Bitcoin Forum

Economy => Service Discussion => Topic started by: capsqrl on September 30, 2012, 08:15:33 PM



Title: blockchain.info Android wallet security
Post by: capsqrl on September 30, 2012, 08:15:33 PM
I'm playing with a blockchain.info wallet. Their web security seems really great, and I use Google Authenticator as a second factor. I've installed their Android wallet on my phone and paired it to my wallet. This seems to bypass all security. It never asks for my password, and never asks for my second factor. It just opens my wallet. I don't know if it would allow me to transact, but it seems so.

This is no good. Phones are stolen and lost all the time. Is there some setting I'm overlooking, or is this a gaping deficiency in their Android app?


Title: Re: blockchain.info Android wallet security
Post by: jwzguy on September 30, 2012, 08:43:42 PM
> I'm playing with a blockchain.info wallet. Their web security seems really great, and I use Google Authenticator as a second factor. I've installed their Android wallet on my phone and paired it to my wallet. This seems to bypass all security. It never asks for my password, and never asks for my second factor. It just opens my wallet. I don't know if it would allow me to transact, but it seems so.
>
> This is no good. Phones are stolen and lost all the time. Is there some setting I'm overlooking, or is this a gaping deficiency in their Android app?

Enable "double encryption" - this adds a second password to use when withdrawing. It's a good idea to use this anyway. It will ask for this second password when using the phone app.



Title: Re: blockchain.info Android wallet security
Post by: paraipan on September 30, 2012, 08:45:19 PM
> I'm playing with a blockchain.info wallet. Their web security seems really great, and I use Google Authenticator as a second factor. I've installed their Android wallet on my phone and paired it to my wallet. This seems to bypass all security. It never asks for my password, and never asks for my second factor. It just opens my wallet. I don't know if it would allow me to transact, but it seems so.
>
> This is no good. Phones are stolen and lost all the time. Is there some setting I'm overlooking, or is this a gaping deficiency in their Android app?

Nope, you're not overlooking anything, it just works that way. I recommend you password protect the wallet application if you have the ability to do it.


Title: Re: blockchain.info Android wallet security
Post by: jwzguy on September 30, 2012, 08:45:56 PM
PS - I had the same initial concern when I started using the phone app, so don't feel bad.

The site dev should really put a message above the phone sync screen that says "Use double encryption or your phone will become a huge security hole!"


Title: Re: blockchain.info Android wallet security
Post by: wksantiago on September 30, 2012, 08:47:34 PM
Also encrypt the whole Android OS.
Try this:
http://curacaoconnected.com/how-to-protect-your-data-on-your-android-device/


Title: Re: blockchain.info Android wallet security
Post by: n8rwJeTt8TrrLKPa55eU on October 02, 2012, 08:27:26 PM
> Also encrypt the whole Android OS.
> Try this:
> http://curacaoconnected.com/how-to-protect-your-data-on-your-android-device/

Careful with this option.  I had it on, and will never use it again.  Read this thread:

https://forums.motorola.com/posts/b027ce4327

Basically data encryption doesn't just encrypt OS and/or application-created data, but all data on internal storage *and* any removable sdcard, including all files that existed prior to turning on encryption or were copied over later, i.e. it's not controlled by file, but by partition.

So if you take out the removable SDCard and try to use it anywhere else (in case phone dies, or you have to do a factory reset), you are screwed.  You can't even re-read it in the same phone and using same PIN after a factory reset, because there is some randomizing factor involved.  I got bitten by this a few days ago, had to do a reset due to Home button no longer working, and assumed the external SDCard was not encrypted as I bought the card a few weeks ago.  Just in case, I took it out during reset.  End result: putting the card back in, all files were unreadable.  Thankfully for me, 99% of the files on that card were podcasts that I could redownload.

Bottom line:

Without encryption...you will lose your data (BTC) if your phone is stolen.
With encryption...you will lose your data (BTC) if your phone is stolen *or* your phone dies *or* you forget to make a backup to an external device (not to the internal or mountable SDCard!) before factory reset.



Title: Re: blockchain.info Android wallet security
Post by: wksantiago on October 03, 2012, 01:25:26 AM
Great warning. This is intended for people who would like to secure their data and make sure it does not fall into the wrong hands. I have a Galaxy Nexus with no removable SD card.