Electrum... Android 7....safe?

[9thsky]

If hardware wallet is not an option, is using Electrum on Android 7 (an android version that's no longer getting security update patches) safe to use? If not, how big of a risk is it relative to Windows or the latest Android? Any way to make it safer?

[1714793138]

1714793138

[1714793138]

1714793138

[1714793138]

1714793138

[jackg]

It shop ld be safe enough for an online wallet. You're going to run a risk even if it does get rapid security patches.

Critical vulnerabilities are (probably/hopefully) still patched as well. I think most antivirus companies have free apps too but I'm not sure how good they are.

[9thsky]

Latest update was 2017.
Also phone is rooted.

[Bitcoin_Arena]

Latest update was 2017.
Also phone is rooted.

If the phone is rooted then you just increased the risk of your mobile device getting compromised. But a side from that, With small amounts of crypto and good practices such as

- Not keeping your recovery phrases and passwords online, in the notepads or in that very same device
- Avoiding downloading and installing suspicious and unofficial apps that don't have the Google play protect logo  and those from third party stores
- Avoiding downloading and installing APK mods
then you should be fine.

But if you are planning to keep lots of crypto assets in your wallet, please just buy a hardware wallet. Some just cost a little less than $60. The security of your assets is really worth it  

[HCP]

It's impossible to give you any sort of definitive answer given the shear number of variables.

But not having had 3 years worth of security updates and rooting the phone obviously opens up a lot of possible attack points. What are you personal phone usage habits like? Do you connect to a lot of public, unsecured WiFi? Do you download/use cracked apps? Do you download/use a lot of "random" apps from "unknown" devs from the playstore or other locations?

Personally, I wouldn't keep any more funds in that wallet, than you would feel comfortable carrying as fiat cash in your pocket and would not be overly distraught about it if it fell out of your pocket and you lost it.

[nc50lc]

If hardware wallet is not an option, is using Electrum on Android 7 (an android version that's no longer getting security update patches) safe to use? If not, how big of a risk is it relative to Windows or the latest Android? -snip-
Any way to make it safer?

You can use it as the offline Electrum for a "cold-storage" set-up: https://electrum.readthedocs.io/en/latest/coldstorage.html
That's if you can let go of that phone's online and wireless features.

The steps are the same but the buttons are different on the Android version.
Example, the wallet info where the xpub is, is accessible when you click the wallet name above (for android version).
You can use OTG to copy what's need to be copied if you're gonna use a PC for the online watch-only wallet (based from the steps in the electrum cold-storage link).

[Lucius]

~snip~

You need to ask yourself, would you use a desktop OS that has not received a single critical/security patch in 3 years? Any vulnerability that any OS has can be exploited at any time, and hackers are especially interested in crypto hacking because it brings them significant profits. Personally, I wouldn’t trust a crypto wallet on Android 7, but if you want me to tell you honestly I don’t trust it either on Android 10 which I personally have on my smartphone.

In essence, mobile wallets are not intended to store crypto for a long time, but at a certain moment when you need crypto on mobile, you transfer a smaller amount (a smaller amount is of course a relative term) that you will spend soon.

If you want security, pay attention to the discounts that will most likely happen on next Black Friday - I believe you will be able to buy a hardware wallet for $30+, and it’s certainly a much cheaper option than buying a new smartphone.

[bL4nkcode]

Latest update was 2017.
Also phone is rooted.

I would not risk my financial holdings on an outdated device, especially for a rooted phone which make your device prone of malware, hacking, and etc.

I would always use a device with the latest security patch to avoid of having problems in the future.

[khaled0111]

You can use it as the offline Electrum for a "cold-storage" set-up: https://electrum.readthedocs.io/en/latest/coldstorage.html
That's if you can let go of that phone's online and wireless features.

This might help against malwares trying to connect to malicious parties and leak his sensitive data. But, what if his device was already infected with a virus like the ransomware virus which may encrypt his wallet file!

