Dear MEW, Security

Dear MEW: Are Mobile Crypto Wallets Safe?

All DearMEW articles are based on real user questions, edited for privacy, clarity, and flow.

Dear MEW,

I am thinking about using the MEWconnect app, but I am concerned about the security of a mobile wallet. What if someone keylogs my phone, gets my password and copies the encrypted key file? Could they decrypt my private key?

And if MEWconnect has to access the website to make transactions, could hackers use malware to clone my phone, keylog my password, and use the MEWconnect app on the cloned phone to access my wallet?

Imagining Super Hackers in Black Hoodies Targeting My Crypto


Dear ISHBHTMC,

First of all, let us say that your comprehensive exploration of possible mobile wallet vulnerabilities is quite impressive. Staying skeptical and detail oriented is a great advantage in the crypto space. Besides, understanding the way technologies and security features actually work goes a long way towards ensuring the safety of your funds.

Overall, it seems that your concern about MEWconnect begins with your concern about mobile apps generally. As it turns out, the security measures implemented by mobile applications are much more solid than many people believe.

When smartphones were a new product, the security frameworks of mobile operating systems and apps were underdeveloped compared to those of the personal computer. Today, mobile apps have not only advanced substantially in terms of security, but they may actually be safer to use because there are less attack scenarios in mobile compared to the PC. (Read in more detail about the security of mobile apps in general, and crypto wallets in particular, in this article).


Now, to address the specific scenarios that you describe: someone keylogging your phone, getting the password and decrypting the private key, or using a ‘cloned’ MEWconnect to access your wallet via the website.

To be honest, you are assuming that a lot of resources are available to the hacker! While it’s good to be cautious, consider the layers of security an attacker would need to get through before being able to access your funds directly:

  1. The PIN, password or biometric recognition of the smartphone.
  2. The PIN, password or biometric recognition of the app.
  3. iOS Keychain or Android KeyStore encryption.
  4. The encryption and management of the private key itself.

Let’s talk about each of these layers in more detail.

Smartphone access

Modern mobile devices are protected by multiple security measures, precisely to prevent the kind of access that would allow a hacker to install malware that can introduce keylogging and collect your information. So, how is a hacker going to keylog the phone in the first place?

Unless you are suspecting that someone in your circle of relatives, friends, and colleagues might choose to compromise your phone’s security (which is a different issue altogether), you can take measures to prevent random attacks.

Don’t download apps when you are not sure of their source, don’t click on suspicious links, and don’t ‘jailbreak’ or ‘root’ your mobile OS. If you are using a password or pin, make sure you are making them as strong as possible (for reference, take a look at this guide by MEW’s hardware wallet partner Trezor for making a strong passphrase). In addition, consider turning on biometric access.

What about SIM swapping? For services that implement 2FA (two-factor authentication), explore the possibility of using authenticator apps like Google Authenticator and Authy instead of a text message. Avoid tying a lot of services to a single email address, and find a useful guide (something like this one) about responding quickly to a SIM hijacking situation.

App access

Most mobile applications that are related to finance, banking, or crypto use an additional password and/or biometric check for app access. In addition, many of such apps require more than just password entry when re-installed on a different mobile device. With banking apps, it might be a two-factor check (see above about using an authenticator app for this), and with MEWconnect, you would need to restore wallet access with the mnemonic recovery phrase.

This means that even if an attacker knew your app password through keylogging, that wouldn’t be enough to access your wallet once they installed the app on their phone. Even if they got access to your full phone backup in the cloud, the app would require the recovery phrase after installation – and that recovery phrase, if used correctly, should never be entered manually online or stored with internet services (like email, Dropbox, GoogleDrive, cloud-based notes apps, etc.)

iOS Keychain/Android KeyStore encryption

This layer of security is one of the features that differentiate mobile apps from web interfaces. The memory of mobile devices is more difficult to ‘hack’ than that of personal computers, and decrypting passwords from mobile OS encryption mechanisms is a formidable task in itself. So, if you don’t store your access information in a Google Doc on a Google Drive, your phone will take good care of the sensitive information entrusted to it.

It’s worth keeping in mind that Apple’s Secure Enclave chip can’t be used for crypto wallet keys at the moment, for various reasons having to do with the private key algorithm and Secure Enclave design. (See a detailed explanation of this on MEW’s subreddit here.) So when wallets say they use Apple’s Secure Enclave, they actually mean iOS Keychain encryption (which still keeps your info safely encrypted).

Private key management

On top of security measures applicable to mobile devices and mobile apps in general, crypto wallets implement specialized technology to safeguard the users’ private keys. In terms of key management, MEWconnect is actually more like a hardware wallet than the standard mobile wallet app.

For most mobile crypto wallets, the keys are stored in the same ‘location’ where transactions occur, allowing the keys to come in contact with the internet, though with encryption protections in place. MEWconnect, on the other hand, acts like a hardware wallet by never exposing the private keys. The signing of the transaction takes place in a secure environment, keeping keys safe even in the context of a mobile device that is continuously connected to the internet.


At the current state of digital technology, it turns out a PC is not inherently safer than a smartphone. Rather, it’s all about best security practices (which are pretty much the same across devices, when it comes to crypto) and making sure your apps come from trusted creators. As many desktop applications move to the browser, PWAs (progressive web apps) become more widely used, and browsers introduce updates to accommodate decentralized applications, the lines between PC and mobile become more and more blurred.

Globally, internet use has long been shifting towards mobile devices, and that trend will only gain momentum, especially since new users of internet services tend to come from geographic regions where ownership of a smartphone is much more accessible than ownership of a PC. Given this reality of mobile domination, developers must (and do) use the best available security features when building mobile apps.

Having said all this, if you intend to store large amounts of crypto for long periods of time, cold storage methods like hardware and paper wallets are still the highest standard of security. Mobile wallets are probably best suited for keeping smaller amounts of funds for payments, daily transactions, swaps, and dapp interaction.

Hopefully, this exploration into the workings behind mobile app security can help soothe some of the worries about using a mobile device to access your crypto!

Keeping you safe from hackers, whether they are wearing black hoodies or not,

MEW


Author image

About MEW

MyEtherWallet (our friends call us MEW) is a free, client-side, open-source, easy-to-use interface helping you interact with the Ethereum blockchain.