Worth a read... and be careful with cell wallets
Security Issue for Android Wallets
by karlcoin
https://www.reddit.com/r/Qtum/comments/7yk8nq/security_issue_for_android_wallets/
This security issue could be applied to any wallet on a phone with a mnemonic passphrase - but I found it when restoring my QTUM wallet on my Samsung J1-mini.
Rather than type it all out again, here is the information that I PM'd to @earlz on the QTUM Discord:
Hey, I got your invite - but I don't think I'm ever going to get around to submitting this security issue and I'm not after any reward.
Basically what I found was this. When I installed the QTUM wallet app on my Samsung SM-J105Y I was given a lengthy pass phrase (many words, I'm sure you know what I mean). This pass phrase can be used to recreate the wallet if, say, my phone is destroyed. That's all good. So, before putting any money into the wallet I wanted to see if the pass phrase worked. So, I uninstalled the app and then reinstalled it again. Instead of creating a new wallet address, I elected to recreate my old one with the pass phrase. This worked fine.
The alarming thing, though, was that, after entering the first word of my pass phrase, my phone auto-suggested every other word in the exact same order!! To me, this means that the intelligent predictive text feature of the keypad has, inadvertently, stored my wallet pass phrase. How did it get into the keypad log?? I think it must have been when I copied the originally produced version and then pasted it into my note pad.
Of course, I have no idea how long it stays in the keypad log - obviously not forever, as I have restored the wallet a couple of times since and not had the auto-suggest predict my pass phrase since. So, it must get overwritten in time. Still, I think this needs to be looked into. If someone else discovered this, it could be bad news for a few people out there.
I will also post this on Reddit, just to let the general public know.
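A wallet app can ask the keyboard not to suggest words in, or learn from, its own seed-phrase field. The check below is an added example, not code from the post or from the QTUM wallet: it audits a constructed Android layout for the two standard attributes involved. The view ids and layout are hypothetical, the attributes are requests that a keyboard may ignore, and they do not cover text pasted into other apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PASSWORD_TYPES = {"textPassword", "textVisiblePassword", "textWebPassword"}

# Constructed layout: one unhardened seed-phrase field, one hardened.
SAMPLE_LAYOUT = """<LinearLayout
    xmlns:android="http://schemas.android.com/apk/res/android">
  <EditText android:id="@+id/seed_weak"
      android:inputType="textMultiLine" />
  <EditText android:id="@+id/seed_hardened"
      android:inputType="textNoSuggestions|textVisiblePassword"
      android:imeOptions="flagNoPersonalizedLearning" />
</LinearLayout>"""


def flags(elem, attr):
    """Split a '|'-separated android: attribute into a set of flag names."""
    raw = elem.get(ANDROID_NS + attr, "")
    return {part.strip() for part in raw.split("|") if part.strip()}


def audit_layout(xml_text):
    """Map each EditText id to the keyboard-privacy findings for that field."""
    report = {}
    for elem in ET.fromstring(xml_text).iter():
        # Also matches subclasses such as TextInputEditText.
        if not elem.tag.endswith("EditText"):
            continue
        findings = []
        input_type = flags(elem, "inputType")
        if "textNoSuggestions" not in input_type and not input_type & PASSWORD_TYPES:
            findings.append("inputType allows suggestions")
        # Honoured by keyboards on Android 8.0+; a request, not a guarantee.
        if "flagNoPersonalizedLearning" not in flags(elem, "imeOptions"):
            findings.append("imeOptions allows keyboard learning")
        report[elem.get(ANDROID_NS + "id", "<no id>")] = findings
    return report


if __name__ == "__main__":
    for view_id, findings in audit_layout(SAMPLE_LAYOUT).items():
        print(view_id, "->", findings or "ok")
```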