Bitcoin Forum

Bitcoin => Wallet software => Topic started by: 9thsky on August 22, 2020, 05:50:19 PM



Title: What are the risks of mobile wallets?
Post by: 9thsky on August 22, 2020, 05:50:19 PM
What security risks are involved when storing bitcoins in an Android mobile app wallet, and how to minimize (or preferably eliminate) those risks when using one (such as Electrum)?


Title: Re: What are the risks of mobile wallets?
Post by: hugeblack on August 22, 2020, 06:30:36 PM
Quote
What security risks are involved when storing bitcoins in an Android mobile app wallet, and how to minimize (or preferably eliminate) those risks when using one (such as Electrum)?
Your Android OS is considered safe if you know how to protect it from not installing unknown apps, reducing the phone's connection to the Internet, not downloading a lot of apps, physically saving the device from theft and things that cause it to stop.

Electrum wallet is not the best for a mobile device and you should not assume that your coins are safe just because you use it.

If you are looking for enhanced security, you should not use a hot wallet, but rather cold storage in hardware wallets or well Air gap devices.


Title: Re: What are the risks of mobile wallets?
Post by: The Sceptical Chymist on August 22, 2020, 06:51:15 PM
The biggest risk in my eyes is getting your phone stolen.  Since that's always a possibility, I would protect whatever wallet you use with a solid password that won't allow access to your coins unless it's entered correctly.  Some wallets use PINs, and I'm not sure how secure those are.

Quote
Electrum wallet is not the best for a mobile device and you should not assume that your coins are safe just because you use it.
It's definitely got a decent reputation, and I think you could do a lot worse than Electrum for a mobile wallet.  I've used it with no problems in the past, as well as Mycelium.  There are so many available, and I haven't used most of them but the password security issue goes for any of them--and always back up your wallet with the seed phrase or whatever a given wallet gives you the option to do to back it up.

Quote
If you are looking for enhanced security, you should not use a hot wallet, but rather cold storage in hardware wallets or well Air gap devices.
Well, I totally agree with that but OP asked specifically about mobile wallets, so I think he's looking to use one.


Title: Re: What are the risks of mobile wallets?
Post by: logfiles on August 22, 2020, 09:58:43 PM
1. the most obvious one, It's very easy to lose a mobile device since you move with it everywhere.

Solutions
- Always encrypt your device and all the wallets with very strong PINs, passwords or passphrases
- Always backup your private keys and seed phrases and keep them safely in a secret place

2. High chances of downloading malware especially if the device is used to access internet all the time. This problem is so common with Android devices.

Solutions
- Keep your device's OS always up to date in case of any exploits
- Avoid downloading unnecessary apps which could contain malware. Always download only official apps
- Avoid rooting the phone (common with Android OS)


Title: Re: What are the risks of mobile wallets?
Post by: pooya87 on August 23, 2020, 04:09:44 AM
do you carry around all the physical cash you have in your pocket or purse every day? obviously no. you only carry around small amount of cash. that's the same with bitcoin, just because you can physically carry a million bitcoin in a phone wallet it doesn't mean you should. a phone wallet should be considered similar to a purse where you put cash in to carry around even if it has better security.
on top of that it is digital and can be damaged. for example next time you connect your phone to a power outlet to be charged the storage may be damaged and your wallet be wiped.

in short unless you have absolutely no other options, you should not use a phone to store your bitcoins. instead use hardware wallets, paper wallets and other cold storage options.


Title: Re: What are the risks of mobile wallets?
Post by: ranochigo on August 23, 2020, 04:19:20 AM
Quote
What security risks are involved when storing bitcoins in an Android mobile app wallet, and how to minimize (or preferably eliminate) those risks when using one (such as Electrum)?
The way Apple and Android designed their OS makes one more secure over the other. Apple doesn't allow the user to do much with their devices which is a bane if you're looking for a more open software and a boon if you're looking for a device which is more secure.

There's just one inherent risk that cannot be eliminated with mobile wallets: its portability. There's no way you can prevent people from stealing or yourself from losing your phones if you're bringing it everywhere with you. It's more suitable as a hot wallet to put a small portion of your coins in for daily spending.


