Topic: WARNING when using mobile device wallets (Android, iOS) (Read 693 times)

I can only speak for myself here and I don't think I would have to remember it to switch to a privacy oriented keyboard app when I have to enter some sensitive data. My mobile phone makes it easy to switch between installed keyboards and I'm used to do it, too. If you care about confidentiality of sensitive data, then it should be a no-brainer to switch to the proper keyboard.

As libert19 said, you can color Simple Keyboard mostly to your liking.

By clicking 'keyboard' icon at bottom right, this icon will appear whenever you are in text input field [1]. You can disable default keyboard, I have Google keyboard in my device but it's disabled, so it doesn't appear in keyboard list [1].

Simple keyboard supports themes [2].

---

[1] https://www.talkimg.com/image/MEflf

[2] https://www.talkimg.com/image/MEJ6Z

That would be the ideal solution for wallets that do not utilize their own keyboards. But the only problem at this point would be, how do you remember to use the simple keyboard for the wallet, if you were using the default keyboard for the past two hours inside other apps? Let's assume there are no other 3rd party keyboards. As far as I know, the default keyboard can't be disabled, so maybe if there was the ability to change the color of this simple keyboard, which should be possible since it's open source, then it would be easier to remember which one to use it for wallets.

This is important and preferable as long as the software wallet itself is also open-source. Electrum does this on Android devices. I haven't checked other common and reputable software wallet apps for Android like Bluewallet or Unstoppable with respect to private virtual keyboard usage yet. (I try to avoid having a hot wallet on my mobile phone for more than pocket money amounts).



Here's the open-source code on Github for Simple Keyboard and the app is also available on F-Droid.

On mobile devices that use some sort of input method apps, aka keyboard apps, it's crucial to have a secure keyboard app that doesn't spread input data all over the manufacturer's cloud or backend (or Google's/Apple's). Probably every current modern mobile phone has a too fancy keyboard apps that likely don't respect your input's privacy at all. I wouldn't want to enter any important and valuable wallet's mnemonic words for setup/recovery with any pre-installed keyboard app that has typing correction or swipe features.
(Yes, such features can all be implemented locally and securely, but can or do you trust big companies?)

Keyboard can collect and share data if it's granted Internet access, block it using firewall app like NetGuard [1] (some android skins have this functionality built-in). Of course this will restrict the functionality and some keyboard apps might even refuse to open until you grant Internet access.

Or you may use barebone keyboard apps like Simple Keyboard [2] which doesn't require Internet acess in first place.

---

[1] NetGuard

[2] Simple Keyboard

I don't think sticking to the default or stock keyboard app of the smartphone would be the best piece of advice. For example, Google also collects all kinds of data. That's why those keyboard apps can even try to predict the word you wanted to type but misspelled it, and what you might type next.

I would rather suggest one only chooses to use software wallets that have their own virtual keyboards for typing in passwords, seeds...

That's interesting. I never thought those cool font changing keyboards could be disaster like this? I believe this has got something to do with the key loggers type of application where one can remotely watch what is being typed on the other devices if they have those tracking software's installed.

Obviously if we are installing these keyboards then they will give us notifications that what permission to set and let me guess reading and writing data on the device would be first requisite since it is a keyboard.

I am pretty sure one can only be cautious about the app authenticity but the audacity is they will have five star reviews and let me guess they are also from cheap paid task sites and mostly bought one. Definitely no other way but to stick to original apps within our smartphones OR lets just switch to the Hardware Wallet and Paper Wallets. Best on the market so far. 

No i only mention one browser like an example nothing to do with Opera.


[/quote]
Yeah i tried it when it was released and..... i never try something worst, also normal pages cant be accessed. THe speed? we normally can expect lower speed on VPN, but this its beyond low.

 I dont know that fact about chinesse consortium, but any VPN its something shady, one day i see some video who show 90% of the VPN are owned by ex Mossad and IDF guys.....

Somewhat off topic, but Opera have a built in free VPN which is absolute trash (just like every other free VPN), not to mention being owned by a Chinese consortium with links to the CCP. I wouldn't trust it for a second.

Some browsers like Chrome and Opera spy on you constantly, sure, but not all browsers. Just use Tor or Firefox instead.

