Topic: Do not use a wallet that do not bring out virtual keyboard (Read 249 times)

If you are ever going to import a wallet to your new phone make sure you scan the old wallet bar code instead, this will neutralise the need to import recovery seed by yourself, also its more safer not to install any keyboard on your phone at all, stick with the factory keyboard.

If someone often uses his phone as a wallet, to protect him from these text predictors, AFAIK there's a way to turn them off. That's what I did with my smartphone years ago but after buying a new phone, I've forgot to turn off this feature. No prediction words.

Actually, this is a good reminder for those folks that are to trustful with their smartphones that are being used as a wallets.

This will serve as a warning to them to be vigilant and as much as they can, don't use their phone when they're about to use their seed phrases.

That will be a problem for people who will have no idea that it could be used like that. It's still hard to predict the right words and the correct order, but already having initial possible words is scary. I stay away from mobile wallets and retyping them to the app itself.

I remember that you only select the words anywhere in the app, correct? Like it will show you the seed you have and just click it. So it won't be typed anymore.

I disagree with idea to avoid wallet without it's own virtual keyboard. User always could use different keyboard which doesn't collect user data or at least have option to disable predictive feature. I would recommend AnySoftKeyboard[1] for most people and Simple Keyboard[2] for those who only need most basic feature.

[1] https://anysoftkeyboard.github.io/
[2] https://github.com/rkkr/simple-keyboard

If you've turned predictive text and similar off, then this kind of attack will be impossible on your phone.

Ugh! One more reason to add to the list of reasons of why Coinomi is an awful wallet to choose.

Most (all?) phones automatically disable predictive text in password fields, for obvious reasons.

I think I have turned all those predictive text suggesting thingies off when I initially set up my phone. But I just wanted to test it out on two different mobile wallets to see what will happen.

I used Electrum mobile and Coinomi since they are installed on my phone already.

Electrum gives you a 12-word seed. You have to write it down because the wallet doesn't allow you to copy-paste and save the words digitally.
For verification, the wallet displays a virtual keyboard. All good. The only time you use your phone's standard keyboard is when you set up a password.

Coinomi is a bit different. it generates 24-word seeds and the app gives you an option to copy and paste these words during the wallet creation process. Not good. When you want to verify the seed, you don't have to type them in. Instead, the wallet displays all of the words randomly and you have to click on them and place them in the correct sequence. The password is also typed in using the phone's standard keyboard.

In both cases, I wasn't able to get the phone to predict the seed. I tried typing them into Viber one by one, but nothing. I typed the seed words as my password using the phone's standard keyboard. Went back to Viber, but no text predictions. 
It would be good if the article mentioned a few wallets without a virtual keyboard that could be vulnerable to this.

The problem isn't with the keyboard auto-completing the word which you are typing (which is possible for all BIP39 words after a maximum of 4 characters have been entered, since the first 4 characters of every BIP39 word are unique), but rather with it automatically suggesting the next word in your seed phrase based on what you have previously entered. Someone else who has access to your phone (physically or who can remotely access your phone's memory and copy your custom dictionary) can simply start entering words on the BIP39 wordlist one by one until your phone starts suggesting another BIP39 word, and then another, and then another, and then they have your entire seed phrase.

Very very handy when it comes to chatting and typing (though most keyboard apps already have this feature afaik), very bad in terms of privacy (it obviously uses predictive text and stores stuff in their database).

I used to use SwiftKey years ago prior Microsoft
's acquisition, nothing comes close to it in terms of word prediction - it's like privacy or comfort. You could type without even pressing a single letter.

Partly true, because there's nothing wrong with using a hot wallet (for a small minority of your holdings, of course) if you need bitcoin/crypto to be easily accessible when you're out and about.

All such problems can be solved by using cold storage, which everyone should do either with a hardware wallet or an airgapped PC. Smartphones or online computers should only hold small amounts that could be afforded to get lost.

As for this particular problem, you can import master private key via QR code in certain wallets like Electrum, that shouldn't leave any trace on your smartphone.

