Pages:
Author

Topic: WARNING when using mobile device wallets (Android, iOS) - page 2. (Read 766 times)

legendary
Activity: 2268
Merit: 18771
Then how am I suppose to import the wallet?
The real question is: Why are you importing it?

I have a mobile hot wallet, for which I accept the poor security of hot wallets because of the convenience they bring. In this wallet I store a small amount of bitcoin I can afford to lose. That's my only hot wallet. I don't need to import it anywhere else, because it's already on my phone. If I needed to change phones, then I'll set up a new wallet and send the coins across.

For every other wallet I own, of which there are many, there is almost no scenario in which I would ever import the seed phrase on to a phone. These are a variety of cold wallets, paper wallets, hardware wallets, etc. I have never imported one of these wallets to a phone, and if I ever did, then that wallet is immediately compromised and insecure.

There are 3 version of mint? Which one did you use or prefer?
If you are looking for the closest feel to Windows, and your computer isn't ancient, then Cinnamon. If you need something light on resources for older devices, then MATE or Xfce will be better.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
That means our bitcoins are never safe even when we store them in the most secure ways. Even hardware wallets because they are produced and distributed by centralized companies, and they can come under pressure from the government at any time.
No, no, it's not like that, you can feel very safe and secure. You have to ask yourself questions like how many bitcoins you hold, you have to know your neighborhood, friends, etc. If you don't live near Silicon Valley and your friends aren't top hackers or scammers or thieves, then you can feel safe and secure with your coins. You guys love too much drama, if you follow basic security advices, your wallet and coins will be very secure. Use airgapped computer, nothing will happen. I even bet, if you connect to internet with your computer and only visit websites like Youtube, twitter, facebook, instagram, won't click on ads and won't visit malicious/unknown websites, won't download pirated software and so on, I bet your wallet will be secure. It won't be a cold wallet anymore but even if you take care of hot wallet, you can feel very secure.

And tip! Follow o_e_l_e_o's advices, he is a great guy and knows what he says.
legendary
Activity: 2380
Merit: 5213
Then how am I suppose to import the wallet? Little confused here. I have to type in the passphase, don't it?
o_e_l_e_o is suggesting not to enter your seed phrase on a non-airgapped device.
If you create your wallet on an airgapped device using a safe tool and never enter your seed phrase on a non-airgapped device, you can be sure that there's no way for hackers to gain access to your seed phrase.
sr. member
Activity: 322
Merit: 318
The Alliance Of Bitcointalk Translators - ENG>BAN

There is a much simpler solution to all the issues being raised here about keyboard apps: Don't type your seed phrase in anywhere. Simple. If I type any seed phrase in to any non-airgapped device ever, I immediately consider it compromised.

Then how am I suppose to import the wallet? Little confused here. I have to type in the passphase, don't it?

Quote from: o_e_l_e_o
Moving from Windows to Linux is always a good idea, but as I said above, don't think that making this one change suddenly makes all your wallets secure. If you have a bit of technical knowledge, then I would suggest using Debian. If you don't, then I would suggest Mint since it is the closest in look and feel to Windows and relatively easy to set up and use.

There are 3 version of mint? Which one did you use or prefer?
legendary
Activity: 2268
Merit: 18771
That way I can build my own keyboard and use it to import export my keys.
There is a much simpler solution to all the issues being raised here about keyboard apps: Don't type your seed phrase in anywhere. Simple. If I type any seed phrase in to any non-airgapped device ever, I immediately consider it compromised.

