Topic: Q re Android wallet security (Read 1341 times)

hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
March 29, 2015, 09:29:22 AM
#18
You won't find an option named "Android debugging" in Settings. Correct name is "USB debugging"*.

* Settings -> Developer Options -> Debugging -> USB debugging.

FYI the Developer Options are only visible if you've gone through the unhiding procedure. If they're not visible, then USB debugging is disabled, and you're safe from this attack vector.

Coinbase isn't a good wallet because you can't access the private keys. You will have to trust them and if their server is down, you can't access your Bitcoin. They can easily steal your Bitcoin if they want to.

Recommended wallets are


This is a good list IMO. To help you decide:

Some wallets do strong (server-assisted) encryption of the wallet stored on your phone. If you lose your phone, a determined thief who is able to root your phone can steal wallets without strong encryption.

Strong encryption: GreenBits, Hive Wallet. Brute-forcible encryption (takes longer than no encryption, but still stealable): Bitcoin Wallet. No encryption (just a PIN check): Mycelium

Some wallets offer better privacy than others. Bitcoin Wallet is the best in this category; the other three share your transaction history with a centralized service as part of their operation.

Some wallets need to trust a centralized service to tell them about new inbound transactions, and to broadcast outbound transactions on the wallet's behalf. A centralized service could theoretically lie to the wallet -- it could withhold an inbound transaction or make up a fake inbound transaction. Mycelium and Hive Wallet fall into this category. Bitcoin Wallet and GreenBits do not depend on a centralized service for transaction verification.

Of those listed, only GreenBits offers two-factor authorization. (Of course, for 2FA to be effective you'd need a second device, e.g. a different phone or a laptop.)

All of the listed wallets are shared source, i.e. their source code is published and viewable. However, Mycelium is not open source: you may not modify it nor redistribute it yourself. The other three are open source.
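The three storage models contrasted in the post above (PIN check only, a key derived from the PIN, and server-assisted encryption), as an added sketch that is not part of the thread and not the code of any wallet named in it. The 4-digit PIN, the toy XOR cipher, the tiny work factor and the `server_secret` model of "server-assisted" are all assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 100   # assumption: tiny work factor so the demo finishes quickly
SEED = b"CONSTRUCTED-32-BYTE-DEMO-SEED!!!"   # constructed sample, not a real key

def derive_key(pin, salt, server_secret=b""):
    # The key depends on the PIN and, in the server-assisted model, on a
    # secret that is never written to the phone's storage.
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + server_secret, salt, ITERATIONS)

def _xor(key, data):
    # Toy stream cipher for seeds of up to 32 bytes; illustration only.
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(seed, pin, server_secret=b""):
    salt = os.urandom(16)
    key = derive_key(pin, salt, server_secret)
    tag = hmac.new(key, b"check", hashlib.sha256).digest()
    return {"salt": salt, "ct": _xor(key, seed), "tag": tag}

def unseal(blob, pin, server_secret=b""):
    key = derive_key(pin, blob["salt"], server_secret)
    tag = hmac.new(key, b"check", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None          # wrong PIN or missing server secret
    return _xor(key, blob["ct"])

def recoverable_offline(blob):
    # What a party holding only the stored file can recover by trying
    # every 4-digit PIN, with no server involved.
    for n in range(10_000):
        seed = unseal(blob, f"{n:04d}")
        if seed is not None:
            return seed
    return None

def compare_models(pin="4821"):
    # Model 1: seed stored in the clear, the PIN only gates the UI.
    pin_check_only = {"seed": SEED, "pin_hash": hashlib.sha256(pin.encode()).digest()}
    # Model 2: key derived from the PIN alone.
    local = seal(SEED, pin)
    # Model 3: key also needs a secret held by a rate-limiting server.
    assisted = seal(SEED, pin, server_secret=os.urandom(32))
    return {
        "pin_check_only": pin_check_only["seed"] == SEED,
        "pin_derived_key": recoverable_offline(local) == SEED,
        "server_assisted": recoverable_offline(assisted) == SEED,
    }

if __name__ == "__main__":
    for model, exposed in compare_models().items():
        print(f"{model:16} seed exposed from stored file alone: {exposed}")
```

A real work factor only stretches the time for the second model; the PIN space stays at 10,000 values, which is why a longer passphrase or a server-held secret matters more than the iteration count.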
hero member
Activity: 560
Merit: 506
I prefer Zakir over Muhammed when mentioning me!
March 29, 2015, 12:26:06 AM
#17
Not sure if "Android debugging" is enabled or not.

Sorry! You won't find an option named "Android debugging" in Settings. Correct name is "USB debugging"*.

* Settings -> Developer Options -> Debugging -> USB debugging.

I use Coinbase on Android - what are the problems you're referring to with this setup?

Coinbase isn't a good wallet because you can't access the private keys. You will have to trust them and if their server is down, you can't access your Bitcoin. They can easily steal your Bitcoin if they want to.

Recommended wallets are

sr. member
Activity: 364
Merit: 252
March 28, 2015, 10:20:46 PM
#16
Can someone outline the potential security risks associated with a wallet on Android?

Like all OS, it has many risks. Java is worst in most languages.

1) What are the risks if the phone is in my possession the entire time (non-rooted Nexus 5)?

If you don't install any suspicious app, you are safe.

2) If the phone is stolen - there is still a password lock on the phone, so Bitcoin can't be sent out unless the phone is unlocked.  But in this event, can I not just access my Bitcoin account online via website on my laptop?

Thief may be able to do a brute-force attack and also, if you have enabled 'Android debugging', thief can easily remove the lock. I highly recommend you to lock your phone and Bitcoin wallet. An additional app locker will be great too.

No, you can't. If you use Android app of an online wallet like Blockchain.info, Coinbase etc..., you can access your wallet from anywhere. I suggest not to use such wallets as many problems are there. If you really want to use one, Blockchain.info is the best.

You should always make a backup of your private_key/wallet, so that you can recover it if your phone is lost or damaged. If your phone is stolen or lost in a public place, you should move all the BTC to a new address ASAP.

Not sure if "Android debugging" is enabled or not.  I use Coinbase on Android - what are the problems you're referring to with this setup?
hero member
Activity: 560
Merit: 506
I prefer Zakir over Muhammed when mentioning me!
March 28, 2015, 02:43:50 PM
#15
Can someone outline the potential security risks associated with a wallet on Android?

Like all OS, it has many risks. Java is worst in most languages.

1) What are the risks if the phone is in my possession the entire time (non-rooted Nexus 5)?

If you don't install any suspicious app, you are safe.

2) If the phone is stolen - there is still a password lock on the phone, so Bitcoin can't be sent out unless the phone is unlocked.  But in this event, can I not just access my Bitcoin account online via website on my laptop?

Thief may be able to do a brute-force attack and also, if you have enabled 'Android debugging', thief can easily remove the lock. I highly recommend you to lock your phone and Bitcoin wallet. An additional app locker will be great too.

No, you can't. If you use Android app of an online wallet like Blockchain.info, Coinbase etc..., you can access your wallet from anywhere. I suggest not to use such wallets as many problems are there. If you really want to use one, Blockchain.info is the best.

You should always make a backup of your private_key/wallet, so that you can recover it if your phone is lost or damaged. If your phone is stolen or lost in a public place, you should move all the BTC to a new address ASAP.
sr. member
Activity: 364
Merit: 252
March 26, 2015, 03:04:03 PM
#14
Can someone outline the potential security risks associated with a wallet on Android?

Couple example questions:
1) What are the risks if the phone is in my possession the entire time (non-rooted Nexus 5)?
2) If the phone is stolen - there is still a password lock on the phone, so Bitcoin can't be sent out unless the phone is unlocked.  But in this event, can I not just access my Bitcoin account online via website on my laptop?

Just trying to better understand what to do in these situations.
newbie
Activity: 35
Merit: 0
March 26, 2015, 12:52:08 AM
#13
Hey there!

Mobile wallets can be very convenient, with features that you can't do with your computer such as NFC and Bluetooth payments.

You seem to be doing the right things by keeping up with regular backups, I would just recommend that you don't keep more money on your mobile wallet than you can afford to lose.

Your mobile wallet is like a "spending wallet". I wouldn't keep your entire Bitcoin savings on your phone since it can be argued that your phone is more easily exploitable than your computer, especially when your computer has the option of utilizing tools such as TrueCrypt, which your phone does not have.

Very good reminder to only keep small amounts on the Android. I forgot about that. Cheers,

Don't mention it! The last thing that I would want to hear is that somebody lost hundreds of dollars on a mobile wallet.
legendary
Activity: 2772
Merit: 2846
March 25, 2015, 08:05:50 AM
#12
Mycelium is a great option for Android. Just save your words in a safe place and you'll be fine. It's so much more convenient to be able to scan QR codes and is way more fun.

+1

Any kind of typing is a nightmare on a mobile and leads to mistakes.
member
Activity: 69
Merit: 10
March 24, 2015, 02:42:20 AM
#11
Mycelium is a great option for Android. Just save your words in a safe place and you'll be fine. It's so much more convenient to be able to scan QR codes and is way more fun.
member
Activity: 94
Merit: 11
March 23, 2015, 09:52:16 PM
#10
Is there anything that makes an Android wallet less secure than a wallet on a pc?

Generally speaking, Android wallets are a bit more secure than PC-based wallets because they're generally less vulnerable to malware. On the other hand, they're easier to lose (so make sure you have a copy of your Mycelium seed somewhere safe).

I follow the following security practices on my Nexus 5: * Not rooted. *

Lots of people claim that a rooted phone is something terrible. It's actually not, if you're careful. A rooted Android phone will ask you before giving an app root permissions (and if you use SuperSU it can even be configured to prompt you for a PIN). If you're the type of person (and you don't sound like it) that always clicks "Yes" whenever they see a prompt, then rooting isn't for you. But aside from that, as long as you're careful with only installing very popular/trusted root-using apps, and you make sure any root security prompts are from a trusted app that you're expecting, you'd be fine.
The real issue isn't is your phone currently rooted, but rather can your phone be rooted? In other words, is there a known Linux kernel vulnerability that makes it possible to root your phone? If the answer is yes, then you have to be very careful about all apps that you install (it sounds like you already are), because any one of them could root your phone without your knowledge, and then it would be free to steal your btc. Practically speaking, this type of attack doesn't seem very prevalent today, but I suspect that will change as Bitcoin becomes more popular....

Do you think Android wallets are fine?

I do, I use GreenBits / GreenAddress.it (same devs, GreenBits is their newer semi-beta app; GreenAddress is their older one).
Honestly, the fact that you're asking these questions already puts you head and shoulders above many others....

I never sideload; only use Play Store apps (and I know they're not guaranteed safe). From what I've heard Google does what they can to keep malware out of the Play Store, but some will always sneak through.

I've thought about rooting my Nexus to see what extra features and functionality I could get from that. But I'm so busy with all my regular work that there's no time to sit down and learn the details. And I've been loving my Nexus just as it is, great phone and I love stock Android. I'm also exploring the Android Coinbase wallet since I have a Coinbase account. Thanks,
member
Activity: 94
Merit: 11
March 23, 2015, 09:44:49 PM
#9
Hey there!

Mobile wallets can be very convenient, with features that you can't do with your computer such as NFC and Bluetooth payments.

You seem to be doing the right things by keeping up with regular backups, I would just recommend that you don't keep more money on your mobile wallet than you can afford to lose.

Your mobile wallet is like a "spending wallet". I wouldn't keep your entire Bitcoin savings on your phone since it can be argued that your phone is more easily exploitable than your computer, especially when your computer has the option of utilizing tools such as TrueCrypt, which your phone does not have.

Very good reminder to only keep small amounts on the Android. I forgot about that. Cheers,
hero member
Activity: 1372
Merit: 783
better everyday ♥
March 23, 2015, 06:39:40 PM
#8
Good method to use is Mobile Phone carrying less than $100 like you'd do your leather wallet in your back pocket.

For larger than $100, you'd use your PC or laptop wallet.

For anything in the $1000s or higher, you'd use a paper wallet or Hardware wallet like Ledger or Trezor.

So once again:

Less than $100 = Mycelium
Greater than $100 = Electrum
Greater than $1000 = Paper wallet, Ledger, Trezor
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
March 23, 2015, 03:52:19 PM
#7
I would be much more careful with mobile wallets than I am with PC wallets, simply because on a PC you have somewhat more security.
First off, no one is going to steal your PC, I mean the chances are much smaller, and you have antivirus, anti-malware, firewall protection and what not, whereas on Android you have no such advantages, and there are increasing amounts of bitcoin-stealing malware on mobile phones. You can easily get infected by some app that you install, etc.

cheers

Physical theft is an issue (as I mentioned above), but if you don't understand the security model used by mobile devices, you really shouldn't be offering advice on the subject....
legendary
Activity: 1456
Merit: 1000
March 23, 2015, 03:46:53 PM
#6
I would be much more careful with mobile wallets than I am with PC wallets, simply because on a PC you have somewhat more security.
First off, no one is going to steal your PC, I mean the chances are much smaller, and you have antivirus, anti-malware, firewall protection and what not, whereas on Android you have no such advantages, and there are increasing amounts of bitcoin-stealing malware on mobile phones. You can easily get infected by some app that you install, etc.

cheers

Very good point on being more careful.  With a phone wallet I would not keep a lot of BTC in it.   Remember cold wallets for majority of your bitcoins.
legendary
Activity: 1722
Merit: 1000
Satoshi is rolling in his grave. #bitcoin
March 23, 2015, 03:32:24 PM
#5
I would be much more careful with mobile wallets than I am with PC wallets, simply because on a PC you have somewhat more security.
First off, no one is going to steal your PC, I mean the chances are much smaller, and you have antivirus, anti-malware, firewall protection and what not, whereas on Android you have no such advantages, and there are increasing amounts of bitcoin-stealing malware on mobile phones. You can easily get infected by some app that you install, etc.

cheers
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
March 23, 2015, 01:50:35 PM
#4
Is there anything that makes an Android wallet less secure than a wallet on a pc?

Generally speaking, Android wallets are a bit more secure than PC-based wallets because they're generally less vulnerable to malware. On the other hand, they're easier to lose (so make sure you have a copy of your Mycelium seed somewhere safe).

I follow the following security practices on my Nexus 5: * Not rooted. *

Lots of people claim that a rooted phone is something terrible. It's actually not, if you're careful. A rooted Android phone will ask you before giving an app root permissions (and if you use SuperSU it can even be configured to prompt you for a PIN). If you're the type of person (and you don't sound like it) that always clicks "Yes" whenever they see a prompt, then rooting isn't for you. But aside from that, as long as you're careful with only installing very popular/trusted root-using apps, and you make sure any root security prompts are from a trusted app that you're expecting, you'd be fine.

The real issue isn't is your phone currently rooted, but rather can your phone be rooted? In other words, is there a known Linux kernel vulnerability that makes it possible to root your phone? If the answer is yes, then you have to be very careful about all apps that you install (it sounds like you already are), because any one of them could root your phone without your knowledge, and then it would be free to steal your btc. Practically speaking, this type of attack doesn't seem very prevalent today, but I suspect that will change as Bitcoin becomes more popular....

Do you think Android wallets are fine?

I do, I use GreenBits / GreenAddress.it (same devs, GreenBits is their newer semi-beta app; GreenAddress is their older one).

Honestly, the fact that you're asking these questions already puts you head and shoulders above many others....
newbie
Activity: 15
Merit: 0
March 23, 2015, 12:48:51 PM
#3
It is very convenient.
newbie
Activity: 35
Merit: 0
March 23, 2015, 11:06:21 AM
#2
Hey there!

Mobile wallets can be very convenient, with features that you can't do with your computer such as NFC and Bluetooth payments.

You seem to be doing the right things by keeping up with regular backups, I would just recommend that you don't keep more money on your mobile wallet than you can afford to lose.

Your mobile wallet is like a "spending wallet". I wouldn't keep your entire Bitcoin savings on your phone since it can be argued that your phone is more easily exploitable than your computer, especially when your computer has the option of utilizing tools such as TrueCrypt, which your phone does not have.
member
Activity: 94
Merit: 11
March 23, 2015, 10:42:28 AM
#1
Hi All,

Newbie here. I've got the Electrum btc wallet on my Win7 pc and it seems to work fine. I do daily backups to offline and remote media. I've also got a Nexus 5 Lollipop phone with Mycelium installed but I haven't sent any bitcoins to it. Is there anything that makes an Android wallet less secure than a wallet on a pc?

I follow the following security practices on my Nexus 5:
* Not rooted.
* Latest version of Android.
* Only use Play Store to install apps.
* Never sideload apps.
* Do daily backups of important files on the Nexus.
* Use a strong Pattern Lock.

So if I follow these practices and daily backup my Mycelium wallet to my pc, would that be considered pretty good security? Or is there something about having wallets on an Android that is inherently less secure?

Do you think Android wallets are fine? Or would you never use one?

I may get a diversity of opinions on this and that's good. Helps me learn various sides of the issue.

Thanks,

Advait