From what I know, some wallets base on the standard English dictionary, which is a group of words that you should enter minus misspelling any of them. So the words that appear on the screen do not actually mean the person who created the non-malicious wallet (dev) knows what your seeds are, it (the wallet software) is simple suggesting to you the next possible word based on the first letters you typed.

If you want to prove this, download a truly open source wallet like elect um and try importing your seed to the wallet minus any internet connectivity. The wallet will still try to suggest to you the words. How is the dev going to know what you just typed in, minus any internet connectivity?

I guess members who constantly use their phones when dealing with cryptocurrency should be taking notes or at least be more cautious, especially the people who have just recently started with cryptocurrency.

yep, and other than your recovery seed being at risk, other important information like password, personal information, etc... would also be at risk.

This is why I hate importing my recovery seed after uninstalling, I don't always like it because you have to type it out into the new wallet, there are wallets that only requires you to pick the recovery seed on the screen to verify you wrote down the correct seed, those wallets dev know what they are doing.

I know the risk if using default keyboard whenever we are using it for entering passwords or more important like while logging into our bank accounts, entering private keys of cryptocurrency wallets but most wallets provide virtual keyboard even they don't allow copy paste of the entries in it but yeah this is important advice and warning for someone who doesn't know it.

Yeah, avoid virtual keyboards, although I personally wouldn't touch the default keyboard (unless replacing it for a open source version) i.e installing addon packs or emoji's. Also, disable any sort of feature that can predict or memorise your words. I don't use phones as a way of storing Bitcoin, but I don't have the prediction text on either way for this exact reason. Delete your personal dictionary, and get rid of anything that's collecting your data.

Also, on a side note, I'd be looking for an alternative to Gboard if you're entering anything sensitive on it. I'd seek a open source alternative that you can verify yourself. This is mainly from a privacy stand point, as I'm sure a lot of people rely on Google products, although if you don't want them using your data to serve you cryptocurrency apps, in my mind it'll be worth seeking the alternative.

If you want a mobile wallet, you have to create it somehow, and this is not a problem if we are aware that such a wallet is extremely vulnerable and should not be used to store any major values. Given how the average user treats the security of their computer, smartphones are even lower on that list of priorities, and this should always be kept in mind.

HWs that can be connected to smartphones (wireless or via cable) is one of the choices as we can further protect ourselves while on the go and we need a crypto wallet. Of course, the question will always be whether it is smart, but with the fact that we can have two independent HWs, we can have multiple protected accounts on the same device in case a physical attack occurs or we lose the wallet.

It's why using a third party keyboard is wrong, if you are using a Xiaomi phone make sure you stick with the keyboard that comes with this phone or risk getting your recovery seed stolen, after installing any third-party keyboard you will always get a warning that your words will be saved probably into cloud, this is wrong.

There have been plenty of cases of seed phrases being stolen after being typed in to a phone, even with a virtual keyboard. There are plenty of malicious apps out there which will capture your keyboard entries or your screen and send that off to an attacker. I've read reports of users who installed some emoji pack or similar keyboard customization which had a keylogger embedded in it.

Whenever you generate a wallet on a mobile wallet or enter a seed phrase on any mobile device, you should consider the security of that seed phrase to be very low. You should only be using mobile wallets for small amounts of coins you need immediate access to when you are away from home, and absolutely not for storing large amounts of funds. Consider anything in a mobile wallet analogous to hard cash you carry around in your pocket - you might carry around $100 in cash, but you are not going to carry around $10,000 in cash. This amount of coins belongs in a hardware wallet or cold storage, not in a mobile wallet.

I'll blame it on the user for creating a wallet on a mobile device. Hardware wallets have been around for a while, and as part of the security measures for holders to accept the use of hardware wallets has been one of the problems that have been solved. Word suggestions aren't just the only problems with mobile wallets, there is the possibility that you may get attacked by keyloggers and malware that can change anything copy, it could be an address.

I've tested some software wallets and can state that some developers do deactivate this word prediction, as well as the ability to copy and paste recovery phrase/seed, but looking at all of this, it's very simple to fall victim to a wallet breach, that is why hardware wallets don't have these issues.