Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Chinese developers. Show all posts

University of California Researchers Develop a Technique to Discover Inconsistencies in Smart Contracts


Researchers from the University of California, Santa Barbara, presented a "scalable technique" to check smart contracts and minimize state-inconsistency bugs, finding forty-seven zero-day vulnerabilities on the Ethereum blockchain during the process. Smart contracts are programs stored on the blockchain that are executed automatically when default conditions are met, depending on the encoded terms of the agreement. 

These programs let authorized transactions agreements be used by unknown parties without having the need of a central authority. In simple terms, the code is in itself a final party of the trade it is presenting, the program controls all the execution aspects, also provides an immutable evidentiary audit chain of transactions, both irreversible and trackable. As per the paper and researchers, "since smart contracts are not easily upgradable, auditing the contract's source pre-deployment, and deploying a bug-free contract is even more important than in the case of traditional software."

About Sailfish 

It aims to find inconsistencies in smart contracts, that allows an attacker to meddle with execution order or transactions, affecting control flow in a single transaction, for instance, reentrancy. Sailfish is a tool that converts a contract into a dependency graph, capturing control and data flow relations between state-changing instructions and storage variables of a smart contract. The tool helps to find potential inconsistencies. The researchers analyzed Sailfish on 89,853 contracts retrieved from Etherscan. 

Finding forty-seven zero-day vulnerabilities that can be exploited to extract Ether and might also comprise application-specific metadata. This will include vulnerable contracts implementing a house tracker that may be exploited so that house owners can do multiple active listings. "This is not the first time problematic smart contracts have attracted attention from academia. In September 2020, Chinese researchers designed a framework for categorizing known weaknesses in smart contracts with the goal of providing a detection criterion for each of the bugs," reports the hacker news.

Google Takes Down Around 46 Apps by Chinese Developers from its Play Store


Last week, around 46 apps by a Chinese developer, iHandy were taken down by Google from its Play Store. Initially, Google declined to provide reasons for the sudden removal of various security, horoscope, selfie, health and antivirus related apps which were downloaded over millions of times.

However, a total of eight apps were still present on Google’s Play Store, until three more were taken down, as per a Buzzfeed report. The Chinese company, established in the year 2008, claims to have almost 180 million monthly active users in more than 200 countries across the globe. Currently going through investigations, iHandy is one of the world’s largest mobile application developers.

In a conversation with Buzzfeed, iHandy VP Simon Zhu, while expressing how they found Google’s takedown quite unexpected, said “It is an unexpected action from our point of view. We are trying to find out the reasons. Hope the apps will be back to Play Store as soon as possible.”

Notably, Google has taken down apps made by Chinese developers in the past as well for various reasons; in this case, the removal is triggered by deceptive and disruptive ads. In August this year, after Trend Micro discovered malware inside certain apps, Google removed a total of 85 apps from its Play Store, most of these apps were related to gaming or photography and had more than 8 million downloads. The most popular names among these infected apps included, ‘Super Selfie’, ‘Cos Camera’, ‘One Stroke Line Puzzle’ and ‘Pop Camera’.

To exemplify, a very popular app known as ‘Sweet Camera- Selfie Beauty Camera, Filters’ which had over 50 million downloads was also removed in the process and it is not to be found on the Indian Play Store either.

Researchers discovered that all of these infected apps were put on the Play Store via distinct developer accounts and were signed by non-identical digital certificates, but they exhibited the same behaviors and shared a similar code.

Referenced from the statements given by Google’s spokesperson, "Our Google Play developer policies are designed to help create the best experience for users, and we explicitly prohibit deceptive or disruptive ads. When violations are found, we take action,"