Web3 Mobile Wallet Apps: A Secret Key Protection Perspective

The security of private keys and mnemonic phrases is of paramount importance in the world of cryptocurrency, as they grant access to one's digital assets and their loss or theft can lead to financial ruin. With the rise of mobile wallet apps in the Web3 space, it's crucial to understand the various security mechanisms that are in place to protect these keys.

This blog summarizes the different levels of security protection offered by web3 mobile wallet apps, and examines how they are implemented in practice by looking at nine popular open-source mobile wallets. We explore the range of security measures, from simple passcode protection to hardware-supported trusted execution environments.

Through our research, we found that some of these security protection mechanisms effectively address common attack patterns aimed at stealing private keys. However, we also found that system-level threats, such as root-based exploitation, are largely ignored. This highlights the importance of users being cautious about trusting the levels of protection offered by wallet apps on mobile devices.

The Heart of Wallet Security: Private Key Protection

The most important asset that a mobile wallet app holds is the private key or mnemonic phrase. Consequently, the most severe threat that a mobile wallet app faces is the leakage of that private key or mnemonic phrase, as it means the loss of all of the user's assets. To properly mitigate such threats, a well-designed mobile wallet app should have a systematic way to protect private keys both at rest and in use.

The table above summarizes the common practices that cryptocurrency wallets on Android mobile devices use to protect private keys and mnemonic phrases. Each level of security practice is listed in order of increasing security and includes the corresponding threats that it cannot fully address. By studying nine popular open-source cryptocurrency wallets, we were able to categorize them into their associated security levels and gain a better understanding of how these practices are used in real-world applications. The figure below shows the names of these mobile wallet apps and the number of times they have been downloaded from the Google Play Store.

Wallet Security: From S0 to S4

In this section, we will provide a brief overview of each security practice and how they are implemented on different applications. This will include a discussion of the strengths and weaknesses of each practice, as well as an examination of how attackers can still bypass these mitigations with different attack vectors.

S0 (No Storage Protection)

The S0 level of security practice stores all of the user's private information, including the private key and mnemonic phrase, locally within the application's storage space. This prevents non-privileged users or applications from accessing the storage file directly. However, S0 level protection does not encrypt the storage file at all, meaning the user's secret exists in the storage file as plain text. Any privileged user or application can access this storage file and extract the user's private key to fully control the user's wallet.

Figure: Bitcoin Wallet Recovery from Serialized Protobuf File

It is worth noting that gaining privileged access on Android devices is not an impossible task. Apart from users who actively root their devices and are then abused by malicious applications, cyber criminals leveraging vulnerabilities to gain privileges are also an emerging threat on Android devices. For example, in 2021, security researchers at the Lookout Threat Lab found the Android malware "AbstractEmu", which takes advantage of multiple vulnerabilities to obtain root access and interact with finance applications. There are also multiple presentations from 360 Alpha Lab showing how to achieve a one-click remote attack that gains root access on recent Android devices.

Figure: Simple Bitcoin Wallet Recovery from Sqlite Database

To demonstrate the potential vulnerability of using S0 level protection, we conducted a test by installing popular wallets like Bitcoin Wallet and Simple Bitcoin Wallet on a rooted Android device. With root access, we were able to easily read the key storage files of these wallets and extract the user's mnemonic phrase, as shown in the above screenshots.

S1 (Passcode Encryption)

The S1 level of security practice uses a user-defined passcode to encrypt the storage file containing private keys and mnemonic phrases. This prevents non-privileged users or applications from accessing the storage file directly. However, the storage file must be decrypted when the application starts, and a privileged user or application can inject into the wallet and capture the encryption password. This can allow them to dump the key storage file and decrypt it locally.

To demonstrate the potential vulnerability of using S1 level protection, we conducted a test by installing the popular open-source wallet Samourai on a rooted Android device. Using Frida, a popular instrumentation tool, we were able to reveal the encryption password and further access the user's private keys and mnemonic phrases. It's worth noting that although the Samourai wallet attempts to detect if the device is rooted, it was not effective in our experiments.

Figure: Samourai Application Injection Attack Demonstration

S2 (Keystore (TrustZone))

To prevent the key storage file encryption key from being compromised by malicious actors, some wallet apps, such as Metamask, use the Android Keystore System to generate and use the encryption key. The Keystore system is backed by a trusted application that runs in the Trusted Execution Environment (TEE) on the Android system. This environment is isolated from the main operating system and is protected by hardware-based security features. By using the Keystore System, the encryption/decryption of the storage file happens in the TEE, making it less likely for the encryption key to be leaked. However, the Keystore System does not provide blockchain-associated APIs, such as transaction signing or verification. As a result, the wallets still need to hold the user's decrypted private keys in memory, making them vulnerable to privileged attackers who can dump the application memory and extract the private keys.

S3 (Keystore (TrustZone) + Root Detection)

To improve the security of S2 level protection, some wallet apps add an additional layer of security by checking if the mobile device has been rooted. This helps ensure the integrity of the device, as a rooted device may have been compromised by a malicious attacker. For example, the Airgap Vault wallet uses the Keystore System to protect the user's encryption key, but also checks if the device has been rooted while it runs. If the device is found to be rooted, the Airgap Vault wallet refuses to run, maximizing the protection level. This added layer of security provides an extra level of protection against malicious attackers who may have gained root access to the device.

Figure: Airgap Vault Root Detection
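An added example of the kind of runtime check S3 relies on (this is not Airgap Vault's implementation): it collects two widely used root indicators and fails closed when either fires. The class name, the directory list and the gating method are assumptions made for illustration.

```java
import android.os.Build;
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public final class RootHeuristics { // hypothetical name; added example
    // Directories where an su binary is commonly installed (illustrative list).
    private static final String[] SU_DIRS = {
        "/system/bin", "/system/xbin", "/sbin", "/su/bin", "/system/sbin", "/vendor/bin"
    };

    // Returns the indicators that fired. An empty list means nothing was found,
    // not that the device is clean: hooking frameworks can hide every one of these.
    static List<String> findings() {
        List<String> hits = new ArrayList<>();
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) {
            hits.add("build signed with test-keys");
        }
        // Check the well-known directories plus everything on the process PATH.
        Set<String> dirs = new LinkedHashSet<>(Arrays.asList(SU_DIRS));
        String path = System.getenv("PATH");
        if (path != null) dirs.addAll(Arrays.asList(path.split(":")));
        for (String d : dirs) {
            if (new File(d, "su").exists()) hits.add("su binary in " + d);
        }
        return hits;
    }

    // Fail closed: refuse to decrypt or sign when any indicator fires.
    static boolean mayHandleKeys() {
        return findings().isEmpty();
    }
}
```

Running the check once at startup leaves a gap if the environment changes later, so call `mayHandleKeys()` again immediately before each decrypt or sign operation.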

S4 (Dedicated TEE TA)

The highest level of security practice among mobile wallet apps is the use of a dedicated Trusted Execution Environment (TEE) to store and handle private key information. This is implemented by installing a specialized TEE-based Trusted Application (TA) on the device. For example, this protection method is currently used by the Samsung Blockchain App on certain high-end Samsung smartphones. This approach provides an extra layer of protection, as the private key information is stored in and handled by the TEE, which is isolated from the main operating system and can only be accessed by vendor-approved code. Even a privileged user or application cannot directly access this information. However, the limitation of this approach is that it requires smartphone manufacturers to provide specific interfaces for wallet developers to utilize the TEE.

Some Additional Thoughts on Mobile Wallet App Security

In the S3 level protection, we mentioned that root detection can be used in conjunction with the Keystore System to protect the user's private information. We believe root detection is an important part of ensuring the device retains its basic integrity, and it should be implemented alongside any security practice to ensure a higher level of protection. However, root detection techniques vary and may not always be effective. For example, while the Airgap Vault root detection worked well on our test device, the Samourai wallet failed to detect the rooted environment.

Furthermore, this study covers only software wallet apps on mobile devices without any additional hardware implementation. Both hardware-based web3 wallets and cold wallet security offer attractive security features, and both are worth a separate article.

In practice, we believe mobile wallet apps will continue to increase their user base due to their ease of use. Wallet developers should leverage the TrustZone design, which already exists on most Android mobile devices, to provide the maximum level of security to wallet users.

Summary

In this blog, we analyzed the threats that Web3 wallet apps face on mobile devices. In particular, we focused on how private keys are stored and the associated potential threats. We analyzed nine different popular wallet apps and revealed the level of security each adopts. We found that most major wallets use hardware-backed key protection techniques, such as the Keystore System on Android, to resolve the key storage issue.

However, we noticed that most wallets do not check whether devices are rooted, which may result in security issues while performing private key operations in memory. Apart from the five levels of security practices we summarized in this blog, we believe wallet developers should also pay attention to how to fully utilize the TrustZone design on Android systems to better mitigate the common risks. We will continue to cover this topic in future blogs and assist developers in better protecting users' assets.

Read more: https://www.certik.com/resources/blog/4YByvvbbq8vCj1dxdulTXr-web3-mobile-wallet-apps-a-secret-key-protection-perspective