If OP decides to use this phone and use it offline, he must, at least, make a backup of the wallet file / seed and save it  somewhere else.

[BitMaxz]

~snip~
Also phone is rooted.

If your phone is rooted it's no longer safe just like what others said but why not reflash it again with stock ROM you can able to remove the root and clean your phone by flashing it again with stock ROM.

And then make sure to download apps like Eset Mobile or Kaspersky mobile for an extra layer of security. But it's still not guaranteed safe I don't also recommend you to switch to a new phone if you are going to buy a fake phones or chinese phone(Which has weak security). I do recommend only use original phones like samsung that has a knox secured folder and I think they keep your phone up to date.

This might help against malwares trying to connect to malicious parties and leak his sensitive data. But, what if his device was already infected with a virus like the ransomware virus which may encrypt his wallet file!

If OP decides to use this phone and use it offline, he must, at least, make a backup of the wallet file / seed and save it  somewhere else.

Ransomware on Android is rare and it's new but they only do is to hide files and lockup your device so if the phone is locked with Ransomware he should need sometools like virus and malware scanner and removal only available for Phone Tech who has dongle and boxes for repair tools.

So having a backup seed somewhere else is a must like writing them manually in your notes or piece of paper.

[pooya87]

for usage it is safe. for storage it is not.

think of your android as the physical wallet that you can carry in your backpocket or like a purse. you don't store all your money in that so you shouldn't store all your bitcoins in your android wallet either.
for storage you should always create a cold storage (paper wallet, a desktop wallet on an airgap computer,...) and store your bitcoins there while only keeping small pocket change in your mobile wallet.

[9thsky]

for usage it is safe. for storage it is not.

think of your android as the physical wallet that you can carry in your backpocket or like a purse. you don't store all your money in that so you shouldn't store all your bitcoins in your android wallet either.
for storage you should always create a cold storage (paper wallet, a desktop wallet on an airgap computer,...) and store your bitcoins there while only keeping small pocket change in your mobile wallet.

I thought a desktop (Windows) wallet is less secure than a mobile one. I'm getting conflicting info on this.

[pooya87]

for usage it is safe. for storage it is not.

think of your android as the physical wallet that you can carry in your backpocket or like a purse. you don't store all your money in that so you shouldn't store all your bitcoins in your android wallet either.
for storage you should always create a cold storage (paper wallet, a desktop wallet on an airgap computer,...) and store your bitcoins there while only keeping small pocket change in your mobile wallet.

I thought a desktop (Windows) wallet is less secure than a mobile one. I'm getting conflicting info on this.

desktop is referred to PCs rather than indicating the operating system. you can run a Linux OS for a much better security than Windows while Windows itself isn't insecure. i also said a desktop wallet on an airgap computer which is the ultimate security if done right.

additionally you can always cut the connection between your PC and the rest of the world (no internet, no lan, no other form of connection) a mobile device on the other hand is not going to be disconnected ever, instead it will always have some sort of connection.

[bob123]

Actually, this is not enough information to give you a definite answer.

The most important question would be, how you use your mobile. Does it have a network connection? Or is it just sitting in your drawer with air-plane mode turned on?

I wouldn't call it safe, if you are still using your mobile "like a regular one". If it sits in your drawer without an internet connection tho, that's fine.

I thought a desktop (Windows) wallet is less secure than a mobile one. I'm getting conflicting info on this.

It really depends on the operating system and the way you use your device.

For a regular user and updated systems, i'd say android is definitely better than windows.
But you still need to consider that a mobile is easier lost than a notebook or even a tower pc.

[NotATether]

~snip~

You need to ask yourself, would you use a desktop OS that has not received a single critical/security patch in 3 years? Any vulnerability that any OS has can be exploited at any time, and hackers are especially interested in crypto hacking because it brings them significant profits. Personally, I wouldn’t trust a crypto wallet on Android 7, but if you want me to tell you honestly I don’t trust it either on Android 10 which I personally have on my smartphone.

