Topic: Questions on cold storage in an Android phone.
chessnut (OP)
February 27, 2014, 03:37:44 AM
 #1

Hi folks,

I would like to use Andreas Schildbach's wallet app to cold store some bitcoins in a dedicated Android phone.

I have a few questions that I need to answer first though,

1.) Is the private key created in the phone or online?

2.) Any chance that my private key is being shared into the internet when I install the app? I plan to remove all the apps that I can before I do this.

3.) Has there been any suspicious trouble keeping bitcoins on Android phones at all? I know that Google spyware can be really bad sometimes...

..... the storage would theoretically be cold if I was to keep the phone turned off... if I can be sure the private key has not been shared. Is there an option to create the private key offline?

Thanks for your thoughts!

Andreas Schildbach
February 27, 2014, 08:39:09 AM
 #2

The private key is created and stored on the phone only and never transmitted via any network, except in the case of an encrypted (!) wallet backup.

Android has app-private storage, so it offers a lot more protection against malicious apps/viruses than any Desktop OS does.

Generally if you don't trust what the app or your device does, consider auditing the source code. I took great care to not only open source the app, but also depend only on libraries and APIs that are open source themselves. Code audits are much appreciated!

I think a dedicated device running plain Android AOSP without any other apps can make a great and secure wallet. You can even partly run it offline, because it's possible to sign transactions and transmit them to another node just via QR code.

chessnut (OP)
February 27, 2014, 09:11:55 AM
 #3

> The private key is created and stored on the phone only and never transmitted via any network, except in the case of an encrypted (!) wallet backup.
>
> Android has app-private storage, so it offers a lot more protection against malicious apps/viruses than any Desktop OS does.
>
> Generally if you don't trust what the app or your device does, consider auditing the source code. I took great care to not only open source the app, but also depend only on libraries and APIs that are open source themselves. Code audits are much appreciated!
>
> I think a dedicated device running plain Android AOSP without any other apps can make a great and secure wallet. You can even partly run it offline, because it's possible to sign transactions and transmit them to another node just via QR code.


Thanks Andreas, you are very helpful.

scooby
February 27, 2014, 10:47:18 PM
 #4

Today I read about the Pony malware targeting Android.

1) Is there a way to encrypt the wallet when not in use?

or

2) Is it possible to back up the key (encrypted) then have the wallet forget the keys until needed?


Thank you

Andreas Schildbach
February 28, 2014, 12:12:53 AM
 #5

Afaik Pony is targeting PCs, not Android.

Your wallet currently cannot be encrypted. It is a planned feature. However, you should know that if malware manages to access your wallet it will also be able to sniff your password. Unlike on PCs, programs need root access to get to your files.

You can back up your wallet then uninstall the app. This will "forget" the keys.