BTW anyone use any linux distro? I was thinking to shift from Windows to Linux. Any suggestion?
Moving from Windows to Linux is always a good idea, but as I said above, don't think that making this one change suddenly makes all your wallets secure. If you have a bit of technical knowledge, then I would suggest using Debian. If you don't, then I would suggest Mint since it is the closest in look and feel to Windows and relatively easy to set up and use.
sr. member
Activity: 322
Merit: 318
The Alliance Of Bitcointalk Translators - ENG>BAN
By the looks of it now I think I need to be a software developer. That way I can build my own keyboard and use it to import export my keys. Without this I have no other ways. I will always be in risk of being hacked. Currently I'm using stock keyboard with Custom Rom installed on my phone (Not stock OS). And you guys talking about security over a simple keyboard!! Now I think even the OS isn't even secure enough. Yes Android maybe Open source but many company doesn't use pure Android os, rather they would modify it and give it a custom skin job as they prefer.

BTW anyone use any linux distro? I was thinking to shift from Windows to Linux. Any suggestion?
legendary
Activity: 2268
Merit: 18771
That means our bitcoins are never safe even when we store them in the most secure ways.
Not at all. There are plenty of secure ways to store your keys, but a hot wallet is never one of them.

Even hardware wallets because they are produced and distributed by centralized companies, and they can come under pressure from the government at any time.
So use a hardware wallet where all the hardware and software is open source, such as Passport. Should they come under pressure to implement backdoors or similar, that will be viewable in the code.

I've never used Linux before, but I've heard people say it's an open source operating system. So is it safe for me to use Electrum in conjunction with the Linux operating system?
A good Linux distro will be safer than Windows or MacOS, but simply using Linux does not make your wallets magically impenetrable. It is a single part of a good security set up.
legendary
Activity: 2184
Merit: 1024
Vave.com - Crypto Casino


I have a question, if we can't trust the stock Android or Apple keyboard, can we trust their operating system or hardware product?
The stock OSs which come pre-installed on phones are almost all closed source, so the answer is generally no, unless you are one of the few people using phones such as PinePhone or Librem.

That means our bitcoins are never safe even when we store them in the most secure ways. Even hardware wallets because they are produced and distributed by centralized companies, and they can come under pressure from the government at any time.

I've never used Linux before, but I've heard people say it's an open source operating system. So is it safe for me to use Electrum in conjunction with the Linux operating system?

If Linux is really secure, then setting up an air-gapped wallet is the safest for us.
legendary
Activity: 2268
Merit: 18771
when importing your seed phrase make sure your phone is not connected to the internet
This is a completely false sense of security. Any decent malware can just wait until internet access is reestablished in order to transmit data. Devices are either airgapped or they are not. There is no such thing as this temporary airgap that people talk about.

I have a question, if we can't trust the stock Android or Apple keyboard, can we trust their operating system or hardware product?
The stock OSs which come pre-installed on phones are almost all closed source, so the answer is generally no, unless you are one of the few people using phones such as PinePhone or Librem.
legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
Mobile wallets are not exactly the most secure wallets in the world, but in case you really have to use them, please keep in mind one very important piece of information.
You are right when you say that mobile phones are, to put it mildly, not the safest. If possible, you should minimize the interaction with cryptocurrencies using mobile devices. If you store crypto on it, then only for pocket expenses, which you are ready to part with at any moment.

If desktop devices can be customized at your own discretion (choose an OS, programs and check their code), then in mobile devices the OS is preinstalled and all that remains is to believe the manufacturer's security assurances.

Somebody has already been robbed because of this. You must only use the stock Android or Apple keyboard, and no others. Better if you uninstall all 3rd party keyboards completely. They collect all data you type on the keyboard at all times, which is a requirement for them to function properly, and there is no telling who is at the other end of the server!

There are no guarantees that stock Android devices (especially from Chinese manufacturers) don't collect data either.


What about Samsung keyboard? Samsung smartphones come with it. Windows Phones came with Microsoft's Word Flow keyboard app and Swiftkey belongs to MS too. While I absolutely agree with the advice that you give here, I still don't think that that would be an issue for that person.

