Documentation
Security Audit

Security Audit

Introduction

To be listed on the Ledger Live “My Ledger“ section, Device Apps and Plugins must go through our integration process that includes a security audit performed by one of our trusted partners.

Provided your project fulfills the conditions, this is how an external audit unfolds:

  1. You get in touch with the auditers and sign a contract with them. Read more.
  2. The auditors review your app based on Ledger specifications. Read more.
  3. Ledger reviews the security audit report
  4. Ledger publishes your app
⚠️

The security audit is mandatory for an application to be available on our production providers (accessible by default from the LedgerLive). However it is possible to deploy without security audit on other providers, for test purposes. However, the application will need to display a warning message when starting.

Conditions

To go through an external security audit, ensure your project fulfills the following conditions:

  • Your Device App works with all our devices (Ledger Nano S, S Plus, X and Stax)
  • Your Device App has been functionally validated by Ledger team
⚠️
  • - Do not start a security audit process if your Device App is not ready for all Ledger devices (Ledger Nano S, S Plus, X and Stax).
  • - Your Device App must still be functional after the security audit

Content of the security audit

Ledger has established and made public a detailed specification of what needs to be done to perform a security audit following Ledger’s standards.

StepSpecification
Application privilegesCheck application flags (privileges) and allowed derivation paths.
CompilationCheck for compilation warnings, and if warnings have been silenced. If so, ask for a fix.
TestsRun tests and check they succeed / Check tests are sound.
Static AnalysisCheck for defects using scan-build and our scan options. Add in CI if not present / CodeQL: check with the "security and quality" queries. Add in CI if not present.
Manual code reviewList every transaction fields. Look which ones must be displayed to the user / Check transaction parser, field formatters / Check if sensitive data is properly erased / Do not allow blind signing.
FuzzingImplement a transaction fuzzer. Best effort to reach decent coverage / Use libFuzzer if possible to integrate with ClusterFuzzLite.
DeliverablesReport and executive summary detailing findings, and tests that gave no results / Security fixes: on a temporary private fork / Feedback on the SDK: what could be improved for a better security.
Ledger
Copyright © Ledger SAS. All rights reserved. Ledger, Ledger Nano S, Ledger Vault, Bolos are registered trademarks of Ledger SAS