Dear MEW, Security

Dear MEW: Are Mobile Crypto Wallets Safe?

All DearMEW articles are based on real user questions, edited for privacy, clarity, and flow.

Dear MEW,

I am thinking about using the MEW wallet app, but I am concerned about the security of a mobile wallet. What if someone keylogs my phone, gets my password and copies the encrypted key file? Could they decrypt my private key?

And if I use MEW wallet to access MEW web to make transactions, could hackers use malware to clone my phone, keylog my password, and use the MEW wallet app on the cloned phone to access my wallet?

How secure are mobile wallet apps, really?

Imagining Super Hackers in Black Hoodies Targeting My Funds


Dear ISHBHTMF,

First of all, let us say that your comprehensive exploration of possible mobile wallet vulnerabilities is quite impressive. Staying skeptical and detail oriented is a great advantage in the crypto space. Besides, understanding the way technologies and security features actually work goes a long way towards ensuring the safety of your funds.

Overall, it seems that your concern about MEW wallet begins with your concern about mobile apps generally. As it turns out, the security measures implemented by mobile applications are much more solid than many people believe.

When smartphones were a new product, the security frameworks of mobile operating systems and apps were underdeveloped compared to those of the personal computer. Today, mobile apps have advanced substantially in terms of security, and they may actually be safer to use because there are less attack scenarios in mobile compared to the PC.

What does it mean for mobile devices to have less attack scenarios? Some factors are: fewer doorways to malware, sandboxed apps that have limited rights outside their specific functions, and multiple levels of password protection and encryption. Mobile crypto apps like MEW wallet take advantage of mobile software architecture to provide maximum protection for your keys, keeping them in a secure location on your phone, separated from interaction with the internet.

Let’s take a closer look at how MEW wallet secures your information and how you can defend yourself from the specific attack scenarios you describe.

How your wallet information is secured

When you create a new wallet on MEW wallet app, your crypto keys are generated on device and go through several layers of encryption:

  1. Wallet keys are encrypted with master key.
  2. Master key is encrypted with access key which depends on your method of phone authorization (biometric, PIN).
  3. The access key is further encrypted with a key that is generated in the Secure Enclave (for iOS) or the Android KeyStore (for Android phones). This key is not known to the MEW wallet app or to any other app on the mobile device, because the enclave or keystore chip is architecturally separated from the rest of the system.
  4. After these encryption steps, the keys are stored in a local Keychain (for iOS) or in Shared Preferences (for Android phones). These are protected key storage layers separated from the rest of the system on the software level.

With these security measures in place, private keys are kept separate from transactions and never exposed, even in the context of a mobile device that is continuously connected to the Internet.

As a special case, some new phones are created with blockchain capabilities already built into the hardware. Two examples are the Finney smartphone, supported by MEW web, and Samsung’s blockchain devices which feature MEW wallet as a dapp. These types of phones have a special enclave chip that is designed to generate crypto keys, similarly to an actual hardware wallet.

Speaking of hardware wallets, MEW wallet can also be used with MEW web via the MEWconnect protocol, adding a second factor of security. With this setup, you will need to confirm the transaction on the mobile device before confirming in the browser, just as you would with a hardware wallet, giving you an additional opportunity to verify that all the information is correct and you are not sending funds to a phishing address.

But, what about keylogging, cloning, and losing my phone?

Seeing as there are multiple layers of protection involved when it comes to mobile wallets, and some of these security features are unique to mobile devices, a hacker would need a lot of resources, and/or access to the actual phone, to compromise your wallet.

If you are worried about remote hacking, you are assuming an attacker can bypass mobile operating system security, install malware on your phone, and brute-force multiple levels of encryption to get at the key. This is an extremely difficult task requiring a great deal of computing power.

Otherwise, the hacker would have to get the phone in hand, and break through the password/biometric protection of the phone, as well as the password/biometric protection of the app, before being able to use your wallet to transfer funds. Again, this is not a simple undertaking, and requires that your phone be in the hacker’s possession without your awareness.

In fact, most phishing happens when users unintentionally give their secure information away – through clicking on phishing links, installing fake apps, or failing to take proper precautions. Modern mobile devices and apps have built-in defenses against malicious attacks, but how do you play your part to keep your funds secure?

Best security practices

Unless you are suspecting that someone in your circle of relatives, friends, and colleagues might choose to compromise your phone’s security (which is a different issue altogether and one that we can’t really help with), you can take measures to defend yourself against random attacks.

Keylogging or cloning are only possible if malware is introduced into your phone. To prevent this, don’t download apps when you are not sure of their source, don’t click on suspicious links, and don’t ‘jailbreak’ or ‘root’ your mobile OS.

If you are using a password or pin, make sure you are making them as strong as possible (for reference, take a look at this guide by MEW’s hardware wallet partner Trezor for making a strong passphrase). If biometric access is available on your phone, consider turning it on.

What about SIM swapping? For services that implement 2FA (two-factor authentication), explore the possibility of using authenticator apps instead of a text message. Avoid tying a lot of services to a single email address, and find a useful guide about responding quickly to a SIM hijacking situation.

Most mobile applications that are related to finance, banking, or crypto use an additional password and/or biometric check for app access. They also require more than just password entry when re-installed on a different mobile device, in case you lose your phone. With banking apps, it might be a two-factor check (see above about using an authenticator app for this), and with MEW wallet, you would need to restore wallet access with the mnemonic recovery phrase.

This means that even if an attacker knew your app password through keylogging, it wouldn’t be enough to access your wallet once they installed the app on their phone. Even if they got access to your full phone backup in the cloud, the app would require the recovery phrase after installation – and that recovery phrase, if used correctly, should never be entered manually online or stored with cloud-based services like email, Dropbox, and GoogleDrive.

Which brings us to the most important part of mobile wallet security (or any crypto wallet security, for that matter) – key management. Make sure that you back up your wallet, write down your recovery phrase on paper, and keep it in a secure location. If you give your phrase to anyone, intentionally or not, they will have full, direct access to your wallet – no hacking necessary. If you lose access to the app and lose your phrase, no one can reset or restore it for you. Your funds will be inaccessible, forever.

Going mobile

Globally, internet use has long been shifting towards mobile devices, and that trend will only gain momentum, especially since new users of internet services tend to come from regions where ownership of a smartphone is much more accessible than ownership of a computer. Given this tendency, developers must – and do – integrate the best and most innovative security features when building mobile apps.

Having said this, if you intend to store large amounts of crypto for long periods of time, cold storage methods like hardware wallets are probably the best choice. But for regular payments, daily transactions, quick swaps and fun Dapps, a mobile wallet is both a convenient and secure solution – so enjoy it!

(And take good care of your recovery phrase.)

Keeping you safe from hackers, whether they are wearing black hoodies or not,

MEW




Author image

About MEW

MyEtherWallet (our friends call us MEW) is a free, client-side, open-source, easy-to-use interface helping you interact with the Ethereum blockchain.