The person I quoted in the OP was robbed while using Swiftkey, so I really do mean it when I say only use those keyboards that ship in stock Android and iOS. And as o_e_l_e_o said, built-in open-source keyboards in wallet apps are even better - although you should NOT be storing crypto on a Windows Phone, because those devices don't get security updates anymore.
Updates on Windows Phone are no longer released, but this may play into the hands. There are relatively few such devices, and therefore, will attackers want to spend time and effort creating malicious programs for outdated, unpopular, moreover, dead operating systems? It seems to me that it is easier for them to concentrate on Android and iOS, where, due to the mass character, they will be able to find their victims. And Windows Phone, at best, is used by one and a half Johns around the world, and even those who don't have cryptocurrencies on these phones.

What are your thoughts on feature phones, like the blackberry with an external keyboard and the like? Astro Slide 5G Transformer, for example (although who knows what apps will be preinstalled here).
hero member
Activity: 644
Merit: 661
- Jay -
I have a question, if we can't trust the stock Android or Apple keyboard, can we trust their operating system or hardware product? Because we are also using their phone or computer to install Electrum.
You are not trusting that either, rather you are trusting verifying that electrum does not remotely store your private keys which will leave it exposed to be stolen. Even if the OS says they are not monitoring your data, they most likely are, what you have to do is limit to a minimum the amount of data they can access.

But as suggested above using an airgapped device or an open source hardware wallet like Passport is your safest option, cause the OS plays a huge role in the security of the applications that are run on them.

- Jay -
legendary
Activity: 994
Merit: 1089
I have a question, if we can't trust the stock Android or Apple keyboard, can we trust their operating system or hardware product? Because we are also using their phone or computer to install Electrum. I am using Iphone, and everytime I install 3rd party app, they ask me if I allow the app to track me or not.
Hot wallets are very prone to hacking, even if you use an open source OS only a small amount of funds should be held in a hot wallet. You should use either a hardware wallet to store your main funds or a properly set up air-gapped wallet that will never be connected to the internet, with a Linux based OS installed. If you use a cold storage set-up to store your funds, you can then install apps you want on your online device because it does not hold any of your funds, except maybe a small amount of it for daily transactions.
legendary
Activity: 1610
Merit: 2026
If I am not wrong Gboard is the stock keyboard comes with most of the android devices
I use Gboard with all my mobile devices, both iOS and Android driven. I suppose Apple doesn’t even know what I type. Probably it’s even a little bit safer than using different stock keyboards with different mobile devices.
legendary
Activity: 2184
Merit: 1024
Vave.com - Crypto Casino
Ideally, you should only use open source wallet apps which use their own virtual keyboard for entering seed phrases, where you can verify exactly what the keyboard is doing. Electrum is one such example. Even using the stock Android or Apple keyboard isn't completely safe. These stock apps are usually not open source and are so deeply embedded in the phone's firmware that it is near impossible to verify if anything suspicious is happening in the background. And neither Google nor Apple exactly have a great reputation when it comes to privacy, data harvesting, and spying on users/collecting data they promised they wouldn't.

I have a question, if we can't trust the stock Android or Apple keyboard, can we trust their operating system or hardware product? Because we are also using their phone or computer to install Electrum. I am using Iphone, and everytime I install 3rd party app, they ask me if I allow the app to track me or not. Maybe Apple is trying to protect their customers' privacy from 3rd parties, but when I download their apps I don't see any warning. I suspect that it is entirely possible that they secretly collect user data.
legendary
Activity: 994
Merit: 1089
Add it to what the op has said, don't use third party desktop, laptop and mobile phone to login your wallet accounts because most of those guys, your friends, and family members set their devices autofill, that is automatically saved the username and the password so even though you logout from the device at the moment, once the person went to the browser/app and a click in the login box, all your details appear and once he clicks the username, the password would automatically refill in the box and the person will login to your wallet.
You are describing an online web wallet here, which is unsafe to begin with and one should not even think of using a web wallet to store their BTC. In a web wallet you do not control your keys and your funds can be easily be hacked because it is online, there are enough open source software and hardware wallets like Electrum, Sparrow and Passport that you can use to hold your coins. And if you are using a good self custody wallet, it is obvious that you should not use your seed phrase or private key to import you wallet into any unsafe device or one that is not yours.
sr. member
Activity: 658
Merit: 441
I won't enable any other keyboard from my phone apart from in-build keyboard, although I do love using customized theme just as a Go-Launcher with various style of theme color displayed including keyboard but with this post I won't dear to allow that happened again. Truly they said "Knowledge is power"!
I'm glad you now know the harm they can cause you because they are not worth it. One of the ways hackers get access to your phone and wallet is through malware-infested apps and google playstore is good place where most of these apps are dumped by hackers. Stay clear off fancy keyboards and launchers, only use stock android keyboard, limit the way you give permissions to third party apps and when importing your seed phrase make sure your phone is not connected to the internet
legendary
Activity: 1106
Merit: 1372
Mobile wallets are not exactly the most secure wallets in the world, but in case you really have to use them, please keep in mind one very important piece of information.