Who needs exploits when all Android (and iOS) devices let anyone unlock the phone by default? That is way more easier to exploit by the average layman than using a sophisticated CVE and proof-of-concept.

Crypto wallets on mobile devices that aren’t password-protected are unsafe to use because anyone who takes the phone can trivially open the app and steal the funds.

Even better, use a phone with a fingerprint reader so that it’s impossible for someone else to unlock it without forensic tools like fingerprint dusters.

[Lucius]

NotATether, I think that most people still use some kind of lock on their smartphones, whether it's a classic password lock, fingerprint or unlock via face recognition. Of course, it is possible to circumvent each of these locking methods in ways that are publicly available to anyone on the Internet, and to abuse them in case the person is unconscious or under the influence of alcohol/drugs.

I can’t say for other mobile wallets, but Electrum has extra protection in the form of a PIN, and I think versions above 4.0.0 allow you to set a password. In case someone still for some reason stores a larger amount of crypto on their smartphone, additional protection is of course the encryption of all data that every modern smartphone provides in its options.

[bob123]

Who needs exploits when all Android (and iOS) devices let anyone unlock the phone by default? That is way more easier to exploit by the average layman than using a sophisticated CVE and proof-of-concept.

Crypto wallets on mobile devices that aren’t password-protected are unsafe to use because anyone who takes the phone can trivially open the app and steal the funds.

Same applies to every computer/notebook/etc..
All are not password-protected by default. Or password protected with a standard password.

That's the only possible way to sell a product. Either without a password lock or with a standard password.

Every computer is unsafe because everyone with access to it can trivially open the software and steal the funds.

Obviously, you should assume that a person at least uses a pin code if not a password to lock the phone.

Even better, use a phone with a fingerprint reader so that it’s impossible for someone else to unlock it without forensic tools like fingerprint dusters.

Actual good fingerprint reader cost multiple thousands of dollars.
Those 5-50$ reader built into a smartphone are worthless and are quite easy to circumvent. Together with face recognition, these are the weakest way to secure your phone.

A passphrase/pin code is superior.

[HCP]

Even better, use a phone with a fingerprint reader so that it’s impossible for someone else to unlock it without forensic tools like fingerprint dusters.

Actual good fingerprint reader cost multiple thousands of dollars.
Those 5-50$ reader built into a smartphone are worthless and are quite easy to circumvent. Together with face recognition, these are the weakest way to secure your phone.

A passphrase/pin code is superior.

I was reading an interesting thread the other day (can't find the source today but it was possibly on Reddit), that apparently there are fingerprint "blueprints" in circulation that enable one to print a "generic fingerprint" that have a decent chance of fooling most fingerprint readers.

I'm having trouble finding a good source for that tho... closest I can find is this: https://nakedsecurity.sophos.com/2018/11/16/ai-generated-skeleton-keys-fool-fingerprint-scanners/

The ars technica article from earlier this year demonstrates that while it isn't exactly "cheap" or "easy", it is indeed possible to defeat fingerprint scanners with a reasonable amount of success.

[AdolfinWolf]

Even better, use a phone with a fingerprint reader so that it’s impossible for someone else to unlock it without forensic tools like fingerprint dusters.

Can't governments open your phone using your fingerprints against your own will?

I believe this has happend already (and is legal?) https://www.theatlantic.com/technology/archive/2016/05/iphone-fingerprint-search-warrant/480861/ , although it seems another court has recently overturned this, https://www.pcmag.com/news/court-cops-cant-force-you-to-unlock-a-phone-with-biometrics, so i'm not exactly sure what the current legal status is.

Anyhow, legalities aside, I think that forcing a fingerprint from someone is an order of magnitude easier than a password, depending on how far you're willing to go. If you're somewhat high-profile, -- I suspect that LE in most jurisdictions also won't have much issue with forcing a fingerprint for you; thus I'd think twice of just using a fingerprint as your password.


BTW; is this topic seriously about OP asking whether or not he should store funds on a rooted android device?