Topic: [ANN] MangoCoinz Official ANN Thread - Mine cryptocurrencies on you smart phone - page 65. (Read 164585 times)

Hey everybody,

We've just published MangoCoinz v0.5.2 and it will be available to update in a few hours.
This is a security update, and updating from v0.5.1 will not result in coin loss.

A short time after the update is available, it will be the only version able to interact with the system.

Best regards, Srele from MangoCoinz.

Ok, no worries!  Thanks for the info!

Im excited to try it out.  Best of luck to you and your team!

JJ12880

Yep, we're from Serbia.

Best regards, Srele from MangoCoinz.

I think they are from Serbia, have you seen their video regarding mangocoinz ?  The guy gets up after sleeping, says I want to mine mangocoinz and runs with 2 phones in his hand lol

Where are you from DEVs?

Since everyone is talking about source and security lately, let me share my opinions. I'm an Android app and system developer and just recently started looking into cryptocurrencies.

So here are my findings about this coin:
- Reverse-engineering the apk was trivial, devs didn't even use ProGuard to make it harder to read. This is not a problem actually, because even if the app is obfuscated, it's not much harder to understand.
- The coin is centralized and all data is probably stored in a database without a blockchain and proof-of-anything. This system can be hacked, devs can do bad things (though they seem to be honest).
- Even if you don't have the source, there are a lot of ways to cheat the system on Android.
- Coding a desktop implementation based on the reverse-engineered apk is trivial, one can sync without using an Android device at all. Add proxies and bots to this and you can easily "mine" hundreds of coins per day. You can also signout anyone just by knowing the username. It might be possible to sync an arbitary amount of coins to any username too, this depends on how much checking is implemented. I guess it could work since if one used random device data, the system would think the user started using another device (too).
- The app uploads the following information about a device: device model and name, IMEI number and if the device is rooted. All of them can be faked on a rooted device. I understand that IMEI is used for checking multi-account usage on one device, but not in plaintext, it should be hashed and only that value sent to the server. What if the server is hacked, IMEI numbers are stolen and sold on the black market? I personally wouldn't be happy.
- Up until v0.5.0b, only salted password hashes were sent to the server, providing a secure authentication. The salt was generated by the device randomly upon signup. Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext, which is problematic if you use the same password elsewhere, let's say for your e-mail account, not to mention they know your e-mail address too.
- Probably this was introduced to ease server load as there's no need for another API call to get the salt.
- Fortunately, communication between the device and the server is done through the secure HTTPS protocol. However, the server uses a self-signed certificate (trusted certificates are not free) and the app is coded not to reject unauthorized certificates for this very reason. This makes it possible to successfully execute a man-in-the-middle attack and steal passwords which aren't sent hashed anymore. This kind of attack is very common on public Wi-Fi access points, such as a coffee shop, airport, etc.

By all this said, please do not think I'm against this coin or anything. People just have to know the truth. Even if it might have sounded harsh at places, I appreciate developers' work, because this really is a unique idea. Unfortunately without a real blockchain and proof-of-anything system there's no way to properly secure the system. You can make it harder to cheat, but not impossible.

So much this, one can simply modify the code and make it simpler for him to "mine" coins. Then again, whats with the posts recently trying to downplay the dev? I'm pretty sure the devs are coming up with bugs fixes and better application and features, take the upcoming iphone app for instance

if you had the source you could fake the accelerometer requirements.

cheaty haxors

1) I need to know what the official time of APP to understand what is the beginning and the end of the 24-hour cycle.

2) Why the app needs to determine the phone number and codes of the device?

This is extremely risky

while some might help improve, more likely we see all the scamcoin makers clone it and start pumping daily new *Coinz in altcoin seciton.  this would be enough to kill real development here imho.  The devs from what i see are making something original and is entirely their own work and not another crapcoin cloned from bitcoin/peercoin like the hundreds others here. 
too many scammers waiting to make a quick profit from easily available source, and are able to quickly shill their scamcoins and ipos with sockpuppets, and then the arrangements they have with exchanges to get their coins listed/ipo means the real hard working and honest devs and users stand to lose out, while the scammers would continue to profit with something they have contributed nothing to.
 
I think there maybe a place something like this to be opensourced and decntralized later on, but not while the project is still finding its feet, its doesnt need its hard work complicated and quickly devalued. 

Bump.

Crypto is only strong if you can prove it openly. If there's a bug/flaw and you keep it closed you're risking the whole project.
Make it open and let the community help improve it. Like I said before, it's an Android app, the source is readily available anyways so might as well invite the community.

exactly, glad someone does their research

do you mean device's IMEI number?

im willing to bet these users had the app installed on their device and registered with a different username hence that error message and they just dont want to admit it
the information used for registration uses a value unique to each device and there is no possibility in a different device having the same information as another
infact most governments have bans placed on import/export of devices containing the same aforementioned duplicate information used for device identification

Hey j22904,

Could you please send us the models of the phones that you are trying to signup to [email protected], and we will see how we can help you.

Best regards, Srele from MangoCoinz.

I just got the transfer, it was quite quick, and I like the idea that you use a nickname instead of a string of numbers 

I just sent 993 or so Mangocoinz to EBK1000 which is my nickname. How long does it take for it to show up on the blockchain