No one can guarantee that. The difference is that if you want to and know how to, you can check what the software does and what was changed in the newer versions. There are no guarantees that the code is safe or free of bugs and vulnerabilities. Turn off automatic updates and download those that you want manually. Most people don't have the skills to check and read code. The best you can do then is to wait with installing the newer versions until some weeks or even months have passed. If no one reports anything suspicious, go ahead and upgrade. I doubt keyboard apps have many updates anyways. There isn't much to update. 

I don't think that's news though. Browsers always collect user data regardless of what keyboard apps you are using. I don't recall any popular Android/iOS browser having its own secure keyboard. Even if they do, we can't tell if they really keep no log or just log you as usual. You can probably avoid extensive logging with open-source and privacy-oriented browsers or keyboard apps just like mentioned before. CMIIW.

Google used to be strictly "don't be evil". We all know how that went.

Assume that all data being collected and sent over the network is being stored somewhere where it can either be hacked or sold to third parties, who will basically do whatever they want with it.

But why is Opera included in the mix? I'm curious, since they just have a browser AFAIK (and might track you through that, rather than through a keyboard).

Yes indeed, also this its really easy to check to anyone, when you start to type or type in the Gboard in your cellphone you can see the three words recomendation to autofill by Gboard and..... yes that words are the words you sometimes write, so they are really know what you are typing.

One time i made a experiment and start to write seed words (not real ones) and after that when i put that word on other things not related, i can see in the suggestion of Gboard the next words.... nothing more to say.

And plus now with the IA integration, with dont have so much run to run, because with AI they are gonna say, "to help you we learn what are you typing and bla bla bla" and the regular people are gonna still gift their privacy even more.

One last thing i have to say or noted, maybe its only me in conspiracy, but the explorers on mobiles are also tracking us in the keyboard?, i mean they also read what we are typing no matter the keyboard its from other source? Example its Opera collecting what im typing asides o using a Gboard? i think YES. What its you point of view?

On desktops, the keyboard is hardware and cannot be rewired to do other stuff.

But on phones and tables, the keyboard is software based, and not only that, but developers can make their own keyboards, some of which violate privacy by collecting all kinds of data about you to sell. And it may just so happen that that they sell this data to malicious entities, where even anonymizing your key strokes will not protect you, because other people don't need to know who was typing it, just what was typed.

You mean open source keyboards? o_e_l_e_o already mentioned three in the first page of this thread: Openboard, AnySoftKeyboard, and Florisboard.

I will rather have the problem of needing to check the source code than having no clue what goes on whatsoever.
Even if you cannot check the codes directly, following regular updates will give you a heads up if anything changes, but with closed source keyboards or platforms in general you have no clue.

- Jay

I think yes and no at the same time, you ended up in a cul de sac. Can you please say some third reliable keyboard partie? Also if you can, you can use them, b ut in  the long run who can assure you they are not gonna change something and make a backdoor in one update? and yes you can check that, but are you gonna be always checking every update in a cellphone? most people no.

Yes, they are closed source and collect user information based on what you type presenting a security risk.
Go for free and open source alternatives.

Yuu should always. Not just a quick glance at the first and last few words, but a whole look at the two addresses, i.e, where you are copying from and where you are pasting too.

- Jay -

Does google keyboard(gkeyboard) and swiftkey keyboard counts on what to avoid for 3rd party keyboards. I’m using wallet software most of the time and I’m not aware that there’s still a possibility to hack my wallet through the use of tools outside the wallet.

I rarely check my wallet address that I copy when using mobile phone. Thanks for the heads up.

If a hot wallet is all you can use, then they can still be relatively secure if you take all the sensible precautions. One of those precautions is not importing your seed phrase in to multiple different pieces of software. Choose a good piece of wallet software such as Electrum, use it to generate a new wallet and write down your seed phrase, and then never enter that seed phrase in to any other wallet unless you are recovering your coins in an emergency.

And yes, that hardware will be absolutely fine with Cinnamon.

Because I may be a newbie who doesn't have enough knowledge about hot,cold,hardware wallet. I'm still new to this. And secondly I don't own any hardware wallet, where I live I don't think I can get my hands on these kind of tools. (If they support international purchase and stuff then I think I can buy those)

I'll try to follow the advice you gave about 'creating a new address and sending coins'.

Specs: core i5 9gen 8gb ram 250gb ssd ( I think I have enough hardware to support cinnamon, I'll give it a try.)

The real question is: Why are you importing it?

