CloutFeed: An Independent Audit

By Hunter Paulson

Introduction

CloutFeed is a native iOS application[1] built on the BitClout blockchain. After the application was released on April 6, 2021, questions emerged within the BitClout community about the authenticity and trustworthiness of the new client.

Not long after, the CloutFeed team posted this message on BitClout, answering some questions about their product and explaining that they'd be willing to undergo the independent audit that the community had strongly requested. After posting this, CloutFeed reached out to me via direct message[2], asking if I'd like to participate. I agreed, and after meeting with the team to go over the basic code base and operations, I set out, entirely independently, to discover any vulnerabilities, security concerns, and flaws within CloutFeed.

My name is Hunter Paulson. I'm a software engineer working for SeismicCore, LLC, and I'm a big fan of cryptocurrency. Over the past few weeks, I've gained a sizable following within the BitClout platform, and I've been described as an "Impactful dev[eloper] on the platform [and a] trusted builder"[3].

I'd like to thank the BitClout community for trusting me with the task of auditing CloutFeed, and I promise that this report contains the entire truth, and nothing but the truth. The credibility of this audit is my primary concern, so I'm hopeful that the community will trust the authenticity of the findings as presented.

I've included information in this report gathered from various sources. These sources include: the CloutFeed GitHub repository, the CloutFeed App Store page, private conversations with the CloutFeed developer, posts from the CloutFeed BitClout account, and more. For full transparency: information deemed confidential has been intentionally excluded from this report. Such information may include trade secrets, source code, or personal information that is not publicly accessible. The excluded information does not, in any way, impact the authenticity and accuracy of this report.

Before I begin, I should mention that this report covers topics that require a moderate understanding of technical concepts, such as client-server relationships and REST APIs. It also assumes that the reader has a decent understanding of BitClout's current state, how its blockchain works, and that they've read the one pager.

DISCLOSURE STATEMENT

Following the start of the audit process, I acquired holdings of $CloutFeed. These holdings do not create a conflict of interest or deny the authenticity of this report, as they were purchased AFTER the audit began, and following my look at the code base. My $CloutFeed holdings were purchased with the knowledge that thus far the audit had been positive, and with the expectation that this report would increase the coin price due to its confirmation of CloutFeed's legitimacy. I was in no way involved with, and had never spoken to, the CloutFeed developer prior to this audit.

CloutFeed: Who's building it?

First and foremost, I'd like to address the concern about the absence of public identities for the people behind CloutFeed. Initially, the team consisted of two software developers, who are friends and colleagues from a SaaS company[4]. The first person, Ribal Al Hatem, known as @bitcloutdeveloper on BitClout, is currently the only engineer building CloutFeed. It wasn't always this way, however. When the project first began, @cloutchaser was also involved. @cloutchaser's final contribution to CloutFeed before leaving the project came on April 1st, 2021.

Most of his contributions covered documentation, with limited contributions to the code base; his involvement appears to have been extremely limited. Al Hatem, with whom I've been in close contact during the audit process, stated that his partner "left [him] alone." Even so, he explained that he didn't "want to exaggerate" about @cloutchaser. The Terms of Service additionally mention CLOUT TECHNOLOGIES; however, this "project" (as the site states) appears to simply be a name assigned to CloutFeed and other future projects from the same engineer.

Al Hatem runs the @CloutFeed BitClout page and Discord account. Throughout the audit process, he was extremely transparent, cooperative, and helpful. Al Hatem was eager to get the audit process going, was willing to be extremely open and straightforward with all of my questions, and gave me access to all information I requested for this audit. He even stated, "You can include anything you think the public should know", when I asked him which information would be considered confidential.

The transparency and willingness to complete this audit shows me that Al Hatem is a trustworthy individual, who truly wishes to build the community, and has no clear intentions of harm. Through my multiple voice and text conversations with him, I'm proud to report that he's presented himself as an intellectual engineer with the BitClout community's best interests in mind.

Inside CloutFeed

CloutFeed is an application built in React Native with the help of Expo. It can be built for both iOS and Android, but it is currently deployed only to the Apple App Store due to API restrictions, which we'll explore later. While auditing the application, I reviewed each and every file within the CloutFeed source code (excluding dependencies, of course). The CloutFeed code base is nothing less than an engineer would expect from a React Native application. Though the code base is messy in parts, I'm proud to report that I discovered ZERO security or operational vulnerabilities within CloutFeed. In fact, the application is arguably more secure than the development BitClout node, which resides at BitClout.com.

I'd like to begin by explaining how CloutFeed and similar clients are currently able to function, and how they access the BitClout blockchain. BitClout, in its current state, is entirely closed source. This means that currently only the BitClout development team has direct access to the blockchain and to the nodes which run the chain. The development team behind BitClout runs and maintains multiple nodes. One of these nodes resides at BitClout.com. It is the node which processes all the content we know and love on the platform. The BitClout.com node runs in a similar fashion to most applications on the web: it exposes a REST API (written in Go) which handles requests from the client, such as making posts, and processes those requests to sign transactions on (or respond with data from) the blockchain.

The BitClout.com API, located at api.bitclout.com, is restricted, however. The development team has placed restrictions on the API to prevent abuse, including strict CORS policies and Cloudflare protection. Such restrictions generally keep engineers away from the API, as they make it fairly annoying to use. A common workaround for such restrictions is a web proxy; CloutFeed, however, does not use one.

iOS applications which make web requests rely on Apple's WebKit WebView to do so. WebView has some interesting properties which allow applications to access otherwise restricted APIs. WebView is able to request endpoints which other programs can't access, as it passes through Cloudflare protection. It also doesn't enforce CORS policies, making it the perfect solution for working around the BitClout API restrictions. However, WebView still ensures security by locking down its cookie jar: cookies are separated by application, and applications only have access to cookies which they create (more on this later). Due to this WebView capability, CloutFeed is able to function on iOS devices. This, however, is also the reason why CloutFeed and other mobile applications for BitClout do not exist on Android, even though they could be built for it. Since only Apple's WebView has this capability, the API is not accessible from an Android device.

CloutFeed Login and Authentication

The largest concern regarding CloutFeed is how it handles user authentication information. Due to the login process for accessing one's BitClout account, users must authenticate (log in) to CloutFeed using their seed phrase mnemonic. In the cryptocurrency community, providing your seed phrase to an unknown application is a large red flag and an instant turn-off. For this reason, I've focused heavily on the login process while performing my audit.

To understand how CloutFeed handles the login process, you must first understand authentication with BitClout.com. Here's how it works: when you log in to BitClout.com, the client verifies that the mnemonic entered is valid, generates entropy, and encrypts your mnemonic into a hexadecimal string. Then, it sends a create-user-stateless POST request to the API with the entropy, the encrypted seed, and the seed itself. Following this request, the API responds with a 200 status code, along with a set-cookie header. This header is vital to the login process. The set-cookie header in an API response signifies a cookie that the client will store for the API's domain. Such a cookie is not accessible to client-side JavaScript in any way (however, it may be accessed through malicious extensions). When this cookie is received, it is stored within the client. In BitClout's case, this cookie includes information about your user, most notably your encrypted seed phrase.

From this point on, whenever a request is made to the API, the cookie from the initial response is sent with it, and this allows the API to authenticate the request. This process is a large security flaw in BitClout.com. However, it is unlikely that any storage is occurring on BitClout's side. What we do know for sure is that our seed phrase is stored client side in a cookie, and is sent over the network with every request we make.

This is where CloutFeed comes into play. All of the steps above are for BitClout.com and the BitClout API. In fact, they are exactly the same for CloutFeed. The native application accesses the API directly on the user's device, with no proxy or middleman. When the request is made, a cookie is stored from the set-cookie header, the same as on bitclout.com. When the end user enters their seed phrase into CloutFeed, the exact same client-side processes take place as on BitClout.com: the entropy is generated, the seed is encrypted, and the request is sent.

Your seed phrase is not stored on a server (in fact, CloutFeed doesn't operate any servers at all: all data and requests, with the exception of reports, live on the blockchain and are gathered from the API itself), in local storage, in a state store of some sort, or by any other persistent means. After the application sends the create-user-stateless request, it has no ability to access your seed phrase, unless of course you log out and log back in. Your seed phrase is held in memory (as a variable) only momentarily while CloutFeed encrypts it for the request; from that point on, not even the app itself can see your mnemonic. The stored cookie is what allows CloutFeed to authenticate the requests it sends to the API when a user, for example, likes a post.
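The login exchange and cookie handling described above, as an added JavaScript example that is not CloutFeed's code and not the BitClout client's: the client POSTs the login payload, the server answers 200 with a Set-Cookie header, the cookie goes into a per-application jar, and it is attached only to later requests to the same host. The example also reports the cookie attributes (HttpOnly, Secure, SameSite) on which the "not accessible to client-side JavaScript" property actually depends, since a cookie set without HttpOnly is readable by script. The endpoint name and the three login fields come from the text; the cookie name, the host names and the server response are constructed placeholders, and no real BitClout response was captured for this.

```javascript
// Added example, not code from CloutFeed or BitClout. Models the cookie-based
// login described in the text; the cookie name, hosts and response body are
// constructed placeholders.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [rawName, ...rawValue] = parts[0].split('=');
  const cookie = { name: rawName.trim(), value: rawValue.join('=').trim(), attrs: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return cookie;
}

// Report the protections a session cookie carries. For a cookie holding an
// encrypted seed a reviewer wants all three: HttpOnly (no script access),
// Secure (sent over TLS only) and SameSite (limits cross-site sending).
function auditCookie(cookie) {
  return {
    httpOnly: cookie.attrs.httponly === true,
    secure: cookie.attrs.secure === true,
    sameSite: typeof cookie.attrs.samesite === 'string' ? cookie.attrs.samesite : null,
  };
}

// Per-application cookie jar keyed by host. Each app instance owns its own
// jar, and a cookie set by one host is attached only to requests to that host.
class CookieJar {
  constructor() {
    this.byHost = new Map();
  }

  storeFromResponse(host, setCookieHeaders) {
    const jar = this.byHost.get(host) || new Map();
    for (const header of setCookieHeaders) {
      const c = parseSetCookie(header);
      jar.set(c.name, c.value);
    }
    this.byHost.set(host, jar);
  }

  // Value for the Cookie request header, or null when nothing is stored for host.
  cookieHeaderFor(host) {
    const jar = this.byHost.get(host);
    if (!jar || jar.size === 0) return null;
    return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
  }
}

// Constructed stand-in for the server side of create-user-stateless: it checks
// that the three fields named in the text are present and answers with a
// Set-Cookie header. The cookie value is a placeholder, not a real format.
function fakeCreateUserStateless(payload) {
  for (const field of ['entropy', 'encryptedSeed', 'seed']) {
    if (typeof payload[field] !== 'string' || payload[field].length === 0) {
      return { status: 400, headers: {}, body: `missing ${field}` };
    }
  }
  return {
    status: 200,
    headers: {
      'set-cookie': ['session=ENCRYPTED_SEED_PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=Lax'],
    },
    body: 'ok',
  };
}

// Client side: send the login payload, store any cookies, and return the
// Cookie header that later requests (liking a post, say) will carry.
function login(jar, host, payload) {
  const response = fakeCreateUserStateless(payload);
  if (response.status === 200) {
    jar.storeFromResponse(host, response.headers['set-cookie'] || []);
  }
  return { status: response.status, cookieHeader: jar.cookieHeaderFor(host) };
}

// Run the whole flow once and summarise what a reviewer would look at.
function demo() {
  const host = 'api.example.invalid'; // constructed host, not a real endpoint
  const jar = new CookieJar();
  const result = login(jar, host, {
    entropy: 'CONSTRUCTED_ENTROPY',
    encryptedSeed: 'CONSTRUCTED_ENCRYPTED_SEED',
    seed: 'CONSTRUCTED_SEED',
  });
  const setCookie = fakeCreateUserStateless({ entropy: 'x', encryptedSeed: 'x', seed: 'x' })
    .headers['set-cookie'][0];
  return {
    status: result.status,
    sentToSameHost: result.cookieHeader,
    sentToOtherHost: jar.cookieHeaderFor('other.example.invalid'),
    protections: auditCookie(parseSetCookie(setCookie)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

`auditCookie` is the part worth running against a real response: if `httpOnly` comes back false, the cookie is readable by any script in the page or WebView, and the reasoning in the text about script access no longer holds.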


Is CloutFeed Trustworthy?

This means that CloutFeed follows the exact same security standards as BitClout.com. Simply put: if you trust BitClout.com with your seed phrase, then you can trust CloutFeed with your seed phrase, as CloutFeed relies exclusively and directly on BitClout.com, and nothing else. Expanding on this, I believe that CloutFeed is actually more secure than BitClout.com by nature, solely because the application runs natively on iOS devices. Not only is Apple known for its device security in all aspects; it also enforces very strict policies for applications.

For starters, applications must be reviewed by Apple prior to appearing on the App Store. This means that Apple must manually confirm that applications are legitimate and follow its rules. By allowing it on the App Store, Apple is confirming that CloutFeed is legitimate. More important, however, is how Apple containerizes cookies within WebView. Each iOS application which uses WebView has its own cookie jar. This jar isn't accessible from any application besides the one it belongs to (in this case CloutFeed). This means that even if you somehow managed to install malicious software on your iOS device, your seed phrase would be inaccessible. Additionally, Apple does not allow applications to read cookies which they haven't created. This means CloutFeed has no access to your authentication cookie, as it's created by the BitClout API response rather than by the application itself.

Finally, iOS devices are, in general, secure. Whereas a browser user can install malicious extensions and software with access to the files and cookies stored within the browser, iOS devices are secure by nature and don't have that sort of vulnerability created by user-installed software.

CloutFeed has only two functions which operate outside the BitClout API. The team runs a very small REST API using Cloudflare Workers. This API is used for reports and pinned posts. Due to Apple's reporting requirement for social applications, the team was forced to implement the ability to report content and users. When pressed, the report button sends a request to the Cloudflare Worker API, which stores the transaction / public key of the post / user being reported, along with the public key of whoever reported the content. This API is also used to set a "pinned post": the Worker stores which post is "pinned", and the client displays that post at the top of the global feed. Beyond these two features, 100% of CloutFeed remains within the BitClout API.

The rest of the operations handled by CloutFeed are fairly straightforward. They call the API and use the data they receive in API responses in the same way that BitClout.com does.

To put it simply, CloutFeed is BitClout.com, only with different visuals and additional built-in features, all of which still rely on the same API. It handles all requests very effectively and efficiently, exactly as I'd expect from such a code base. Actions like logging in and out are handled in the exact manner BitClout handles them. Overall, the insides of CloutFeed are extremely well written and function well. I'm extremely impressed with Al Hatem's work, and was very surprised by the lack of flaws found within the application. For all intents and purposes, CloutFeed's client is secure, functional, clean, and designed for the community's benefit.

Monetization

In CloutFeed's Q&A post[4], their direct response to community speculation following the application's announcement, the team spoke about monetization of their application. They stated their intention not to show ads on their client, not to sell user data, and not to use their users as products. This raised curiosity about CloutFeed's intentions.

I spoke with Al Hatem about this topic, and he was very transparent about his intentions toward monetizing the application. The details from this conversation outline the monetization structure which CloutFeed is looking into, and give a very good understanding of their intentions regarding making money. In summary: the team wants to monetize, but they want to do it ethically. They don't believe in ad tracking or data selling. Our conversation is as follows:

HPaulson — 04/14/2021

One thing I did want to speak about
Why are you building CloutFeed?

It's not open source, and you stated that you won't be showing ads, so what's the motivation?

cloutfeed — 04/14/2021

Fair question

I am amazed by the idea of decentralized social networks, since I myself really hate fb, twitter, ... for stealing our data and commercializing it.
The problem is not only that they commercialize our data, but they are running machine learning algorithms to analyze our behavior. With your technical knowledge you know how powerful that is to control the mindset of a whole new generation.

With CloutFeed I assure that no more such things can happen.
The second part is BitClout is a lot bigger than a social media. I have a lot of ideas that I want to build based on BitClout which can earn me money to finance CloutFeed. It will be mostly commissions for services. The social media part was just the first step to get user adoption.

HPaulson — 04/14/2021

As I thought, okay

So you do have an interest in monetization, just through other methods (such as additional paid features or something of the sort) than ads

cloutfeed — 04/14/2021

Yes

I am still thinking deeply about the ads part. If I want to change that in the future, it will be in a fair way. Since we don't analyze user behavior, we cannot show targeted ads.

That's why I don't like ads. Maybe I will show some promotions on the global feed

But when I want to change the ads terms
I will make it public for everyone
Before starting

Publication

The final topic I'd like to discuss in this report is CloutFeed's publication. While submitting the application to Apple for review, the CloutFeed team experienced significant delays after being denied five times. The lag raised concerns within the community, especially since the team did not communicate what had caused the delay until later on. They were denied for the following reasons:

  1. The application did not require users to accept the CloutFeed Terms of Service. Apple requires this for all applications which contain user-generated content. The team's solution was to require the user to accept the terms.
  2. On iPad, there was a UI bug where users were not able to accept the TOS. The team fixed the bug using an over-the-air update.
  3. The application was denied again for the bug outlined in reason 2. The Apple agent encountered the issue twice because the update was sent over the air and thus required a reload, which the agent did not perform. The team solved the issue by shipping the bug fix with the actual application build.
  4. The Direct Messages tab was listed as "Coming Soon", which was denied because Apple does not permit beta content. CloutFeed removed the tab.
  5. Apple requested more information on how users could acquire a sign-in seed phrase. The application was approved after CloutFeed complied.

In terms of production ethos, the CloutFeed team follows the crypto ethos closely. Though the application has a report function, due to Apple's requirements, the team closely follows the ideals of decentralization. This ethos, taken together with their refusal to censor or sell data, bodes well for meeting the expectations of the crypto community.

Conclusion

Technically speaking, CloutFeed is extremely secure in its current code base. It relies entirely and directly on the BitClout.com API for every action with the exception of reports, and handles security practices in the same way that BitClout.com does. As I stated above, it is my strong position that CloutFeed is more secure by nature than BitClout.com, due to its home on iOS: an extremely secure operating system with containerized applications, which allows the application to escape vulnerabilities (such as malicious extension use) to which BitClout.com may be susceptible.

While my personal opinions about CloutFeed are separate from my conclusions about the security of their client, I must emphasize how open and transparent Al Hatem and the team were throughout this process. My expectation when agreeing to this audit was to find flaws in the application which I could report to the team and the community. I also expected that the team wouldn't cooperate fully with questions, instead yielding the minimum level of cooperation demanded by the community.

Overall, I strongly believe that my CloutFeed audit was a major success. Based on the evidence and facts I've provided in this report, it is my hope that the community can come to a consensus about the application and whether they can trust the platform or not.

Acknowledgement

Thank you again to the CloutFeed team for allowing our community to independently audit your application and report our findings. With trust comes power, and providing the community such an ability allows us to form our own thoughts and opinions regarding your platform, and to decide whether we shall use it. Your transparency is greatly appreciated.

Disclaimer

This report is not a form of investment advice in any shape or form. All information in this report has been gathered and concluded from my own individual and independent review of the CloutFeed code base, which was provided to me by the CloutFeed team. I cannot 100% guarantee in any way that the audit I performed was on the exact code which runs in the native application. This audit and report were written entirely free of charge; I was not and will not be compensated for them in any way. All thoughts in this report are my own, and I was not and am not censored from sharing my findings in their entirety regarding the CloutFeed application. Information in this report is accurate to the best of my knowledge and ability; however, such information is provided "AS-IS", with no guarantee that the information provided in this report will create financial or other gains. I am in no way responsible for damages caused by CloutFeed, its development team, or changes in their code base.

Citations

  1. CloutFeed BitClout Profile Description

The first decentralized social network mobile app based on BitClout

  2. CloutFeed Audit Request Direct Message

Hello HPaulson, we know that you are following BitClout from the start and already built some amazing documentations and projects built on that. As you can find in our last posts, we are looking for community people with a solid technical knowledge who can help us audit our app and provide a secure experience to the whole community. Based on that we want to ask you, if you have experience with auditing iOS Apps or know a third party who can lead the process for us. Thank you in advance. CloutFeed

  3. BuilderTF Post

@hpaulson is one of the most impactful devs on the platform. He is a trusted builder and is a part of the independent audit report team for @cloutfeed. His coin is valued at ~1800; we believe this is undervalued.

(NOT INVESTMENT ADVICE)

  4. CloutFeed Q & A Post

We are a small team of two developers with a passion for cryptocurrencies. We have been working together for over four years for a SaaS company.
[...]
To provide the best decentralized social network which does not:
1. Show Ads to its users.
2. Collect user’s usage data and commercialize it.
3. Use the user as a product.
