Security Audit

CloutFeed Security Audit Report

A full security audit was carried out by ImmuniWeb SA, Geneva, Switzerland, to ensure CloutFeed is secure and keeps your BitClout seed phrase safe! Not only is it safe to log into the @CloutFeed app with your seed phrase (it is only stored on your device itself, never on the app’s server or database, and never leaves the app), but it’s actually safer than using the Bitclout.com website, since apps have better security than browsers: the app code is sandboxed from other apps!

Medium Risk Vulnerabilities Detected:

The mobile application stores the user’s seed phrase and passphrase via ‘leveldb’, which is then saved inside the application’s private data directory, within the ‘app_webview’ directory. The resulting file contents can be extracted by an attacker who has physical access to a victim user’s device. The seed phrase is only stored on your device itself and never on the app’s server or database, and never leaves the app.

This medium vulnerability comes from BitClout Identity itself, since it stores the plain seed phrase in the browser’s local storage, and the same happens on mobile devices. We have raised this issue with the BitClout team since the launch of BitClout Identity and, unfortunately, we did not receive a response regarding it.

If you trust BitClout then technically you trust CloutFeed, because we are using the exact same methods BitClout is using. In addition, mobile devices are more secure than web browsers, so CloutFeed is still a more secure experience than the BitClout website.

We proposed a solution to this problem: storing the seed phrase encrypted in the secure storage of iOS and Android.

CloutFeed now uses its own, more secure, open-source method instead of the BitClout Identity one.
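As an added illustration of the fix described above (this is example code, not CloutFeed’s own implementation, and the class and file names are assumed), the following Android/Kotlin snippet keeps the seed phrase in Jetpack Security’s EncryptedSharedPreferences, whose master key lives in the Android Keystore, instead of in the WebView’s leveldb-backed localStorage that the audit flagged. It assumes the androidx.security:security-crypto dependency and API level 23 or higher.

```kotlin
// Added example (not CloutFeed's code): keep the BitClout seed phrase in
// Keystore-backed encrypted preferences instead of WebView localStorage.
//
// What the audit flagged, for contrast: a page inside the Identity WebView
// calling localStorage.setItem(...) lands as plaintext under
//   <private data dir>/app_webview/Local Storage/leveldb
// and can be copied off a device an attacker holds.
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

class SeedStore(context: Context) {
    // The AES-256-GCM master key is generated inside the Android Keystore
    // (hardware-backed where the device supports it). Its raw bytes are never
    // exposed to the app, so a copy of the preferences file from the private
    // data directory yields only ciphertext.
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    // Both preference keys and values are encrypted with the master key.
    private val prefs = EncryptedSharedPreferences.create(
        context,
        "seed_store",                       // file name (assumed)
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun save(seedPhrase: String) {
        prefs.edit().putString(KEY_SEED, seedPhrase).apply()
    }

    // Returns null when no seed phrase has been stored on this device.
    fun load(): String? = prefs.getString(KEY_SEED, null)

    // Called on logout so the ciphertext does not outlive the session.
    fun clear() {
        prefs.edit().remove(KEY_SEED).apply()
    }

    private companion object {
        const val KEY_SEED = "seed_phrase"  // preference key (assumed)
    }
}
```

The seed phrase still never leaves the device, exactly as the report states; what changes is that the at-rest copy is ciphertext under a key the app itself cannot export, so physical access to the data directory no longer recovers it directly.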

Description: (FIXED ✅)

The mobile application does not sufficiently protect against screenshots and video screen captures, which can cause information disclosure. Attackers with physical access to a victim’s device, or malicious applications on the same device, can capture the information displayed on the screen by accessing the screenshots saved to the “/data/system_ce/0/snapshots” directory.

Screenshots are now disallowed!
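As an added example of how an Android app disallows screenshots (example code, not CloutFeed’s own; the activity and layout names are assumed), the window flag below blocks user screenshots, screen recording and the task-switcher snapshot that the finding refers to:

```kotlin
// Added example (not CloutFeed's code): mark any screen that can display the
// seed phrase as non-capturable.
import android.os.Bundle
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

class SeedPhraseActivity : AppCompatActivity() {   // activity name assumed
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE must be set before the first frame is drawn, so it goes
        // before setContentView. With it set, the system refuses screenshots
        // and screen recording of this window and writes a blank thumbnail
        // for it to the recents snapshot store (/data/system_ce/<user>/snapshots).
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_seed_phrase)   // layout name assumed
    }
}
```

A quick check after shipping: open the screen, press the screenshot combination, and confirm the OS reports that capturing is not allowed; then switch apps and confirm the recents card for that screen is blank.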

Always make sure you are using the latest version of CloutFeed App.

Description: (FIXED ✅)

The mobile application’s AndroidManifest.xml file sets the “android:allowBackup” flag to true. This allows application data to be backed up via command-line tools, and allows data to be restored to it.

This can lead to information disclosure if sensitive application data is included within the app’s private data directory and the storage location itself is compromised, for example through device theft.

Backups are now disallowed!

Changed: android:allowBackup="false"

Always make sure you are using the latest version of CloutFeed App.