I have a mobile hot wallet, for which I accept the poor security of hot wallets because of the convenience they bring. In this wallet I store a small amount of bitcoin I can afford to lose. That's my only hot wallet. I don't need to import it anywhere else, because it's already on my phone. If I needed to change phones, then I'll set up a new wallet and send the coins across.

For every other wallet I own, of which there are many, there is almost no scenario in which I would ever import the seed phrase on to a phone. These are a variety of cold wallets, paper wallets, hardware wallets, etc. I have never imported one of these wallets to a phone, and if I ever did, then that wallet is immediately compromised and insecure.

If you are looking for the closest feel to Windows, and your computer isn't ancient, then Cinnamon. If you need something light on resources for older devices, then MATE or Xfce will be better.

No, no, it's not like that, you can feel very safe and secure. You have to ask yourself questions like how many bitcoins you hold, you have to know your neighborhood, friends, etc. If you don't live near Silicon Valley and your friends aren't top hackers or scammers or thieves, then you can feel safe and secure with your coins. You guys love too much drama, if you follow basic security advices, your wallet and coins will be very secure. Use airgapped computer, nothing will happen. I even bet, if you connect to internet with your computer and only visit websites like Youtube, twitter, facebook, instagram, won't click on ads and won't visit malicious/unknown websites, won't download pirated software and so on, I bet your wallet will be secure. It won't be a cold wallet anymore but even if you take care of hot wallet, you can feel very secure.

And tip! Follow o_e_l_e_o's advices, he is a great guy and knows what he says.

o_e_l_e_o is suggesting not to enter your seed phrase on a non-airgapped device.
If you create your wallet on an airgapped device using a safe tool and never enter your seed phrase on a non-airgapped device, you can be sure that there's no way for hackers to gain access to your seed phrase.

Then how am I suppose to import the wallet? Little confused here. I have to type in the passphase, don't it?


There are 3 version of mint? Which one did you use or prefer?

There is a much simpler solution to all the issues being raised here about keyboard apps: Don't type your seed phrase in anywhere. Simple. If I type any seed phrase in to any non-airgapped device ever, I immediately consider it compromised.

Moving from Windows to Linux is always a good idea, but as I said above, don't think that making this one change suddenly makes all your wallets secure. If you have a bit of technical knowledge, then I would suggest using Debian. If you don't, then I would suggest Mint since it is the closest in look and feel to Windows and relatively easy to set up and use.

By the looks of it now I think I need to be a software developer. That way I can build my own keyboard and use it to import export my keys. Without this I have no other ways. I will always be in risk of being hacked. Currently I'm using stock keyboard with Custom Rom installed on my phone (Not stock OS). And you guys talking about security over a simple keyboard!! Now I think even the OS isn't even secure enough. Yes Android maybe Open source but many company doesn't use pure Android os, rather they would modify it and give it a custom skin job as they prefer.

BTW anyone use any linux distro? I was thinking to shift from Windows to Linux. Any suggestion?

Not at all. There are plenty of secure ways to store your keys, but a hot wallet is never one of them.

So use a hardware wallet where all the hardware and software is open source, such as Passport. Should they come under pressure to implement backdoors or similar, that will be viewable in the code.

A good Linux distro will be safer than Windows or MacOS, but simply using Linux does not make your wallets magically impenetrable. It is a single part of a good security set up.

That means our bitcoins are never safe even when we store them in the most secure ways. Even hardware wallets because they are produced and distributed by centralized companies, and they can come under pressure from the government at any time.

I've never used Linux before, but I've heard people say it's an open source operating system. So is it safe for me to use Electrum in conjunction with the Linux operating system?

If Linux is really secure, then setting up an air-gapped wallet is the safest for us.

This is a completely false sense of security. Any decent malware can just wait until internet access is reestablished in order to transmit data. Devices are either airgapped or they are not. There is no such thing as this temporary airgap that people talk about.

The stock OSs which come pre-installed on phones are almost all closed source, so the answer is generally no, unless you are one of the few people using phones such as PinePhone or Librem.

You are right when you say that mobile phones are, to put it mildly, not the safest. If possible, you should minimize the interaction with cryptocurrencies using mobile devices. If you store crypto on it, then only for pocket expenses, which you are ready to part with at any moment.

If desktop devices can be customized at your own discretion (choose an OS, programs and check their code), then in mobile devices the OS is preinstalled and all that remains is to believe the manufacturer's security assurances.


There are no guarantees that stock Android devices (especially from Chinese manufacturers) don't collect data either.