DO NOT use third-party keyboards while you are using the wallet app!

Somebody has already been robbed because of this. You must only use the stock Android or Apple keyboard, and no others. Better if you uninstall all 3rd party keyboards completely. They collect all data you type on the keyboard at all times, which is a requirement for them to function properly, and there is no telling who is at the other end of the server!
Add it to what the op has said, don't use third party desktop, laptop and mobile phone to login your wallet accounts because most of those guys, your friends, and family members set their devices autofill, that is automatically saved the username and the password so even though you logout from the device at the moment, once the person went to the browser/app and a click in the login box, all your details appear and once he clicks the username, the password would automatically refill in the box and the person will login to your wallet. I have heard this one before but for the keyboard this is the first time I am hearing it. Thank you op for the information. Caution must be taken and will be extent to friends and families.
legendary
Activity: 2268
Merit: 18771
Minor nitpick but all of them USE the internet none of them REQUIRE it.
Right right. But unless you have rooted your phone (which brings a whole host of other security risks) and can individually block specific permissions or specific apps, is there anyway to prevent these keyboard apps from accessing the internet any time you are connected? I suspect not.

Smart phones in general are awful for your privacy and security. Everyone should go in to their phone's permissions at some point and take a look at just how many apps can access your camera, your microphone, your files, your messages, your location, and so on. And for lots of these apps, if you try to disable these unnecessary permissions they will just refuse to work.
sr. member
Activity: 630
Merit: 314
CONTEST ORGANIZER
I think its more easy to think and use the corrects tools.

1- Never use a mobile wallet like your saves wallet.

2- Use mobile wallet only to and when you need to do some transfer or if you are gonna travel, and send from other wallets the X ammount you think you are gonna spend, nothing more and nothing less.

So, in the worst case scenario of a hacking you are not gonna lose so much or also nothing.

Anyways asides of my explanation, really good info you are spreading about the problem of third parties keyboard, people tends to trust so much in all.
hero member
Activity: 882
Merit: 800
Mobile wallets are not exactly the most secure wallets in the world, but in case you really have to use them, please keep in mind one very important piece of information.

DO NOT use third-party keyboards while you are using the wallet app!

Somebody has already been robbed because of this. You must only use the stock Android or Apple keyboard, and no others. Better if you uninstall all 3rd party keyboards completely. They collect all data you type on the keyboard at all times, which is a requirement for them to function properly, and there is no telling who is at the other end of the server!

What! Is this also applicable?
This is why one needs to be generally visiting most of the various section of this forum because, if I am not mistaken never posted over here or even have to come read things over here that much, opening this section and I found this topic make me feels I am missing a lot of things. But nevertheless, I won't enable any other keyboard from my phone apart from in-build keyboard, although I do love using customized theme just as a Go-Launcher with various style of theme color displayed including keyboard but with this post I won't dear to allow that happened again. Truly they said "Knowledge is power"!
Pages:
Jump to: