking, passphrases, data-at-rest encryption, user authentication, and many more.

Raising the Bar: Implementing Robust Security Controls

Collaborating with Cossack Labs allowed us to address their findings and further enhance our security measures. By implementing their expert recommendations, Xumm Wallet now offers stronger protection for users' data, keys, and transactions.
Wietse Wind, founder and CEO of XRPL Labs, said, "We've always been transparent about prioritizing security. The self-custody space deserves nothing less, and our goal is to lead the way in helping our users manage and use their private keys responsibly and securely. We are thrilled and proud to not only claim that we care about security but also showcase a security audit that led to actionable improvements, which we've integrated into recent Xumm updates."
Incorporating Cossack Labs' expert recommendations has strengthened Xumm Wallet's defense-in-depth protections, improving our platform's overall stability and maintainability.

Going Above and Beyond: Setting the Standard with an App-Only Model

Constraining Xumm to an app-only model avoids the vulnerabilities often associated with browser extension wallets and sidesteps the issues that frequently compromise their security.
This strategic decision allows us to deliver a higher standard of wallet security, ensuring the protection of our users' digital assets and providing them with peace of mind.
Only a few minor findings were left to be addressed in the first half of 2023.
The team at Cossack Labs expressed their confidence in Xumm Wallet's security measures.
They emphasized that users' data, keys, and transactions are safeguarded as long as users understand their responsibilities: protecting their account credentials, being aware of the mobile app's limitations, and ensuring the mobile device and OS are secure before accessing the wallet.
Cossack Labs found no direct exploitable attack vectors in their preliminary report.
This comment highlights the importance of user awareness and responsibility in maintaining the highest level of security when using Xumm Wallet.
Xumm is dedicated to safeguarding our users' assets, exemplified by our voluntary collaboration with Cossack Labs for a comprehensive security audit. This partnership puts our devotion to transparency and our determination to stay ahead of the curve on display.
Xumm 2.4.0 came packed with updates, one of which was the significant upgrade to encryption.

Improving the Entire Cryptographic Layer

Following the audit, we focused on further improving the already robust cryptographic layer within the Xumm Wallet by introducing a new encryption scheme. The audit identified no exploitable vulnerabilities, but we seized the opportunity to improve further, going from good to great.
By strengthening the encryption layer, we've bolstered sensitive data storage and application-level encryption, giving users a fast and reliable wallet experience with top-notch security.
Image: Xumm’s security progress based on the Mobile Application Security Verification Standard, reflecting our commitment to ongoing security enhancements.
Xumm Wallet users can feel confident knowing that with recent improvements, our wallet security is even better.

Relentless Pursuit of Excellence in Security

At Xumm Wallet, our users' security is our top priority. Our voluntary security audit and app-only model showcase our commitment to providing the industry's highest security levels.
Our journey to security excellence is never-ending. We are constantly on the move, working to improve and refine our platform to ensure we maintain the highest level of security.
We take great pride in protecting your assets with the most robust security measures.
Our forward-thinking approach guarantees that Xumm Wallet remains ahead of the curve, empowering you to confidently use our platform for all your XRP Ledger (XRPL) needs.
We want to thank the team at Cossack Labs for their support throughout the audit process. Their dedication went beyond merely identifying and explaining issues; they genuinely invested themselves in helping us make Xumm even better.
 
The full security audit can be read here.

About Cossack Labs

Cossack Labs is a provider of data security tools (cryptographic and data security frameworks), bespoke solutions, and consulting services focusing on sensitive data protection in modern systems.
Cossack Labs' experts in this audit have decades of hands-on practical experience, appropriate formal education, and academic degrees in cryptography, software engineering, data security, and general information security.