Security Best Practices
Deploying a solution with Wallet as a Service means that your application can be a target to adversarial parties. As such, Coinbase recommends that you follow the security guidelines below.
Threats & Mitigations
This section lists some of the most common attack vectors and the associated mitigations.
Compromised API Key
Threat: Your API key is compromised. An adversarial party can access your key and create API calls to the WaaS API on your behalf.
Impact:
WaaS resources can be enumerated (Pools, MPCWallets).
WaaS resources can be created (Pools, MPCWallets, MPCKeys, MPCTransactions, MPCOperations). This eats into your quota for wallets, and depending on your billing plan, could exhaust your resources.
MPC transactions can be initiated. That said, a transaction cannot be signed without active engagement by the user on a phone with a biometric prompt. For an MPC transaction to be valid, it needs to be created under a particular device group. Once created, it can be polled with List MPC Operations under the given device group.
Mitigation:
Never store API keys in your code repository.
Never embed API keys in a deployed code package (mobile or web).
Store API keys encrypted on your middle tier server (see Proxy Server), or load them once in environment variables.
Rotate API keys on a regular basis
If an API key is compromised, or is at risk, rotate your API key
When initiating signing operations from your application, store the assigned MPC operation ID (
mpc_operation_id) in your middle tier database and relate it to the user and context of the operation. When enumerating MPC operations, verify that every operation returned by WaaS is present in your middle tier database. Filter out operations not initiated by the end user to prevent an adversary spamming the user with signing requests.
Compromised Device
Threat: The end user device gets compromised.
Impact: Key export can be triggered if biometrics or passcode are by-passed or circumvented.
Mitigation: Key export requires biometric approval or passcode from the end user Lost or compromised devices must be remotely wiped by the end user using Google or Apple “Find Device” feature.
Security Model
Deploying a secure solution end to end is a shared responsibility between the end users, customer and Coinbase.
End User Responsibility
Protect and secure the mobile device, including any biometrics or passcode
Protect and secure the decryption key and seed phrase when exported
Ensure the mobile device is up to date.
Only approve biometric prompts after end user initiated-actions (export, signing, onboarding).
Don’t use jailbroken or rooted devices.
Only end users can access the full private key.
Customer Responsibility
Securely integrate the WaaS SDK before building applications.
Store API keys and secrets in secure configuration.
Ensure API keys and secrets are not deployed to mobile devices.
Rotate API keys regularly, or if there is a chance they have been compromised.
Implement some level of jailbreak detection in the application.
Provide end user identification.
Provide the end user authentication and authorization layer between the mobile device and the middle tier.
Maintain the mapping between resources and end users, and ensure end user actions can only affect the resources they own (MPCWallets, addresses, MPCKeys, MPCTransaction, MPCOperations).
Protect and secure the middle tier server hosting the customer application layer.
Implement and expose key export functionality so that end users can decide to backup their private key if necessary, and import into another wallet.
Implement and expose backup/restore functionality so that end users can recover keys in case of device loss or bug.
Coinbase Responsibility
Provide services needed for WaaS and secure the infrastructure.
Store and secure encrypted key shards on Coinbase infrastructure in a manner accessible only with the decryption key held by the end user
Keep nodes up-to-date based on public release of blockchain builds.
Maintain the infrastructure to support WaaS.