Cupcake: smartphone‑based signing device.

[satscraper]

I have recently come across an interesting solution called Cupcake , which allows you to turn the old Android or iOS smartphone or tablet into the air‑gapped hardware signing device ^{aka cold wallet}.

Unlike  Cryobrick , which we discussed earlier, Cupcake is completely free, open‑source, air‑gapped, and not tied to any specific mobile device.

 I think this solution is worth considering for anyone who cannot afford to buy a dedicated hardware wallet.

The accompanied software client for Cupcake-based signing device is well known Cake Wallet.

The technical deep‑dive can be found here.

The latest firmware release is v.1.1.0.

[SFR10]

which allows you to turn the old Android or iOS smartphone or tablet into the air‑gapped hardware signing device ^{aka cold wallet}.

For those who'd like to try this approach, it's better to use a phone with hardware-level secure enclaves ^{[e.g., older entry-level Android phones tend to lack them]}.
^{- Even though they mentioned in the latter part of the "Security at rest" section that for phones without such things, they'll "enforce a multi-layered secure storage approach, capable of preventing most types of attacks", there's always going to be some risks!}

[dkbit98]

Problem with Cupcake wallet is on a hardware level.
Everything you ever done is recorded and stored on iPhones (and most Android device), and data can can never be truly erased, even if devices are formatted.
Than we also have the issue of leaking different radio connections, even if they are disabled in software.
We can't say that something is really air-gapped if I can change that with a simple click of a button.
I tried testing Cupcake on some old phone and it was not supported, probably because it needs newer version of Android OS.
That being said, Pixel phones are probably the best option to be used for installing Cupcake wallet.

For those who'd like to try this approach, it's better to use a phone with hardware-level secure enclaves ^{[e.g., older entry-level Android phones tend to lack them]}.
^{- Even though they mentioned in the latter part of the "Security at rest" section that for phones without such things, they'll "enforce a multi-layered secure storage approach, capable of preventing most types of attacks", there's always going to be some risks!}

Even doing that is not good enough if operating system on those devices is not open source, and full of bloatware and hidden spyware.
But it's surely safer than using regular hot wallet.