Updates on Windows Phone are no longer released, but this may play into the hands. There are relatively few such devices, and therefore, will attackers want to spend time and effort creating malicious programs for outdated, unpopular, moreover, dead operating systems? It seems to me that it is easier for them to concentrate on Android and iOS, where, due to the mass character, they will be able to find their victims. And Windows Phone, at best, is used by one and a half Johns around the world, and even those who don't have cryptocurrencies on these phones.

What are your thoughts on feature phones, like the blackberry with an external keyboard and the like? Astro Slide 5G Transformer, for example (although who knows what apps will be preinstalled here).

You are not trusting that either, rather you are trusting verifying that electrum does not remotely store your private keys which will leave it exposed to be stolen. Even if the OS says they are not monitoring your data, they most likely are, what you have to do is limit to a minimum the amount of data they can access.

But as suggested above using an airgapped device or an open source hardware wallet like Passport is your safest option, cause the OS plays a huge role in the security of the applications that are run on them.

- Jay -

Hot wallets are very prone to hacking, even if you use an open source OS only a small amount of funds should be held in a hot wallet. You should use either a hardware wallet to store your main funds or a properly set up air-gapped wallet that will never be connected to the internet, with a Linux based OS installed. If you use a cold storage set-up to store your funds, you can then install apps you want on your online device because it does not hold any of your funds, except maybe a small amount of it for daily transactions.

I use Gboard with all my mobile devices, both iOS and Android driven. I suppose Apple doesn’t even know what I type. Probably it’s even a little bit safer than using different stock keyboards with different mobile devices.

I have a question, if we can't trust the stock Android or Apple keyboard, can we trust their operating system or hardware product? Because we are also using their phone or computer to install Electrum. I am using Iphone, and everytime I install 3rd party app, they ask me if I allow the app to track me or not. Maybe Apple is trying to protect their customers' privacy from 3rd parties, but when I download their apps I don't see any warning. I suspect that it is entirely possible that they secretly collect user data.

You are describing an online web wallet here, which is unsafe to begin with and one should not even think of using a web wallet to store their BTC. In a web wallet you do not control your keys and your funds can be easily be hacked because it is online, there are enough open source software and hardware wallets like Electrum, Sparrow and Passport that you can use to hold your coins. And if you are using a good self custody wallet, it is obvious that you should not use your seed phrase or private key to import you wallet into any unsafe device or one that is not yours.

I'm glad you now know the harm they can cause you because they are not worth it. One of the ways hackers get access to your phone and wallet is through malware-infested apps and google playstore is good place where most of these apps are dumped by hackers. Stay clear off fancy keyboards and launchers, only use stock android keyboard, limit the way you give permissions to third party apps and when importing your seed phrase make sure your phone is not connected to the internet

Add it to what the op has said, don't use third party desktop, laptop and mobile phone to login your wallet accounts because most of those guys, your friends, and family members set their devices autofill, that is automatically saved the username and the password so even though you logout from the device at the moment, once the person went to the browser/app and a click in the login box, all your details appear and once he clicks the username, the password would automatically refill in the box and the person will login to your wallet. I have heard this one before but for the keyboard this is the first time I am hearing it. Thank you op for the information. Caution must be taken and will be extent to friends and families.

Right right. But unless you have rooted your phone (which brings a whole host of other security risks) and can individually block specific permissions or specific apps, is there anyway to prevent these keyboard apps from accessing the internet any time you are connected? I suspect not.

Smart phones in general are awful for your privacy and security. Everyone should go in to their phone's permissions at some point and take a look at just how many apps can access your camera, your microphone, your files, your messages, your location, and so on. And for lots of these apps, if you try to disable these unnecessary permissions they will just refuse to work.

I think its more easy to think and use the corrects tools.

1- Never use a mobile wallet like your saves wallet.

2- Use mobile wallet only to and when you need to do some transfer or if you are gonna travel, and send from other wallets the X ammount you think you are gonna spend, nothing more and nothing less.

So, in the worst case scenario of a hacking you are not gonna lose so much or also nothing.

Anyways asides of my explanation, really good info you are spreading about the problem of third parties keyboard, people tends to trust so much in all.

