
Topic: WARNING when using mobile device wallets (Android, iOS) - page 3. (Read 693 times)

legendary
Activity: 3458
Merit: 6231
What about Samsung keyboard?
The same as I described above - closed sourced and operated by a huge corporation which makes large amounts of money from your data. I wouldn't trust it.

Gboard: https://reports.exodus-privacy.eu.org/en/reports/com.google.android.inputmethod.latin/latest/
SwiftKey: https://reports.exodus-privacy.eu.org/en/reports/com.touchtype.swiftkey/latest/

All of these keyboards require internet access. I wonder why? Roll Eyes

Minor nitpick but all of them USE the internet none of them REQUIRE it.

I have a 100% offline phone that I use as a 2fa device and a couple of other things. All apps have been side loaded on it and even though all wireless is broken, Gboard and Swiftkey and the stock Samsuck keyboard (when it was installed) worked fine.

You lose some features, but it's not 100% needed.

But, as I have been saying ALL PHONES NO MATTER WHAT THE BRAND ARE NOT SECURE. PERIOD. FULL STOP.

-Dave

hero member
Activity: 714
Merit: 1298
A wallet on an Android device is like a cheesecake for those who create malicious programs because it indicates that the user of the given mobile is interested in crypto, so his interest can be exploited for the attacker's convenience, for instance, for cryptocurrency mining. One of the latest cases is the discovery of CherryBlos and FakeTrade, "involved in cryptocurrency-mining and financially-motivated scam campaigns targeting Android users".
legendary
Activity: 2030
Merit: 2173
Professional Community manager
This is why others prefer desktop, and Hardware wallet for additional security,
Just like your mobile wallet, your desktop wallet can also be compromised with malware or viruses if you install a corrupted file on the device. As long as the device is not airgapped, it's at risk of any danger which is available on the internet; limiting the applications you install and only doing that through the official websites reduces the risk but does not eliminate it.

As a hot wallet you can use your regular device, as long as the amount you store there is small in comparison to how much it costs to buy a hardware wallet.

That is why if you are using your phone with wallets you should be very careful opening links, installing applications, and also scan your phone to be sure.
And if you can, don't actively use the phone that has your Bitcoin wallet.
hero member
Activity: 868
Merit: 1094

The Electrum keyboard on mobile phones is a virtual keyboard which is safer than the mobile phone keyboard. That is true, but I noticed that you are using the old Electrum wallet. The Electrum virtual keyboard looks different now and it does not allow screenshots.

For the update, it is https://electrum.org/#download
hero member
Activity: 532
Merit: 508
Go after the goal... Go!!! It is worth getting!
My hot wallet is on my mobile, and I don't usually keep a huge amount of assets in it for this kind of reason. I have read a similar warning like this before about downloading and using a third-party keyboard, and many of those apps are built by hackers with inbuilt malware that can be used to hack and steal someone's assets. After reading that information about a year ago, I had to uninstall about two of the ones I had on my phone. The reason I even had them was because of the fancy designs they had and also because they could allow one to pin numerous messages on the keyboard, but I never knew it was even going to cause more harm to me.
full member
Activity: 532
Merit: 125
Defend Bitcoin and its PoW: bitcoincleanup.com
Thanks OP for the information. There is a reason why I don't use a mobile phone and install a wallet, since one of my friends got hacked and lost his coins.
Just want to add to OP's post: sometimes our phones are already infected or compromised without us knowing. When we install an app, we allow or authorize it to access information on our phone; maybe malware was already there in the first place. This malware is sometimes attached to an application without us knowing, and is just waiting for the right time to strike and steal our funds.
This is why others prefer desktop and hardware wallets for additional security, but others who are more careful in installing applications, and wallet on mobile phones, especially those who experience and witness it before.
That is why if you are using your phone with wallets you should be very careful opening links, installing applications, and also scan your phone to be sure.
legendary
Activity: 2366
Merit: 1206
IMO, I've been using a mobile wallet for many years and never experienced hacking or someone getting access to my wallet, and it might be because, upon creation, I used my old laptop to generate a private key and then exported the key into my mobile wallet. I used Electrum, which has its own keyboard inside as explained above, so I think even if you're using a 3rd party keyboard it doesn't affect you if you also disable permissions for the 3rd party app; it's a good idea to review and restrict permissions to ensure that the keyboard doesn't have unnecessary access to sensitive data.

The most that should be avoided is jailbreaking (iOS) or rooting (Android) your device, as it can weaken the device's security and make it more susceptible to attacks.

However, I highly discourage anyone from using a mobile wallet app for long-term storage; it isn't a good idea because the wallet app has low-security features.
sr. member
Activity: 504
Merit: 421
I found Fleksy is also available on the Play Store, and they clearly mention that the app doesn't collect user data and we can trust them since it's a UK-registered company[1].

1. Privacy Policy of Fleksy by Thingthing Ltd.
I took some time to do some findings about Fleksy and it is not completely open source: Fleksy Acquired by Pinterest; Will Open-Source Some Components for the Benefit of the Blind. With the latest mobile wallet hack update, I'm no longer comfortable using the stock Android keyboard to import my seed phrase, so even the idea of using a third-party keyboard app like Fleksy is a no-go area for me. I think the best thing is to stick with wallets that support an inbuilt virtual keyboard, like the Electrum wallet, to avoid this kind of hack.
sr. member
Activity: 406
Merit: 443
Mobile wallets are not exactly the most secure wallets in the world, but in case you really have to use them, please keep in mind one very important piece of information.

Thanks for the tips, I might add to them:
  • Make sure that the keyboard does not get permissions to read files or clipboards, as your private data, such as addresses or even the private key, can be read from them.
  • Cancel the permissions for this keyboard to connect to the Internet, as it does not need to connect to the Internet.
  • Use open source sources.

Do not complete your wallet seed word, as by choosing the first two letters, the wallet can suggest several words and choose from them. I think that even if the keyboard is connected to the Internet, not completing the word will complicate the task for them a lot.

Somebody has already been robbed (https://bitcointalksearch.org/topic/m.62613622) because of this. You must only use the stock Android or Apple keyboard, and no others. Better if you uninstall all 3rd party keyboards completely.
Good wallets give you a keyboard inside the wallet. For example, I tried to create a new electrum wallet on my phone, and this is the keyboard.
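
The permission checks suggested in the post above can be scripted from a computer with adb; this is an added example, not part of any poster's message. The package names and sample command output are constructed, and the parsing assumes the usual layout of `ime list -s` and `dumpsys package` output.

```python
import subprocess

# Permissions the post above says a keyboard should not hold: network and file access.
FLAGGED = {
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

def enabled_keyboards(ime_list_output):
    """Package names from `ime list -s`, which prints one 'package/service' id per line."""
    return [line.split("/", 1)[0].strip()
            for line in ime_list_output.splitlines() if "/" in line]

def requested_permissions(dumpsys_output):
    """Permissions under each 'requested permissions:' header of `dumpsys package <pkg>`."""
    perms, in_section = set(), False
    for line in dumpsys_output.splitlines():
        entry = line.strip()
        if entry == "requested permissions:":
            in_section = True
        elif in_section and (not entry or entry.endswith(":")):
            in_section = False          # blank line or next header ends the section
        elif in_section:
            perms.add(entry.split(":", 1)[0])   # drop suffixes like ': restricted=true'
    return perms

def audit(ime_list_output, dumpsys_by_package):
    """Map every enabled keyboard package to the flagged permissions it requests."""
    return {pkg: requested_permissions(dumpsys_by_package.get(pkg, "")) & FLAGGED
            for pkg in enabled_keyboards(ime_list_output)}

def audit_device():
    """Run the same audit against the device currently attached over adb."""
    def adb(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    imes = adb("ime", "list", "-s")
    return audit(imes, {p: adb("dumpsys", "package", p) for p in enabled_keyboards(imes)})

# Constructed sample output; both packages are hypothetical.
SAMPLE_IMES = (
    "com.example.cloudkeyboard/.KeyboardService\n"
    "org.example.offlinekeyboard/.ImeService\n"
)
SAMPLE_DUMPS = {
    "com.example.cloudkeyboard": (
        "Packages:\n"
        "  Package [com.example.cloudkeyboard] (1a2b3c):\n"
        "    requested permissions:\n"
        "      android.permission.INTERNET\n"
        "      android.permission.VIBRATE\n"
        "      android.permission.READ_EXTERNAL_STORAGE: restricted=true\n"
        "    install permissions:\n"
        "      android.permission.INTERNET: granted=true\n"
    ),
    "org.example.offlinekeyboard": (
        "Packages:\n"
        "  Package [org.example.offlinekeyboard] (4d5e6f):\n"
        "    requested permissions:\n"
        "      android.permission.VIBRATE\n"
    ),
}

if __name__ == "__main__":
    for pkg, perms in audit(SAMPLE_IMES, SAMPLE_DUMPS).items():
        print(pkg, "->", ", ".join(sorted(perms)) or "no flagged permissions")
```

On stock Android, INTERNET is granted at install time and has no toggle in the permission settings, so a keyboard flagged for it generally has to be firewalled or uninstalled rather than having the permission switched off.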
legendary
Activity: 2030
Merit: 2173
Professional Community manager
I'm saying that if we don't trust Swiftkey which is owned by Microsoft, then we shouldn't trust stock Android (Google), stock Apple, stock Samsung and other keyboards.
As long as the keyboard can access your data and you cannot verify what they do with that data because they are a closed-source service, then you are at risk. It doesn't matter if it's a third party keyboard or a custom one, you don't trust; you should always verify what's going on.
legendary
Activity: 2268
Merit: 18509
It is very unlikely that that person got robbed because of this, so, to my mind, there is no connection between Swiftkey and lost coins.
I say as much in that thread. OP made a number of other mistakes which are more likely the cause of his lost coins. However, he did use SwiftKey to enter his seed phrase, and SwiftKey does sync everything you type in it to the cloud, meaning his seed phrase is absolutely stored on at least one (although more likely several) unknown servers in unknown locations with unknown security and accessible by unknown persons. That is a massive security risk.

So, to sum up, even stock keyboards aren't a good option to my mind!
Agreed. Hence my FOSS recommendations.

-snip-
My bad. I've removed the link. I searched for keyboard on the site you linked however and found nothing useful. And if it were actually open source, then why isn't the source available? Privately requesting source code is meaningless - they could send you any code they like and you cannot verify that the code they send matches the code running their devices.
legendary
Activity: 3234
Merit: 2943
Block halving is coming.
The same as I described above - closed sourced and operated by a huge corporation which makes large amounts of money from your data. I wouldn't trust it.

Gboard: https://reports.exodus-privacy.eu.org/en/reports/com.google.android.inputmethod.latin/latest/
Samsung Keyboard: https://reports.exodus-privacy.eu.org/en/reports/com.samsung.keyboard.themes/latest/
Swiftkey: https://reports.exodus-privacy.eu.org/en/reports/com.touchtype.swiftkey/latest/

All of these keyboards require internet access. I wonder why? Roll Eyes

The link you provided above for Samsung is the fake one; it contains Facebook ads and that's not the official one. They don't have a Samsung keyboard on the Google Play Store; you can only download it from the Galaxy Store.

And according to Samsung, if you are afraid for your privacy you can request the source code of their keyboard directly at https://opensource.samsung.com/

I'm using Samsung with all permissions denied, and I disabled smart typing and other features. It only requires the internet when there is a new update or you enable other 3rd party content like Google and Emoji.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Okay, Swiftkey is owned by Microsoft and is not a random trojan keyboard that you find in the Play Store. They may collect some of your data but personally, I don't think that Microsoft tries to steal seed phrases of their keyboard users. I don't want to look like I trust Microsoft, no, I know how shady they are, but I believe their aim is not to steal my coins because it would turn into a huge scandal and ruin their business (Okay, people don't care about privacy but they care when someone steals their money).

By the way, that's what I wanted to say in my post but I forgot. Electrum is an ideal wallet for android users and it comes with built-in keyboard, that's a way to go.

I'm not trying to imply that Microsoft steals seed phrases, but rather, that it is possible that some of the people whose job it is to analyze such collected data could have malicious intentions.

Quote
I'm saying that if we don't trust Swiftkey which is owned by Microsoft, then we shouldn't trust stock Android (Google), stock Apple, stock Samsung and other keyboards.

Ideally, your keyboard should not be sending any kind of data to 3rd party servers at all, whether it's spelling, predictive data or whatever. So if there is some setting in the keyboard you can find which disables all telemetry, then toggle it on and you should be OK. But there are many keyboards out there that collect such data and do not have such a switch. That's why I said you should stick to stock keyboards because I know they do have said switches you can turn off.

And maybe Swiftkey has such a switch too (I don't know, as I've never used it). But you wouldn't want to use some keyboard like Grammarly for example, which literally sends your keystrokes to them as advertised.
hero member
Activity: 854
Merit: 772
What about Samsung keyboard?
The same as I described above - closed sourced and operated by a huge corporation which makes large amounts of money from your data. I wouldn't trust it.

Gboard: https://reports.exodus-privacy.eu.org/en/reports/com.google.android.inputmethod.latin/latest/
Samsung Keyboard: https://reports.exodus-privacy.eu.org/en/reports/com.samsung.keyboard.themes/latest/
Swiftkey: https://reports.exodus-privacy.eu.org/en/reports/com.touchtype.swiftkey/latest/
Okay, I'll be more concrete about my view:
OP says that somebody has already been robbed because of using 3rd party keyboard, in this case, Swiftkey. It is very unlikely that that person got robbed because of this, so, to my mind, there is no connection between Swiftkey and lost coins.
But this view of mine doesn't mean that I'm saying we should use 3rd party apps. I don't even agree with OP about using custom Android/Apple keyboards because if we think that Swiftkey is a reason for his loss, then Apple or Google aren't any different from Microsoft. So, to sum up, even stock keyboards aren't a good option to my mind!

Definitely I agree with OP about using wallet that comes with built-in open-source keyboard!
legendary
Activity: 2268
Merit: 18509
What about Samsung keyboard?
The same as I described above - closed sourced and operated by a huge corporation which makes large amounts of money from your data. I wouldn't trust it.

Gboard: https://reports.exodus-privacy.eu.org/en/reports/com.google.android.inputmethod.latin/latest/
SwiftKey: https://reports.exodus-privacy.eu.org/en/reports/com.touchtype.swiftkey/latest/

All of these keyboards require internet access. I wonder why? Roll Eyes

I found Fleksy is also available on the Play Store, and they clearly mention that the app doesn't collect user data and we can trust them since it's a UK-registered company[1].
This is next to meaningless. Every big corporation has been caught breaching their privacy policy. They all gather data they aren't supposed to.

They may collect some of your data but personally, I don't think that Microsoft tries to steal seed phrases of their keyboard users.
No, I don't think Microsoft are deliberately trying to steal seed phrases. But if your keyboard is syncing what you type with random third party servers, then that is a massive security risk and you have no idea who else is going to be able to access that data.

I'm saying that if we don't trust Swiftkey which is owned by Microsoft, then we shouldn't trust stock Android (Google), stock Apple, stock Samsung and other keyboards.
Correct. If it's closed, then don't use it.

There are FOSS alternatives such as Openboard, AnySoftKeyboard, and Florisboard.
hero member
Activity: 854
Merit: 772
What about Samsung keyboard? Samsung smartphones come with it. Windows Phones came with Microsoft's Word Flow keyboard app and Swiftkey belongs to MS too. While I absolutely agree with the advice that you give here, I still don't think that that would be an issue for that person.

The person I quoted in the OP was robbed while using Swiftkey, so I really do mean it when I say only use those keyboards that ship in stock Android and iOS. And as o_e_l_e_o said, built-in open-source keyboards in wallet apps are even better - although you should NOT be storing crypto on a Windows Phone, because those devices don't get security updates anymore.
Okay, Swiftkey is owned by Microsoft and is not a random trojan keyboard that you find in the Play Store. They may collect some of your data but personally, I don't think that Microsoft tries to steal seed phrases of their keyboard users. I don't want to look like I trust Microsoft, no, I know how shady they are, but I believe their aim is not to steal my coins because it would turn into a huge scandal and ruin their business (Okay, people don't care about privacy but they care when someone steals their money).

By the way, that's what I wanted to say in my post but I forgot. Electrum is an ideal wallet for android users and it comes with built-in keyboard, that's a way to go.

What about Samsung keyboard? Samsung smartphones come with it. Windows Phones came with Microsoft's Word Flow keyboard app and Swiftkey belongs to MS too. While I absolutely agree with the advice that you give here, I still don't think that that would be an issue for that person.
What are you saying? When you go to the app store and download a cloned one, that would be when you will realize that you are wrong. Even if you are good at knowing the right one, not everyone knows the right one. NotATether said you should not download a third party keyboard, which is the right thing to say. Or what are you expecting from him again? All phones come with their own keyboard.
I'm saying that if we don't trust Swiftkey which is owned by Microsoft, then we shouldn't trust stock Android (Google), stock Apple, stock Samsung and other keyboards.

If one doesn't download malicious apps, doesn't visit unknown websites, doesn't connect to public wi-fi, doesn't root smartphone, doesn't install custom ROMs without research and doesn't give unlocked smartphone to friends or strangers, then I think you won't get any problem, especially if you don't own a lot of bitcoins.
You must be joking. If you are using a mobile phone and it is connected online, store just a little amount of bitcoin on it; the rest should be on cold wallets.
I don't say that you should use an internet-connected phone as a cold wallet. I'm saying that it's pretty safe to hold some coins on your smartphone and it's not necessary to worry if you follow some rules of what to do and what not to do.
hero member
Activity: 2310
Merit: 757
Bitcoin = Financial freedom
I am using the Android keyboard. I use it to report some posts with the same sentence, like 'not bitcoin discussion related, move to trading discussion'. Did you know that all I need to put down is 'not bitcoin', and all the other words will be suggested and I just need to click on them one by one to make the complete sentence? Third party keyboards are the worst, but the ones that come on the phones should not be trusted. I have heard of something like this being used before to compromise someone's wallet too. One of the best ways to verify a seed phrase is a virtual keyboard.

If I am not wrong, Gboard is the stock keyboard that comes with most Android devices, and we all know what Google loves to do with users' privacy, so definitely it can't be trusted. However, Google claims that:
What Gboard doesn’t send to Google:

Everything else. Gboard will remember words you type to help you with spelling or to predict searches you might be interested in, but this data is stored only on your device. This data is not accessible to Google or to any apps other than Gboard.

Keep in mind that privacy policies can change, so Google might opt for more tracking in the future.

I found Fleksy is also available on the Play Store, and they clearly mention that the app doesn't collect user data and we can trust them since it's a UK-registered company[1].

1. Privacy Policy of Fleksy by Thingthing Ltd.



hero member
Activity: 868
Merit: 1094
What about Samsung keyboard? Samsung smartphones come with it. Windows Phones came with Microsoft's Word Flow keyboard app and Swiftkey belongs to MS too. While I absolutely agree with the advice that you give here, I still don't think that that would be an issue for that person.
What are you saying? When you go to the app store and download a cloned one, that would be when you will realize that you are wrong. Even if you are good at knowing the right one, not everyone knows the right one. NotATether said you should not download a third party keyboard, which is the right thing to say. Or what are you expecting from him again? All phones come with their own keyboard.

If one doesn't download malicious apps, doesn't visit unknown websites, doesn't connect to public wi-fi, doesn't root smartphone, doesn't install custom ROMs without research and doesn't give unlocked smartphone to friends or strangers, then I think you won't get any problem, especially if you don't own a lot of bitcoins.
You must be joking. If you are using a mobile phone and it is connected online, store just a little amount of bitcoin on it; the rest should be on cold wallets.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
What about Samsung keyboard? Samsung smartphones come with it. Windows Phones came with Microsoft's Word Flow keyboard app and Swiftkey belongs to MS too. While I absolutely agree with the advice that you give here, I still don't think that that would be an issue for that person.

The person I quoted in the OP was robbed while using Swiftkey, so I really do mean it when I say only use those keyboards that ship in stock Android and iOS. And as o_e_l_e_o said, built-in open-source keyboards in wallet apps are even better - although you should NOT be storing crypto on a Windows Phone, because those devices don't get security updates anymore.
mk4
legendary
Activity: 2716
Merit: 3817
🪸 NotYourKeys.org 🪸
And ultimately, only use mobile (and desktop) wallets on personal devices as hot wallets. Imagine storing your life savings on a device that could easily be compromised!

For 99% of people: Desktop wallets < Mobile wallets < Hardware wallets
Regular mobile and desktop wallets? Sure, definitely, but an airgapped computer is one of the most secure ways to store bitcoins.

Yes, hence I said "for 99% of people" — because only a very small minority actually knows how to correctly setup an air-gapped device, and they most definitely don't need my security advice.