Web3 Mobile Wallet Apps: A Secret Key Protection Perspective

The security of private keys and mnemonic phrases is of paramount importance in the world of cryptocurrency, as they grant access to one's digital assets and their loss or theft can lead to financial ruin. With the rise of mobile wallet apps in the Web3 space, it's crucial to understand the various security mechanisms that are in place to protect these keys.

This blog summarizes the different levels of security protection offered by web3 mobile wallet apps, and examines how they are implemented in practice by looking at nine popular open-source mobile wallets. We explore the range of security measures, from simple passcode protection to hardware-supported trusted execution environments.

Through our research, we found that some of these security protection mechanisms can effectively address some common attack patterns for stealing private keys. However, we also found that threats from the system level, such as root-based exploitation, are largely ignored. This highlights the importance of users being cautious about trusting the levels of protection offered by wallet apps on mobile devices.

The Heart of Wallet Security: Private Key Protection

The most important asset that a mobile wallet app holds is the private key or mnemonic phrase. Consequently, the most severe threat that a mobile wallet app faces is the leakage of that private key or mnemonic phrase, as it means the loss of all of the user's assets. To properly mitigate such threats, a well-designed mobile wallet app should have a systematic way to protect private keys both at storage time and at in-use time.

In particular, we summarize in the above table the common practices that cryptocurrency wallets use on Android mobile devices to protect private keys and mnemonic phrases. Each level of security practice is listed in order of increasing security level and includes the corresponding threats that it cannot fully address. By studying nine popular open-source cryptocurrency wallets, we were able to categorize them into their associated security levels and gain a better understanding of how these practices are used in real-world applications. The figure below shows the names of these mobile wallet apps and the number of times they have been downloaded from the Google Play Store.

Wallet Security: From S0 to S4

In this section, we will provide a brief overview of each security practice and how they are implemented on different applications. This will include a discussion of the strengths and weaknesses of each practice, as well as an examination of how attackers can still bypass these mitigations with different attack vectors.

S0 (No Storage Protection)

The S0 level of security practice stores all user private information locally within the application’s storage space, including private key, mnemonic phrase, etc. This prevents non-privileged users or applications from accessing the storage file directly. However, S0 level protection does not encrypt the storage file at all, meaning the user's secret exists in the storage file as plain text. Any privileged user or application can access this storage file and extract the user's private key to fully control the user's wallet.

Bitcoin Wallet Recovery from Serialized Protobuf File

It is worth noting that gaining privileged access on Android devices is not an impossible task. Apart from users who actively root their devices and are then abused by malicious applications, cyber criminals leveraging vulnerabilities to gain privileges are also an emerging threat on Android devices. For example, in 2021, security researchers at the Lookout Threat Lab found the Android malware “AbstractEmu”, which takes advantage of multiple vulnerabilities to obtain root access in order to interact with finance applications. There are also multiple presentations from 360 Alpha Lab showing how to achieve a one-click remote attack to gain root access on recent Android devices.

Simple Bitcoin Wallet Recovery from Sqlite Database

To demonstrate the potential vulnerability of using S0 level protection, we conducted a test by installing popular wallets like Bitcoin Wallet and Simple Bitcoin Wallet on a rooted Android device. With root access, we were able to easily read the key storage files of these wallets and extract the user's mnemonic phrase, as shown in the above screenshots.

S1 (Passcode Encryption)

The S1 level of security practice uses a user-defined passcode to encrypt the storage file containing private keys and mnemonic phrases. This prevents non-privileged users or applications from accessing the storage file directly. However, the storage file must be decrypted when the application starts, and a privileged user or application can inject into the wallet and capture the encryption password. This can allow them to dump the key storage file and decrypt it locally.

To demonstrate the potential vulnerability of using S1 level protection, we conducted a test by installing the popular open-source wallet Samourai on a rooted Android device. Using Frida, a popular instrumentation tool, we were able to reveal the encryption password and further access the user's private keys and mnemonic phrases. It's worth noting that although the Samourai wallet attempts to detect if the device is rooted, it was not effective in our experiments.

