Crypto Wallet Security: Mobile vs. Desktop
Hello! We’ve written this blog post to help our users understand the differences between mobile and desktop security, how applications access your data, the different types of malware and how they target your data, and how VESPR Wallet secures your data (seed phrases/private keys) to keep your assets safe.
While no platform is immune to malware, the risks are significantly lower on mobile devices compared to desktops. Mobile-based risks are primarily associated with online scamming and phishing, not with the software itself.
Let’s dive right in, shall we?
How Apps Access Your Data
Desktop (macOS, Windows, Linux):
On your desktop - macOS, Windows, or Linux - applications pretty much have free rein with your data. They can look for information anywhere: browser caches, browser extension data, saved emails, and so forth. Google Chrome browser extensions have a slightly tighter leash. They operate in a slightly more controlled, sandbox-like environment that protects their data from other extensions, but are still quite vulnerable. If an unfriendly program/app makes its way onto your PC, it can still easily read all the data from your Chrome extensions.
Mobile (Android, iOS):
On mobile devices, accessing your phone’s data is significantly harder to achieve. Each app operates in its own isolated sandbox enforced by the operating system (OS) making data extraction, for all practical purposes, impossible, even with physical access to the device. The only caveat is if the device is rooted or jailbroken (usually the case when people install cracked games/applications).
Screen Monitoring/Keylogging Malware
Desktop:
With desktops, the risk of malware is high and screen monitoring/keylogging malware is the single most common trait found in malware. These types of malware wait silently to steal your credentials. If malware lands on your machine, regardless of the crypto wallet you use, you're potentially at risk as soon as you enter your seed phrase. A single malware might send your encrypted wallet data to a hacker and intercept your spending password the moment you approve a transaction. Even if you installed the malware after you entered the seed phrase/spending password (whether it be one month or years later), you are still at risk of exposing your private data and someone else getting full access to your wallet and your funds.
Mobile:
On mobile devices, instances of screen monitoring and keylogging are virtually nonexistent. The operating system’s security is significantly tighter on mobile devices and generally doesn’t allow for such applications to exist on the phone, or they might require you to explicitly allow risky data accessing permissions on your phone. Generally, the only applications that may be able to do this are custom keyboard apps, which is why it's recommended to steer clear of them.
The Odds of Getting Malware
Desktop:
While security measures have undoubtedly improved over the years, a significant amount of functional malware still exists, particularly on Windows. This is especially apparent on Windows since it’s the most popular desktop platform and security is not as tight therefore it’s more “cost-effective” to try and exploit its users. With macOS and Linux, security measures are only marginally better.
Mobile:
Malware incidents on mobile devices are relatively rare, especially on iOS. Typically, the only malware cases on mobile involve the user installing a malicious application by falling for scams and other deceptive advertisements. However, even if malware does infiltrate a device, it's extremely difficult to extract data due to the robust security measures of the OS, which in turn disincentivizes the creation of such malware (due to their usefulness/profit margins).
Do You Have Any Malware?
Just because your wallet hasn’t been drained doesn't mean you're malware-free. Some malware operates more like a sleeper agent, remaining dormant and not actively hunting for your private keys or data immediately. However, via future updates, these dormant threats could be awakened and repurposed to target your data. This is relevant for both mobile and desktop so it is important to choose a platform (desktop or mobile) that minimally exposes you to the risk and impact of malware.
Data Security Measures
Desktop:
For all desktop wallets, seed phrases or private keys are (hopefully) encrypted with the spending password. If the password is weak, and the encrypted data is leaked via malware or physical access, your wallet could easily be brute-forced open (a trial-and-error method to crack the password/encrypted keys). In the case of a targeted attack, having a weak password doesn't always equate to a short one - although length is certainly a key consideration. It's worth noting that numerous hacking tools exist with the primary function of cracking passwords. These tools operate intelligently, using every bit of information they can glean about you - be it your name, family member names, birth dates, hometown, favorite hobbies, and even pet names. They then try to concoct combinations of these details along with common passwords in an attempt to crack open your wallet.
Mobile:
On mobile devices, things are different. Modern devices contain a dedicated piece of hardware for storing encryption keys. Android has StrongBox and iOS has Secure Enclave. These special vaults serve no other purpose in your phone except for securing the encryption keys used by your app, making it impossible to brute-force, even if someone manages to extract the encrypted data. Securing the application’s data with only a spending password instead of utilizing this hardware on your phone makes the app less secure.
VESPR's Security Measures
On VESPR, a key is immediately generated and encrypted when the app is installed. This encrypted key is then wrapped in yet another layer of encryption and stored in the security-dedicated vault on the device (mentioned in the previous section). This double layer of encryption is what secures your private keys/seed phrases and ensures that they never leave the device. Therefore, whether or not the application employs a spending password, PIN, or biometric authentication, the double layer of encryption still applies and takes precedence, making it impossible for any data to be extracted. In other words, in the extremely unlikely event that someone actually manages to obtain your application data (including your spending password), your keys will remain encrypted and secure.
Thanks for reading, cheers!