Title: Re: What are the risks of mobile wallets?
Post by: oleg8791 on August 23, 2020, 04:36:44 AM
The most common risks except the risk of losing your smartphone are phishing scams and ransomware. How can you enhance your security?
1. Regularly update the software and antivirus solution.
2. Use a reliable password manager
3. Download a VPN to ensure your anonymity online.
4. Use two wallets for cold and hot storage. I like Ledger and Ownr.
 


Title: Re: What are the risks of mobile wallets?
Post by: joniboini on August 23, 2020, 07:03:53 AM
Quote
3. Download a VPN to ensure your anonymity online.
Keep in mind that using a VPN or not does not mean improved security. It could even add additional risk of data stealing if you use a free one or even a paid one. Always input your seed/private key offline to avoid this.


Title: Re: What are the risks of mobile wallets?
Post by: ranochigo on August 23, 2020, 07:32:42 AM
Quote
Keep in mind that using a VPN or not does not mean improved security. It could even add additional risk of data stealing if you use a free one or even a paid one. Always input your seed/private key offline to avoid this.
Your seeds or private keys shouldn't leave your device in the first place. Connecting to a VPN does help with the anonymity but the impact to the security should be managed fairly well. There's a risk of Sybil attack with SPV wallets but some wallets try to mitigate this.


Title: Re: What are the risks of mobile wallets?
Post by: khaled0111 on August 23, 2020, 12:12:57 PM
To mitigate the risks of getting your coins stolen when you lose your phone, you have to encrypt your important files or the whole disk. You can do this from the settings page or use a reliable encryption app.
You must also activate the lock-screen feature and use a strong password or a complex pattern.
To avoid drawing the attention of the thief, you can hide your app's icon. Again, you can use a reliable third party app for this or activate the private feature (something like that) from the settings page.

Always keep a back up of your wallet file/seed in a safe location and never keep more coins than you need in your mobile wallet.


Title: Re: What are the risks of mobile wallets?
Post by: tippytoes on August 23, 2020, 12:47:33 PM
Quote
1. the most obvious one, It's very easy to lose a mobile device since you move with it everywhere.

Solutions
- Always encrypt your device and all the wallets with very strong PINs, passwords or passphrases
- Always backup your private keys and seed phrases and keep them safely in a secret place

2. High chances of downloading malware especially if the device is used to access internet all the time. This problem is so common with Android devices.

Solutions
- Keep your device's OS always up to date in case of any exploits
- Avoid downloading unnecessary apps which could contain malware. Always download only official apps
- Avoid rooting the phone (common with Android OS)


I believe that's my main issue when it comes to using mobile wallets. Aside from being stolen, the case of getting it crushed or damaged is high. So if you want to use mobile wallets for convenience purposes, you really need to do the above solutions mentioned by logfiles. Because ask yourself, how many phones have passed on your hands? So the phone where you want to install your mobile wallet definitely will not be your last and forever one.


Title: Re: What are the risks of mobile wallets?
Post by: bob123 on August 23, 2020, 03:58:27 PM
A huge risk is using outdated software.

If you are that type of a person who doesn't update his Windows 7 device, then be assured, your mobile is way more secure than your PC.
However, if you are not that careless, you actually need to check what the latest patch for your device is.
Older phones often do not get enough security patches past ~2 years of lifetime. This poses a risk.

Besides that, the obvious things to consider are:
  • Do not use shady software with tons of permissions needed
  • Use encryption + backup in case of loss or theft
  • Keep your mobile up-to-date
  • Only carry as much with you as you would carry cash in your wallet


Title: Re: What are the risks of mobile wallets?
Post by: TheUltraElite on August 24, 2020, 08:06:48 AM
Quote
What security risks are involved when storing bitcoins in an Android mobile app wallet, and how to minimize (or preferably eliminate) those risks when using one (such as Electrum)?
You can minimise some risks but not eliminate all.

Installing apps outside the official App stores is what many users do for several reasons. This carries a lot of risk which can be eliminated.

Keep the Android version updated which also means buying the new phones since they are created to only last for an average of 2 years after which the software support is stopped and you are forced to buy.

Something similar to PC, don't download email attachment from unknown senders, they often contain malware or so.

Also don't share your private keys with others. It is something that everyone should be knowing already but still we have some noobs.


