how secure is my non-rooted android phone?

[niko]

How likely are my coins to get stolen from the bitcoin spinner running on a non-rooted android phone? I am perfectly content with the security of my paper wallets, but am getting tired of printing, cutting, laminating with Al foil inserts, and redeeming private keys whenever I need to spend a portion of my savings. Bitcoin spinner is convenient, but how secure is it? Can you provide examples of any past exploits (wallet stealers) on Android devices?

[Mike Hearn]

What model of phone do you have?

The Nexus phones are pretty secure and you probably don't need to worry about it. Samsung Galaxy phones have had a series of extremely bad security holes that it took them months to patch. So it can vary quite wildly.

[RodeoX]

There are other things that could mitigate or reduce risk.

• You could only keep only a small amount accessible on your phone. Perhaps less than the value of the phone itself?
  
• You could pay for VPN service. Last week I was in Oman and could connect to public wifi with confidence, knowing I had an encrypted and anonymized connection.
  
• You could also ask your provider if they can further secure your phone. It may come at the cost of shutting off services, but maybe the phone can be hardened as a target.
  

[niko]

What model of phone do you have?

The Nexus phones are pretty secure and you probably don't need to worry about it. Samsung Galaxy phones have had a series of extremely bad security holes that it took them months to patch. So it can vary quite wildly.

It's a samsung galaxy note, still on the Canadian Telus' ICS.

RodeoX: good suggestions, I'll check with the provider about hardening the device.

[Mike Hearn]

You should check the firmware release to see if it still has /dev/exynos-mem type holes. Otherwise we can't say for sure. I'd not trust any Samsung OS by this point, they have released serious mistakes too often and clearly have some systematic issue with making secure software. You could maybe reflash it to some other firmware, but that'd break your warrantee.

[Teka]

I have a nexus 7 (tablet) it's my wallet storage device and I've decided to encrypt it using the stock android encryption option. Does anyone now how secure the stock android encryption is?

[MysteryMiner]

I would not consider mobile phone to be secure device at all. I don't know is there a government backdoor in it or not. Encrypting something that have totally closed and proprietary hardware in it makes no sense. Increases risk of data loss if password is forgotten or encryption or hardware malfunctions.

For small amounts it might be OK but don't expect security or privacy. PC FTW!

[pekv2]

I think if you're on a linux system "which most droids,androids come with" and with android firewall with VPN, you're good to go. You can allow what comes in and what goes out with Android Firewall.

https://play.google.com/store/apps/details?id=com.jtschohl.androidfirewall#?t=W251bGwsMSwxLDIxMiwiY29tLmp0c2Nob2hsLmFuZHJvaWRmaXJld2FsbCJd

Always use a firewall. Wifi or Roaming.

[MysteryMiner]

And what about how proprietary hardware does upon receiving something from air? I messed with phone repairs some time ago and I it never ended to surprise me how many things are wrongly done or are completely undocumented by manufacturer.

[tiberiandusk]

Newer versions of android let you encrypt the entire phone. I just flashed my old Mesmerize to 4.2.2 and it has an encryption option. Other than that just make sure you use something like Lookout and don't install apps from strange sites or with crazy permission requests.

[Anon136]

I would not consider mobile phone to be secure device at all. I don't know is there a government backdoor in it or not. Encrypting something that have totally closed and proprietary hardware in it makes no sense. Increases risk of data loss if password is forgotten or encryption or hardware malfunctions.

For small amounts it might be OK but don't expect security or privacy. PC FTW!

the government isnt going to steal a couple of bitcoins from anyones phones.

[niko]

I would not consider mobile phone to be secure device at all. I don't know is there a government backdoor in it or not. Encrypting something that have totally closed and proprietary hardware in it makes no sense. Increases risk of data loss if password is forgotten or encryption or hardware malfunctions.

For small amounts it might be OK but don't expect security or privacy. PC FTW!

I feel that the attack surface on a non-rooted android phone I use is much smaller than the attack surface on the PC I use.

Again, can someone point to documented cases of past wallet stealers on Android?  I've never seen one, and I've seen many on PCs.

[RodeoX]

When they come out I'm getting one of these!

http://www.ubuntu.com/devices/phone

I think it could be secured very well, but I'm not positive about that. Hopefully these will be fully unlocked and configurable.