November 11, 2022
Article by
Recently at HashPack, we celebrated the one year anniversary of our launch. It's been exciting to work on new features and watch the community use them while advancing the ecosystem. Hedera Hashgraph is seeing growth and interest from all angles, and at HashPack, we’re at the centre of that growth, onboarding new community members, creators, and developers. We do this by building platform tools, refining our product features, and creating an environment where people are genuinely excited to interact with the Hedera ecosystem.
Cyber security is our number one priority at HashPack. Any business who has software as a product or service would be negligent for not having a focus on security. Hacks and data breaches are a daily occurrence in the news, this is especially true in crypto as it’s such a nascent industry. There's lots we do at HashPack to keep things secure, while still providing an excellent user experience.
Some of the work that goes into building HashPack is visible, and some of it less so. For example, a lot of effort goes into the release of something new in the application. We have a planning discussion followed by the design, development, implementation, and automated testing, then we perform security-focused code reviews and automated analysis. After that, it goes through a testing phase to see if it behaves as expected, and tweaks or fixes are applied.
What excites us most, however, is the future. In this article, you'll read briefly about our progress on development over the past year, our future plans, and finally, a timeline for HashPack to be audited.
Recently, we launched the dApp browser, a feature that allows users to interact with decentralised applications from inside HashPack. This is great for both the convenience of the user, and the exposure of applications to the wider HashPack community. It’s also a great way to reduce the possibility of users interacting with malicious decentralised applications. Many times, scammers will imitate the branding, colours and style of the dApp to trick users into thinking it is a legitimate site. With an in-app browser, it is extremely unlikely that this scam will succeed.
We have also released the Android app and opened up HashPack on a new platform. We are happy to see that users are enjoying and using this standalone application for Android. The use of a smart phone with a wallet is very convenient, increasingly common and boasts the security benefits of a native application. The use of biometrics to access your wallet from your device is preferable to a password in both security and convenience. In addition to biometrics, data is saved into encrypted storage in the device, and only the wallet application can access this data.
One of the most common questions we get asked is when the HashPack iOS app will be ready. We are happy to say that the iOS application has been in development for a while, and we are nearing a beta version. This release will utilise the hardware specific security features for iPhone to give users a secure native app experience. iOS has similar features as Android in terms of security such as biometrics and encrypted data storage.
Our Secure Trade feature will also receive an update soon. We have listened to the feedback of our community and Secure Trade V2 will allow users to trade HTS fungible tokens, HBAR and NFTs instead of just currently NFTs for HBAR. Users will also be able to utilise this feature with any combination of the aforementioned assets. The royalties associated with NFTs and fungible tokens will be respected. The peer-to-peer nature of Secure Trade makes asset exchange safer and more convenient for all users.
Just as features and platforms can be added, they can be phased out. We will eventually phase out the web application in favour of the dedicated Chrome extension and mobile apps. We have decided to eventually sunset the web wallet, as our mobile apps and Chrome extension offer better security, which is paramount to our values. More details will be released when the timeline becomes clear, and users will be given ample time to move over to our other platforms.
Audits are important, and we have been waiting to start the audit once we reach a certain point of maturity in terms of features and available platforms. As mentioned above, the iOS and Android applications are large additions to our codebase, and we would like to have these under the umbrella of the audit. We would also like some planned features not listed above to be included in the audit.
What is an audit?
A cyber security audit is a process that takes a codebase from a specified git commit hash and analyses the code at a specific snapshot for security and functionality. This process usually takes several weeks. Once the process is complete, the owners of the codebase receive a report with all the findings with suggestions for remediation. The developers will then correct the findings and the audit company will confirm the changes meet their criteria. This process is very effective for smart contracts especially since once the contracts are deployed, they are immutable.
On the other hand, since software applications like HashPack can be updated, the code which was audited may change as part of the process. Despite this fact, audits are still ultimately a good thing for applications as it establishes a baseline in terms of vulnerability management and offers awareness into the state of the codebase. Audits also have the added benefit of an objective, outside party looking at the code which often offers insight into the product that may otherwise be missed.
When will HashPack be audited?
We feel that the audit is an important distinction for projects in the crypto space and we have decided to engage in an audit Q1 of 2023. This decision was the result of several factors. First, the audit process is very expensive. We want to have the most important features included in the audit since it is cost prohibitive to continuously engage auditors. Funding has also been a factor in paying for the audit, and the opportune time to do this is when both the feature set is mature and the resources are available.
In addition to expense, time is also required to prepare the code for an audit. Auditors notice things in the source code that are innocuous in terms of security but could be improved. These small findings should be refined to reduce the amount of clutter an auditor may see and this requires time that we are currently spending building and refining features. Documentation is also something that takes time to produce and is noticed by auditors.
What security measures does HashPack currently employ?
Since we started with HashPack, security has always been top of mind. Our Co-Founder and CISO, Nicholas Hanna, is a Senior Application Security Engineer with relevant certifications such as the OSCP (Offensive Security Certified Professional). He and the developers engage in code reviews focused on security for all new code pushed to our repository. There are also automated static analysis tools that analyse code when merged into the main branch. These and other policies we have help us to account for risk in the codebase.
To list some specific examples, we use SonarCloud for static analysis and Dependabot for 3rd party library analysis. These scanning tools are designed to not just look for vulnerabilities in our own code, but also alert us to vulnerabilities in supporting libraries so that we can address them. We also use dynamic analysis tools such as ZAP and Burp Suite for automated and manual testing. The end result is each and every code change goes through these checks, before finally being internally audited by Nick before anything ever goes live to users.
In addition to our code analysis procedures, Nick uses his experience as a senior Application Security Engineer with OSCP (Penetration testing) certification to analyze the attack surface of the wallet apps and our servers. He also maintains risk profiles for each piece which guides how we approach internal audits as a company and prioritize risks.
From day one the HashPack team has been dedicated to providing enterprise-grade security, and we will continue to update our tools and pursue critical items such as external audits to bring the highest level of confidence to our users.
In addition to these policies, there are more things on the horizon in terms of policies and tools to help us manage the security aspects of our codebase and entire organisation. We also have engaged with developers from Hedera, Swirlds, The HBAR Foundation, Hedera Governing Council members and external developers as well as white hat hackers from the community. All of these measures help to make HashPack as secure as it can be.
We’re excited for new things on the horizon and the release of our iOS app. HashPack approaches user experience as seriously as application security, community involvement, or new feature development. Stay tuned and join the HashPack community Discord or follow us on Twitter for more updates.