What! Is this also applicable?
This is why one needs to be generally visiting most of the various section of this forum because, if I am not mistaken never posted over here or even have to come read things over here that much, opening this section and I found this topic make me feels I am missing a lot of things. But nevertheless, I won't enable any other keyboard from my phone apart from in-build keyboard, although I do love using customized theme just as a Go-Launcher with various style of theme color displayed including keyboard but with this post I won't dear to allow that happened again. Truly they said "Knowledge is power"!

Minor nitpick but all of them USE the internet none of them REQUIRE it.

I have a 100% offline phone that I use as a 2fa device and a couple of other things. All apps have been side loaded on it and even though all wireless is broken, Gboard and Swiftkey and the stock Samsuck keyboard (when it was installed) worked fine.

You loose some features, but it's not 100% needed.

But, as I have been saying ALL PHONES NO MATTER WHAT THE BRAND ARE NOT SECURE. PERIOD. FULL STOP.

-Dave

Wallet on Android device  is  like a cheesecake for those who create malicious programs because it indicates that user of  given mobile is  interested in crypto thereby his interest can be exploited to make a convenience of attacker, for instance, for cryptocurrency mining. One of the latest case is discovering of CherryBlos and FakeTrade, ^{"involved in cryptocurrency-mining and financially-motivated scam campaigns targeting Android users".}

Just like your mobile wallet, your desktop wallet can also be compromised with malware's or virus if you install a corrupted file on the device. As far as the device is not airgapped than it's at risk of any danger which is available on the internet, limiting the applications you install and only doing that through the official websites reduce the risk but does ko eliminate it.

As a hot wallet you can use your regular device, as long as the amount you store there is small in comparison to how much it costs to buy a hardware wallet.

And if you can don't actively use your phones that have your Bitcoin wallet.

Electrum keyboard on mobile phones is a virtual keyboard which is safe than the mobile phone keyboard. That is true but I noticed that you are using the old Electrum wallet. Electrum virtual keyboard looks different now and it does not allow screenshot.

For update, it is https://electrum.org/#download

My hot wallet is on my mobile, and I don't usually keep a huge amount of asset in it for this kind of reason. I have read a similar warning like this before about downloading and using a third-party keyboard, and many of those apps are built by hackers with inbuilt malware that can be used to hack and steal someone's assets. After reading that information about a year ago, I had to uninstall about two of the ones I had on my phone. The reason I even had them was because of the fancy designs they had and also because they could allow one to pin numerous messages on the keyboard, but I never knew it was even going to cause more harm to me.

Thanks op for the information, there is a reason why i dont use mobile phone and install wallet, since one of my friend got hack and lost his coins.
Just want to add to OP post, sometimes our phone are already infected or compromise without knowing, when we install app, we allow or authorize them to access information in our phone, maybe a malware has already there in the first place, this malware are sometimes attach to an application, without us knowing, and is just waiting for the right time to strike, and steal our funds.
This is why others prefer desktop, and Hardware wallet for additional security, but others who are more careful in installing applications, and wallet on mobile phones, especially those who experience and witness it before.
That is why if you are using you phone with wallets you should be very careful opening links, installing applications, and also scan your phones to be sure.

IMO, I'm using a mobile wallet for how many years I never experience hacking or someone getting access to my wallet and it might be because, upon creation, I used my old laptop in generating a private key and then export the key into my mobile wallet.  I used Electrum which has its own keyboard inside as explained above, so I think even if you're using 3rd party keyboard it didn't affect you if you also disable permissions for the 3rd party app, it's a good idea to review and restrict permissions to ensure that the keyboard doesn't have unnecessary access to sensitive data.

The most that should be avoided is jailbreaking (iOS) or rooting (Android) your device, as it can weaken the device's security and make it more susceptible to attacks.

However, I highly discourage someone from using a mobile wallet app storing for the long term, isn't a good idea because the wallet app has low-security features.

I took some time to do some findings about Fleksy and it is not completely open source: Fleksy Acquired by Pinterest; Will Open-Source Some Components for the Benefit of the Blind. With the latest mobile wallet hack update, I'm no longer comfortable using the stock android keyboard to import my seed phrase, so even the idea of using a third-party keyboard app like Fleksy is a no go area for me. I think the best thing is to stick with wallets that support inbuilt virtual keyboard like electrum wallet to avoid this kind of hack.

Thanks for the tips, I might add to them:

• Make sure that the keyboard does not get permissions to read files or clipboards, as your privacy such as addresses or even the private key can read them.
• Cancel the permissions for this keyboard to connect to the Internet, as it does not need to connect to the Internet.
• Use open source sources.