Title: Re: What are the risks of mobile wallets?
Post by: Lucius on August 24, 2020, 09:15:36 AM
If someone wants maximum security when using mobile crypto wallets, in my opinion one of the safest options is that such wallets are used in combination with hardware wallets. Of course, this requires an additional cost in the form of buying an extra device - but it actually gives us a lot of security because private keys and all important operations take place outside the mobile device.

Although if the tips given by other members are applied, the mobile device can be a fairly secure way to store crypto - emphasizing that it shouldn't be large amounts, because despite all the security measures it really doesn't make sense for me to have thousands of dollars worth of BTC on mobile device.


Title: Re: What are the risks of mobile wallets?
Post by: Pmalek on August 24, 2020, 09:33:50 AM
Quote
3. Download a VPN to ensure your anonymity online.
Depends on what kind of VPN you use. Have you heard of the Five Eyes or Nine Eyes?
Those are "surveillance alliances" that collect data on their users with the help of their Internet Service Providers and VPNs.

A VPN can be both a great way to hide your identity and a huge adversary of your privacy.
Read about it here > https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/


Title: Re: What are the risks of mobile wallets?
Post by: bob123 on August 24, 2020, 09:49:36 AM
Quote
A VPN can be both a great way to hide your identity and a huge adversary of your privacy.

Assuming that you rather trust the VPN provider with your data, than your ISP.
In any other case, a VPN is not beneficial.

This especially means that you shouldn't use a VPN to increase your privacy if you aren't in a developing country (or in the USA).


Title: Re: What are the risks of mobile wallets?
Post by: TheUltraElite on August 25, 2020, 05:33:17 AM
@Pmalek

VPN does not change anything in terms of what the OP asked. Some VPNs may promise a lot of privacy but rest assured one fine day the authorities may crack down on them and take their logs. It is like pool of sharks trying to induce more paranoia to the small Frys and then taking their money. Something similar to AV software and using Linux on the same. One is enough in my opinion but there are other opinions too.

Like bob123 said, I am lucky enough to live somewhere where such surveillance is almost none. Thus I don't have to bother about VPN. However this does not change the fact that I have to be very secure about how I am storing my private keys and my coins.


Title: Re: What are the risks of mobile wallets?
Post by: NotATether on August 25, 2020, 10:51:30 PM
At the very least, you should avoid using biometric authentication since it's weak against physical attack.

No one here has mentioned setting a password or unlock pattern to unlock the phone. So even if the phone gets stolen the thief can't access anything inside because they don't know the pattern or password, and there are no brute forcers for phones to find the correct pattern/password because to get any malware on the phone in the first place, you have to trick the user to give some app more permissions, social engineering by making them click on an Approve button.

So if a phone is stolen and it's not already infected then no thief can infect it with malware without knowing the pattern/password to use the phone, short of doing a factory reset which deletes your wallet and all your apps from the phone!


Title: Re: What are the risks of mobile wallets?
Post by: Lucius on August 27, 2020, 09:45:48 AM
NotATether, unfortunately, a lock screen is not an obstacle for someone who wants to bypass this protection, and there are several methods that can be used to bypass such protection. A fingerprint is also something that can be bypassed, so you should never rely on these methods in the sense that they are absolute protection.

Some smartphone manufacturers even give advice on how to avoid fingerprint misuse, as there are cases where people have had their data stolen from their smartphones while they were sleeping or were unconscious (under the influence of alcohol or drugs). Setting a PIN is a much safer option in this case, but people mostly go for what's faster and easier - and unlocking a phone with a fingerprint is very popular today.

You can read more at the following links:

https://drfone.wondershare.com/unlock/bypass-android-lock-screen.html
https://www.forbes.com/sites/daveywinder/2019/11/02/smartphone-security-alert-as-hackers-claim-any-fingerprint-lock-broken-in-20-minutes/

I scanned the first link with VirusTotal and it does not show any threat, but I advise caution when downloading any file from that and any other site.


Title: Re: What are the risks of mobile wallets?
Post by: ethereumhunter on August 27, 2020, 12:00:12 PM
Quote
What security risks are involved when storing bitcoins in an Android mobile app wallet, and how to minimize (or preferably eliminate) those risks when using one (such as Electrum)?

