mobile wallet security


not privacy, that's another session

This is about crypto wallets, where you hold the money yourself instead of someone else holding it for you.

1. what is a cryptocurrency wallet and how does it work?

  • It reads the blockchain for balance & transactions

  • Has a connection to a blockchain node

  • If you send a tx, you sign the tx with your privkey, then send it to the node

    • sendrawtransaction || send

  • In theory the seed never leaves the device; you only sign

Easypeasy.

1. what is a cryptocurrency wallet and how does it work?

2. Now, let's go through every security risk

SECURITY RISKS 1
App: Open source or closed source?

What could the risks be?

SECURITY RISKS 2
App components

External resources: Cross App Scripting

For example: fonts

Seed generation

Too simple seeds?

Use real randomness
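Seed generation as an added example (not code from the talk): entropy is drawn from the OS CSPRNG via `secrets`, a sanity check rejects the tell-tale output of a broken RNG, the BIP39 checksum turns the entropy into 11-bit word indices, and the mnemonic is stretched into the 64-byte seed with PBKDF2-HMAC-SHA512 exactly as BIP39 specifies. The 2048-entry wordlist is not embedded, so the indices are returned as numbers; the mnemonic-to-seed step takes the words as a string.

```python
import hashlib
import secrets
import unicodedata
from typing import List


def generate_entropy(bits: int = 128) -> bytes:
    """Draw seed entropy from the OS CSPRNG, never from random.random() or a timestamp."""
    if bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP39 entropy must be 128..256 bits in 32-bit steps")
    return secrets.token_bytes(bits // 8)


def reject_weak_entropy(entropy: bytes) -> None:
    """Cheap sanity check: a zeroed or constant buffer is the classic symptom of a broken RNG."""
    if len(entropy) < 16:
        raise ValueError("fewer than 128 bits of entropy")
    if len(set(entropy)) == 1:
        raise ValueError("entropy is a constant fill; the RNG is broken")


def bip39_word_indices(entropy: bytes) -> List[int]:
    """Append the BIP39 checksum (first len/32 bits of SHA-256) and split into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()
    bits = "".join(f"{b:08b}" for b in entropy)
    bits += "".join(f"{b:08b}" for b in checksum)[:cs_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase, NFKD-normalised."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


if __name__ == "__main__":
    ent = generate_entropy(128)
    reject_weak_entropy(ent)
    print("word indices:", bip39_word_indices(ent))
    # Known BIP39 vector: 16 zero bytes -> eleven times index 0 ("abandon") then index 3 ("about").
    print(bip39_word_indices(bytes(16)))
```

The zero-entropy vector is the reason for the sanity check: an RNG that returns zeros produces a perfectly valid-looking mnemonic, and only the checksum's last word betrays it.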

Where is the seed stored?

App data is in cloud storage of apps: iCloud and Google Backup

Seed encryption -> use IMEI + PIN, but still brute-forceable.
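Why IMEI + PIN stays brute-forceable, as an added example (not from the talk): the weak scheme hashes values an attacker holding the phone already knows, so the only secret is the PIN, and a fast hash lets every PIN be tried in moments. A memory-hard KDF with a random per-install salt (scrypt here, via `hashlib.scrypt`) makes each guess cost real time, and the worst-case calculation shows that this helps but does not rescue a 4-digit PIN; the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import os
import time
from typing import Callable

# scrypt cost: N=2**15, r=8 needs 128*r*N = 32 MiB per derivation (assumed illustrative values).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 15, 8, 1


def weak_wrap_key(imei: str, pin: str) -> bytes:
    """The scheme from the notes: one fast SHA-256 over IMEI + PIN, no salt, no work factor."""
    return hashlib.sha256((imei + pin).encode()).digest()


def new_salt() -> bytes:
    """Random per-install salt stored next to the wrapped seed; it defeats precomputed tables."""
    return os.urandom(16)


def strong_wrap_key(pin: str, salt: bytes) -> bytes:
    """Memory-hard derivation: each guess costs ~tens of ms and 32 MiB instead of a microsecond."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=32)


def seconds_per_guess(derive: Callable[[], bytes], rounds: int = 3) -> float:
    """Measure the cost of one derivation on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive()
    return (time.perf_counter() - start) / rounds


def worst_case_brute_force_seconds(pin_digits: int, sec_per_guess: float) -> float:
    """All 10**digits PINs must be tried in the worst case; offline, nothing rate-limits the attacker."""
    return (10 ** pin_digits) * sec_per_guess


if __name__ == "__main__":
    imei, pin, salt = "490154203237518", "1234", new_salt()  # constructed sample values
    t_weak = seconds_per_guess(lambda: weak_wrap_key(imei, pin), rounds=1000)
    t_strong = seconds_per_guess(lambda: strong_wrap_key(pin, salt))
    for label, t in (("sha256(IMEI+PIN)", t_weak), ("scrypt(PIN, salt)", t_strong)):
        print(f"{label}: {t * 1000:.3f} ms/guess, 4-digit PIN worst case "
              f"{worst_case_brute_force_seconds(4, t):.1f} s")
```

Even at 100 ms per guess a 4-digit PIN falls in under 17 minutes offline, which is why the wrapping key should live in hardware that rate-limits attempts (Android Keystore, iOS Secure Enclave) and why the wrapped blob should be kept out of cloud backups rather than relying on the PIN alone.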

domain spoofing

  • DNS spoof -> refer to malicious website

  • WiFi spoof -> redirect (WIMA)

  • Server hack -> fake website

losing phone -> people could access funds

key / touch logger -> key mitigation

event-stream package (npm).

Copay: malicious packages.

code auditing + hashing

keyboard.

spell check