Pera Web Wallet Security Measures

Introduction

Pera Web Wallet is a secure web wallet for storing, managing and transacting with cryptocurrencies on the Algorand blockchain. The wallet is designed to provide maximum security and ease of use to its users. In this knowledge base article, we will explore the security measures taken by Pera Wallet to ensure the safety of user accounts and their private keys. As well, we will compare the security features of Pera Web Wallet with MyAlgo wallets.

Open source and transparency

One of the core principles of Pera Wallet's security policy is the use of open-source software. The wallet's source code is published on its GitHub repository and is available for public scrutiny. This provides a high level of transparency and allows the community to audit the code for vulnerabilities or potential issues.

Simplicity

Pera Wallet's security measures also rely on simplicity. The wallet does not attempt to perform any complex operations on user accounts, and it does not include any unnecessary features that could compromise security. This approach reduces the attack surface and minimizes the risk of potential exploits.

Continuous audits and training

Pera Wallet undergoes yearly security audits that cover not only its mobile apps but also its API and server infrastructure. These continuous audits ensure that the wallet's security measures remain up-to-date and effective. Additionally, Pera Wallet trains its staff on identifying potential security gaps before they are merged for security testing. Starting from this year's audits, the results will be published publicly.

Ledger support

Pera Wallet has been working closely with the Ledger team for over a year to ensure easy-to-use access to secure user accounts with a Ledger hardware wallet. Ledger is the industry standard in this field and provides the best way to secure private keys. Here, we’ve prepared an article to explain the Pera Web - Ledger integration.

Encryption and storage

One of the most critical aspects of a cryptocurrency wallet's security is the way it encrypts and stores private keys. At Pera Wallet, we take this aspect very seriously. Here's how we do it:

Encryption Method: We use NaCl secretbox to encrypt the secret key with a user-provided password. NaCl is a widely respected and audited encryption library that's used by many reputable crypto projects. We leverage tweetnacl (1.0.3), a port of the original NaCl library to JavaScript, which is also audited.

Key Derivation: We use script-async (2.0.1) to derive the key from the user's password. This is done in the browser, so the password never leaves the user's device.

Storage: We store the encrypted secret key in the browser's IndexedDB. There is no way to decrypt the secret key without the user's password. We also store the hashed version of the password in the browser's LocalStorage, which is used to verify the user's password. This hash is completed by the NaCl hash function.

Attack surface protections

While our encryption and storage methods are robust, we also take other measures to protect our users' funds. Here are some of the ways we protect against possible attack vectors:

User Password: We require users to create a strong password with a minimum of 12 characters, at least 1 lowercase, 1 uppercase letter, 1 number, and 1 special character. This makes it harder for attackers to brute-force the password.

Supply Chain Attacks: To protect against supply chain attacks, we use a minimal amount of package dependencies, all pinned to a strict version. If a package needs to be upgraded, we read the changed code and act accordingly.

Browser APIs: To manage the browser's LocalStorage and IndexedDB, we do not use any package. We implemented our own solution using native browser APIs, which minimizes the risk of third-party vulnerabilities.

No Analytics or Tracking: We do not use analytics or tracking scripts to avoid any possible data leak, even error tracking services.

Common web wallet vulnerabilities and Pera Web

It is crucial to understand the common vulnerabilities in web wallets to ensure their security. A common misconception is that the risk of vulnerability lies in where the keys are stored, but this is not entirely true. As long as the keys are encrypted, the method and location of storage are not significant. And even the encryption method is not that important. We haven't seen any attacks where the attacker gets access to encrypted keys and somehow decrypts them with brute force.

The more common and successful attack strategy is to inject code into the web application. Most attacks on other wallets have utilized this method, with a very common mistake being the use of third-party tools such as Google Analytics. If attackers gain access to the console of such tools, they can inject arbitrary JavaScript into the web wallet and steal keys before they are even encrypted. To prevent this type of attack, Pera Web Wallet takes extreme measures against any DNS or CDN injection vectors, similar attack vectors where arbitrary JavaScript can be injected. Additionally, Pera Web Wallet does not include any analytics tools or third-party libraries to ensure user security.

Comparison to MyAlgo

We've noticed some discussions comparing Pera Web Wallet to MyAlgo, another browser-based Algorand wallet. While we don't have all the information about MyAlgo's security measures, we can provide some insights based on our findings:

Encryption Method MyAlgo uses a different encryption method, and we don't know the details of it. At Pera Web Wallet, we use NaCl secretbox, which is widely respected and audited.

IndexedDB Management: MyAlgo uses a third-party package to manage IndexedDB, where they store private keys. At Pera Web Wallet, we use native browser APIs to minimize the risk of third-party vulnerabilities.

Analytics and Tracking: MyAlgo uses tracking software, which poses a significant security risk. For example, if an attacker gains access to the Google Analytics console, they can inject arbitrary JavaScript into the wallet and steal private keys. At Pera Web Wallet, we do not use any analytics or tracking scripts to avoid any possible data leak.

ASA Verification Program - Enhancing ecosystem security

In April of 2022, we unveiled the updated ASA Verification Program, which we still maintain to offer further insights on the tokens that users engage with. Additionally, we have recently incorporated Verified, Unverified, and Suspicious badges, along with an in-depth view of each ASA, into our mobile applications. Our verification program will continue to grow and encompass additional aspects of Algorand, providing our community with additional research tools.

Conclusion

In summary, Pera Wallet takes several security measures to ensure that user accounts and private keys are safe. These measures include open-source and transparency, simplicity, continuous audits and training Ledger support, encryption and storage, and protection against a wide-range of attack vectors. Pera Wallet's security policy is designed to provide maximum security and ease of use to its users.

Updated on: 19/04/2024