Do not complete your wallet seed word, as by choosing the first two letters, the wallet can suggest several words and choose from them. I think that even if the keyboard is connected to the Internet, not completing the word will complicate the task for them a lot.

Good wallets give you a keyboard inside the wallet. For example, I tried to create a new electrum wallet on my phone, and this is the keyboard.

As long as the keyboard can access your data and you cannot verify what they do with that data cause they are a close source service then you are at risk. It doesn't matter if it's a third party keyboard or a custom one, you don't trust; you should always verify what's going on.

I say as much in that thread. OP made a number of other mistakes which are more likely the cause of his lost coins. However, he did use SwiftKey to enter his seed phrase, and SwiftKey does sync everything you type in it to the cloud, meaning his seed phrase is absolutely stored on at least one (although more likely several) unknown servers in unknown locations with unknown security and accessible by unknown persons. That is a massive security risk.

Agreed. Hence my FOSS recommendations.

My bad. I've removed the link. I searched for keyboard on the site you linked however and found nothing useful. And if it were actually open source, then why isn't the source available? Privately requesting source code is meaningless - they could send you any code they like and you cannot verify that the code they send matches the code running their devices.

The link you provided above for Samsung is the fake one it contains Facebook ads and that's not the official one they don't have a Samsung keyboard on Google Playstore you can only download them on Galaxy store.

And According to Samsung if you are afraid of your privacy you can request a source code of their keyboard directly at https://opensource.samsung.com/

I'm using Samsung all permission is denied and I disabled smart typing and other features. It only requires the internet when there is a new update or you enable other 3rd party content like Google and Emoji.

I'm not trying to imply that Microsoft steals seed phrases, but rather, that it is possible that some of the people whose job it is to analyze such collected data could have malicious intentions.


Ideally, your keyboard should not be sending any kind of data to 3rd party servers at all, whether it's spelling, predictive data or whatever. So if there is some setting in the keyboard you can find which disables all telemetry, then toggle it on and you should be OK. But there are many keyboards out there that collect such data and do not have such a switch. That's why I said you should stick to stock keyboards because I know they do have said switches you can turn off.

And maybe Swiftkey has such as switch too (I don't know, as I've never used it). But you wouldn't want to use some keyboard like Grammarly for example, which literally sends your keystrokes to them as advertised.

Okay, I'll be more concrete about my view:
OP says that somebody has already been robbed because of using 3rd party keyboard, in this case, Swiftkey. It is very unlikely that that person got robbed because of this, so, to my mind, there is no connection between Swiftkey and lost coins.
But this view of mine doesn't mean that I'm saying we should use 3rd party apps. I don't even agree with OP about using custom Android/Apple keyboards because if we think that Swiftkey is a reason of his loss, then Apple or Google aren't any different from Microsoft. So, to sum up, even stock keyboards aren't a good option to my mind!

Definitely I agree with OP about using wallet that comes with built-in open-source keyboard!

The same as I described above - closed sourced and operated by a huge corporation which makes large amounts of money from your data. I wouldn't trust it.

Gboard: https://reports.exodus-privacy.eu.org/en/reports/com.google.android.inputmethod.latin/latest/
SwiftKey: https://reports.exodus-privacy.eu.org/en/reports/com.touchtype.swiftkey/latest/

All of these keyboards require internet access. I wonder why?

This is next to meaningless. Every big corporation has been caught breaching their privacy policy. They all gather data they aren't supposed to.

No, I don't think Microsoft are deliberately trying to steal seed phrases. But if your keyboard is syncing what you type with random third party servers, then that is a massive security risk and you have no idea who else is going to be able to access that data.

Correct. If it's closed, then don't use it.

There are FOSS alternatives such as Openboard, AnySoftKeyboard, and Florisboard.

Okay, Swiftkey is owned by Microsoft and is not a random trojan keyboard that you find in play store. They may collect some of your data but personally, I don't think that Microsoft tries to steal seed phrases of their keyboard users. I don't want to look like I trust Microsoft, no, I know how shady they are but I believe their aim is not to steal my coins because it turn into a huge scandal and ruin their business (Okay, people don't care about privacy but they care when someone steals their money).

By the way, that's what I wanted to say in my post but I forgot. Electrum is an ideal wallet for android users and it comes with built-in keyboard, that's a way to go.