Samourai Application Injection Attack Demonstration

S2 (Keystore (Trustzone))

To prevent the key storage file encryption key from being compromised by malicious actors, some wallet apps, such as Metamask, use the Android Keystore System to generate and use the encryption key. The Keystore system is backed by a trusted application that runs in the Trusted Execution Environment (TEE) on the Android system. This environment is isolated from the main operating system and is protected by hardware-based security features. By using the Keystore System, the encryption/decryption of the storage file happens in the TEE, making it less likely for the encryption key to be leaked. However, the Keystore System does not provide the blockchain-associated APIs, such as transaction signing or verification. As a result, the wallets still need to have the decrypted user's private keys in memory, making it vulnerable to privileged attackers who can dump the application memory and extract the private keys.

S3 (Keystore (Trustzone) + Root Detection)

To improve the security of S2 level protection, some wallet apps add an additional layer of security by checking if the mobile device has been rooted. This helps ensure the integrity of the device, as a rooted device may have been compromised by a malicious attacker. For example, the Airgap Vault wallet uses the Keystore System to protect the user's encryption key, but also checks if the device has been rooted while it runs. If the device is found to be rooted, the Airgap Vault wallet refuses to run, maximizing the protection level. This added layer of security provides an extra level of protection against malicious attackers who may have gained root access to the device.

Airgap Vault Root Detection

S4 (Dedicated TEE TA)

The highest level of security practice in mobile wallet apps is the use of a dedicated Trusted Execution Environment (TEE) to store and handle private key information. This is implemented by installing a specialized TEE-based Trusted Application (TA) on the device. For example, this protection method is currently used by the Samsung Blockchain App on certain high-end Samsung smartphones. This approach provides an extra layer of protection, as the private key information is stored in and handled by the TEE, which is isolated from the main operating system and can only be accessed by vendor-approved code. Even a privileged user or application cannot directly access this information. However, the limitation of this approach is that it requires smartphone manufacturers to provide specific interfaces for wallet developers to utilize the TEE.

Some Additional Thoughts on Mobile Wallet App Security

In S3 level protection, we mentioned that root detection can be used in conjunction with the Keystore System to protect the user’s private information. We believe root detection is an important aspect of ensuring the device retains its basic integrity, and it should be implemented in conjunction with any security practice to ensure a higher level of protection. However, it's important to note that root detection techniques can vary and may not always be effective. For example, while the Airgap Vault root detection worked well on our test device, the Samourai wallet failed to detect the rooted environment.

Furthermore, this study covers only the software wallet apps on mobile devices without any additional hardware implementation. Both hardware-based web3 wallets and cold wallet security offer attractive security features, and they both deserve a separate article.

In practice, we believe mobile wallet apps will continue to increase their user base due to their ease of use. Wallet developers should leverage the TrustZone design, which already exists on most Android mobile devices, to provide the maximum level of security to wallet users.

Summary

In this blog, we analyzed the threats that Web3 wallet apps face on mobile devices. In particular, we focused on how private keys are stored and the associated potential threats. We analyzed nine different popular wallet apps and revealed the level of security each adopts. We found that most major wallets use hardware-backed key protection techniques to resolve the key storage issue, such as the Keystore System on Android.

However, we noticed that most wallets do not check if devices are rooted, which may result in security issues while performing private key operations in memory. Apart from the five levels of security practices we summarized in this blog, we believe wallet developers should also pay attention to how to fully utilize the TrustZone design on Android systems to better mitigate the common risks. We will continue to cover this topic in future blogs and assist developers to better protect users’ assets.

Read more: https://www.certik.com/resources/blog/4YByvvbbq8vCj1dxdulTXr-web3-mobile-wallet-apps-a-secret-key-protection-perspective