The security risk if you store your asset in your android mobile app wallet is your phone can be stolen by someone who knows that you store your asset in that phone. Your phone can be lost in somewhere which you don't know.

To minimize that, you should have one mobile phone which you don't carry anywhere you go. That phone will not connect to any telecommunication provider and only connect in your WIFI or the place that has a private internet connection. If you can do that, you don't have to worry about anything.


Title: Re: What are the risks of mobile wallets?
Post by: TheUltraElite on August 28, 2020, 05:24:57 AM
Quote
The security risk if you store your asset in your android mobile app wallet is your phone can be stolen by someone who knows that you store your asset in that phone. Your phone can be lost in somewhere which you don't know.
Losing your phone does not necessarily mean that your assets are immediately lost.  You have lost access to them temporarily but it would depend on the type of asset you have there. Say you have stocks on a trading app, then without the password they can't access it. Say bitcoin is there in your mobile wallet, you can access your wallet from another device, clean it by sending to a new wallet and leave the thief hanging dry. You have to be quick to react and you might end up saving some of your assets like that.

Quote
To minimize that, you should have one mobile phone which you don't carry anywhere you go. That phone will not connect to any telecommunication provider and only connect in your WIFI or the place that has a private internet connection. If you can do that, you don't have to worry about anything.
Now I have heard of this airgapping thing but practically it is something cumbersome to do. Store coins that you might need for daily purpose on your mobile wallet and rest on the desktop wallet. That should work in most cases provided you are taking security of both devices seriously but not obsessively.


Title: Re: What are the risks of mobile wallets?
Post by: Upgrade00 on August 28, 2020, 06:52:29 AM
Quote
Store coins that you might need for daily purpose on your mobile wallet and rest on the desktop wallet. That should work in most cases provided you are taking security of both devices seriously but not obsessively.
How obsessively someone fusses over their security is likely dependent on how much they hold. The benefit of using a desktop wallet is that it doesn't get carried around easily, but if you regularly visit the internet with it, you're exposed to hack/phishing attacks. Regulating how you use such devices could give you a very high level of security, but one wrong click could do a whole lot of damage.

Quote
Some smartphone manufacturers even give advice on how to avoid fingerprint misuse,
This cannot be overemphasized. Biometric security shortcuts like fingerprint and face recognition are really not secure. Some devices actually allow a face scan when the eyes are closed and some cannot notice differences when a face is similar.
It's weird that sensitive apps like bank apps and wallets allow biometric verification as a security option.


Title: Re: What are the risks of mobile wallets?
Post by: Twinkledoe on August 28, 2020, 06:58:35 AM
Quote
What security risks are involved when storing bitcoins in an Android mobile app wallet, and how to minimize (or preferably eliminate) those risks when using one (such as Electrum)?

The security risk if you store your asset in your android mobile app wallet is your phone can be stolen by someone who knows that you store your asset in that phone. Your phone can be lost in somewhere which you don't know.

To minimize that, you should have one mobile phone which you don't carry anywhere you go. That phone will not connect to any telecommunication provider and only connect in your WIFI or the place that has a private internet connection. If you can do that, you don't have to worry about anything.

Actually, that is the most common problem with mobile phones, stolen or lost. And if you are not good in securing your passwords or key phrases, your funds will be lost forever. As for me, if I will install mobile wallet, I will only store coins for immediate use but for long storage, I prefer hardware wallet.


Title: Re: What are the risks of mobile wallets?
Post by: dre1982 on August 28, 2020, 07:02:58 AM
Just use the mobile wallets as hot wallet (so for small payments) and not for storing your coins. If something goes wrong, you don't lose all your money.

For me this works the best. Gladly I never had any problems with mobile wallets (Blockchain.com Android app, Trustwallet)


Title: Re: What are the risks of mobile wallets?
Post by: ethereumhunter on August 28, 2020, 08:24:37 AM
Quote
Losing your phone does not necessarily mean that your assets are immediately lost.  You have lost access to them temporarily but it would depend on the type of asset you have there. Say you have stocks on a trading app, then without the password they can't access it. Say bitcoin is there in your mobile wallet, you can access your wallet from another device, clean it by sending to a new wallet and leave the thief hanging dry. You have to be quick to react and you might end up saving some of your assets like that.