I'm saying that if we don't trust Swiftkey which is owned by Microsoft, then we shouldn't trust stock Android (Google), stock Apple, stock Samsung and other keyboards.

I don't say that you should use an internet-connected phone as a cold wallet. I'm saying that it's pretty safe to hold some coins on your smartphone and it's not necessary to worry if you follow some rules of what to do and what not to do.

If I am not wrong Gboard is the stock keyboard comes with most of the android devices and we all knows that what Google loves to do with the users privacy so definitely it can't be trusted. However Google claims that

I found fleksy also available on playstore and they clearly mentioned that app doesn’t collect user data and we can trust them since its UK-registered company[1].

1. Privacy Policy of Fleksy by Thingthing Ltd.

What are you saying? When you go to app store and download a cloned one would be when you will realize that you are wrong. If you are good to know the right one, not everyone knows the right one. NotATether said you should not download third party keyboard which is the right thing to say. Or what are you expecting from him again? All phones comes with their own keyboard.

You must be joking. If you are using a mobile phone and it is connected online, store just little amount of bitcoin on it, the rest should be on cold wallets.

The person I quoted in the OP was robbed while using Swiftkey, so I really do mean it when I say only use those keyboards that ship in stock Android and iOS. And as o_e_l_e_o said, built-in open-source keyboards in wallet apps are even better - although you should NOT be storing crypto on a Windows Phone, because those devices don't get security updates anymore.

Yes, hence I said "for 99% of people" — because only a very small minority actually knows how to correctly setup an air-gapped device, and they most definitely don't need my security advice.

What about Samsung keyboard? Samsung smartphones come with it. Windows Phones came with Microsoft's Word Flow keyboard app and Swiftkey belongs to MS too. While I absolutely agree with the advice that you give here, I still don't think that that would be an issue for that person.

If one doesn't download malicious apps, doesn't visit unknown websites, doesn't connect to public wi-fi, doesn't root smartphone, doesn't install custom ROMs without research and doesn't give unlocked smartphone to friends or strangers, then I think you won't get any problem, especially if you don't own a lot of bitcoins.


Regular mobile and desktop wallets? Sure, definitely but airgapped computer is one of the most secure way to store bitcoins.

And ultimately, only use mobile (and desktop) wallets on personal devices as hot wallets. Imagine storing your life savings on a device that could easily be compromised!

For 99% of people: Desktop wallets < Mobile wallets < Hardware wallets

Thanks  for the security update. When using a mobile wallet connected to the internet, it's essential to know about some do's and don'ts to keep your funds safe. The internet has many harmful software like bugs or phishing attempts that can access your personal data without permission or even your consent. So we all have to be cautious with third-party software and carefully review the permissions they require before installing them.
For me, I see no reason why I would want to change my current keyboard and install another. Using the built-in keyboard is safer and avoids potential risks or issues that may affect your device's functionality. So please let's all stay safe and away from malwares.

I am using Android keyboard. I use to report some posts with the same sentence like 'not bitcoin discussion related, move to trading discussion. Did you know that only what I just need to put down is 'not bitcoin, and all other words will be suggested and I just need to click on them one by one to make the complete sentence. Third party key boards are the worst, but those ones that come on the phones should not be trusted. I have heard something like this before used to compromised someone's wallet too. One of the best way to verify seed phrase is virtual keyboard.

A wallet which generate seed phrase and not suggest virtual keyboard but requires you to click on the seed phrase to know if you backup the seed phrase correctly are also good. What can not make such wallet good is if they are close source and not reputed.

Ideally, you should only use open source wallet apps which use their own virtual keyboard for entering seed phrases, where you can verify exactly what the keyboard is doing. Electrum is one such example. Even using the stock Android or Apple keyboard isn't completely safe. These stock apps are usually not open source and are so deeply embedded in the phone's firmware that it is near impossible to verify if anything suspicious is happening in the background. And neither Google nor Apple exactly have a great reputation when it comes to privacy, data harvesting, and spying on users/collecting data they promised they wouldn't.

Mobile wallets are not exactly the most secure wallets in the world, but in case you really have to use them, please keep in mind one very important piece of information.

DO NOT use third-party keyboards while you are using the wallet app!

Somebody has already been robbed because of this. You must only use the stock Android or Apple keyboard, and no others. Better if you uninstall all 3rd party keyboards completely. They collect all data you type on the keyboard at all times, which is a requirement for them to function properly, and there is no telling who is at the other end of the server!