If we still store the password, we can load the wallet again, but it will be different if we forget about where we save it. That can be a problem for you. It is about how we can remember what the password, and where we keep that password, so if something worst happens, we can have that wallet in other devices. I am sure that we get the assets as soon as possible before the thief steals our assets.

Quote
Now I have heard of this airgapping thing but practically it is something cumbersome to do. Store coins that you might need for daily purpose on your mobile wallet and rest on the desktop wallet. That should work in most cases provided you are taking security of both devices seriously but not obsessively.

Having a back up of the wallet will be a great idea since we don't know what will happen with our wallet and mobile phones. It can help us prevent losing the assets, but we need to take care of the devices from the thief.

Quote
Actually, that is the most common problem with mobile phones, stolen or lost. And if you are not good in securing your passwords or key phrases, your funds will be lost forever. As for me, if I will install mobile wallet, I will only store coins for immediate use but for long storage, I prefer hardware wallet.

Yes, using a hardware wallet as cold storage will also be the way to store the coins for a long time, and by doing that, I am sure that we can prevent the stealing that can happen anytime. If the mobile phones have been stolen, we don't have to worry because we can open the wallet on the other devices, and we still have a big amount of assets in the hardware wallet.


Title: Re: What are the risks of mobile wallets?
Post by: Lucius on August 28, 2020, 10:29:33 AM
Quote
Some smartphone manufacturers even give advice on how to avoid fingerprint misuse,
This cannot be overemphasized. Biometric security shortcuts like fingerprint and face recognition are really not secure. Some devices actually allow a face scan when the eyes are closed and some cannot notice differences when a face is similar.
It's weird that sensitive apps like bank apps and wallets allow biometric verification as a security option.

Unfortunately many people think that no one can unlock their smartphone if they use fingerprint or face recognition, but this is far from the truth. As I already wrote, it is a very fast way to unlock the device and does not require remembering passwords and PINs, so as such it is very well accepted given today's fast-paced lifestyle.

I had the option of unlocking my laptop with face recognition 10 years ago, and even then ASUS used this technology on its computers - and honestly when it appeared en masse some 6-7 years later it was already old technology to me. There is no doubt that there has been an improvement in this technology, so in China we have the first stores that allow customers to pay only by scanning a face (Smile-to-pay (https://www.theguardian.com/world/2019/sep/04/smile-to-pay-chinese-shoppers-turn-to-facial-payment-technology)) that is already pre-connected to a banking application. In other words, you don't need a card, cash, a smartphone to buy something.


Title: Re: What are the risks of mobile wallets?
Post by: pinggoki on September 15, 2020, 04:22:27 PM
Quote
What security risks are involved when storing bitcoins in an Android mobile app wallet, and how to minimize (or preferably eliminate) those risks when using one (such as Electrum)?
Typically, the risk of using your mobile phone to store your coins is it being stolen or losing it somewhere so I wouldn't recommend using your phone with this important information. Besides, avoid downloading unknown software so if possible you should have another phone designated for your storage and one for your daily use.
Keep away your passphrase online because it is more exposed to hackers, much better if you will place it on cold storage.


Title: Re: What are the risks of mobile wallets?
Post by: jerry0 on October 06, 2020, 08:11:45 PM
Does VPN protect it though?


Title: Re: What are the risks of mobile wallets?
Post by: BitMaxz on October 06, 2020, 09:04:48 PM
Quote
Does VPN protect it though?
I think it doesn't.
It's only for privacy purposes; it won't protect your wallet app from any risk.

Like the others said from the first page, it might also lead to data compromise if you keep using VPN.


If they want a security solution it would be better to use a phone with Knox. Any latest Samsung Galaxy phone has Knox "that provides a secure environment for corporate data and apps"
My phone has a secured folder protected with Knox and you aren't able to access the secured folder if you don't have the password.

As of now, I don't have any problem using Knox (Secured folder); every time I make any action inside the secured folder it asks for a password (which I feel is safe compared to using a phone without Knox).


Title: Re: What are the risks of mobile wallets?
Post by: FOPL on October 06, 2020, 10:00:42 PM
The anticipated risks may vary depending on the wallet in consideration. Centralized wallet may have extended risks as compared to non-custodial wallet because there are other entities that can get compromised beside the user. A few I can think of include losing your phone when you haven't properly backed up your private keys, keystore etc. I personally use Atomic Wallet on mobile and have my keystore backed up on Empass password manager. This is possible because Atomic Wallet is a non-custodial wallet and as such gives users full control of their funds.

You can lose your funds in the course of sending funds but to a wrong recipient. An unauthorized party could get access to your phone and transfer your funds. There are a whole lot of other risks.


Title: Re: What are the risks of mobile wallets?
Post by: bob123 on October 07, 2020, 10:26:08 AM
Quote
Does VPN protect it though?

A VPN does not increase the security at all.
The whole purpose of a VPN is to circumvent geo restrictions and similar.

Regarding privacy.. you are shifting the trust from your ISP to the company providing you the VPN service. Please note that these companies make money with your data. Even if they claim not to.


Title: Re: What are the risks of mobile wallets?
Post by: Theb on October 11, 2020, 10:42:55 PM
I would like to point out that both Apple and Google's App store is also plagued with copycat apps of official wallet apps so you need to keep that in mind that even before having a mobile wallet in your phone there is also a big risk that you will download a fake version of it that is aimed to steal your private keys and passwords. That's why you also need to check the app's information from their developers, upload date, reviews, and rating to see if what you are downloading is the real one. You also have the option to check the wallet's official website and look for their App store link in there so you can be redirected to their download page but of course you always need to double check this.


Title: Re: What are the risks of mobile wallets?
Post by: pilosopotasyo on October 26, 2020, 03:53:37 PM
Quote
What security risks are involved when storing bitcoins in an Android mobile app wallet, and how to minimize (or preferably eliminate) those risks when using one (such as Electrum)?

Use a very strong password I have two android phones one for my everyday use, the other for all my wallets I did not go out with my phone where I have wallets installed because, be sure that you downloaded the right wallet from Google play there are so many fake wallet there, be sure to get the link coming from the wallet's official download page.


Title: Re: What are the risks of mobile wallets?
Post by: Pmalek on October 28, 2020, 10:06:47 AM
Quote
...be sure that you downloaded the right wallet from Google play there are so many fake wallet there, be sure to get the link coming from the wallet's official download page.
The problem with Google Play Store is that they don't manually verify what gets uploaded on their site. Many fake wallets escape their verification procedures easily. With a bit of fake reviews and fake positive ratings, my guess is that it doesn't take long to spread that wallet across thousands of devices. It is also wrong to rely on official links that lead to Google Play Store, precisely due to the lack of proper verification on their part. 

I can't be bothered to search for an article I read a few months ago that mentioned that an experienced app developer needs about $20 to design a new (fake) wallet. That is just some of the reasons why there are so many fake ones. 


Title: Re: What are the risks of mobile wallets?
Post by: libert19 on November 10, 2020, 04:04:49 AM
Quote
Some smartphone manufacturers even give advice on how to avoid fingerprint misuse,
This cannot be overemphasized. Biometric security shortcuts like fingerprint and face recognition are really not secure. Some devices actually allow a face scan when the eyes are closed and some cannot notice differences when a face is similar.
It's weird that sensitive apps like bank apps and wallets allow biometric verification as a security option.

Quote
Unfortunately many people think that no one can unlock their smartphone if they use fingerprint or face recognition, but this is far from the truth. As I already wrote, it is a very fast way to unlock the device and does not require remembering passwords and PINs, so as such it is very well accepted given today's fast-paced lifestyle.

Face ai and fingerprints are easiest security measures to bypass, if you ever get kidnapped or smth, it takes no effort for the criminal to break it.


Title: Re: What are the risks of mobile wallets?
Post by: mk4 on November 10, 2020, 02:10:25 PM
Quote
Face ai and fingerprints are easiest security measures to bypass, if you ever get kidnapped or smth, it takes no effort for the criminal to break it.

If you actually get kidnapped, you're screwed either way regardless what security authentication you chose as it's going to be either you unlock the phone, or you lose your head.

Learn about the $5 wrench attack, peeps!

  • https://cryptosec.info/wrench-attack/
  • https://blog.keys.casa/how-to-protect-your-bitcoin-from-5-wrench-attacks/