When ESET cybersecurity researcher Lukas Stefanko detected a fake MyEtherWallet app on the GooglePlay store, he took the opportunity to conduct a brief, but effective social experiment on Twitter.
Stefanko asked his followers to choose which of two Android apps they would install on their device, one being the official MEWconnect app and the other — a fake with a subtly changed name and slightly different color scheme, but the same logo and the same 5-star rating.
The poll gathered 563 responses over 24 hours, with 40% of the participants choosing the fake app based on first impression. On the other hand, when MEW retweeted the poll on its own page, many users left comments indicating that they declined the choice entirely — they would never install any crypto app on their device because “mobile apps and security don’t go together.”
So, should you never use any mobile apps for crypto management? By extension — should you refrain from using mobile apps in any context where security is important? Are desktop software applications much safer? And how are there so many fake apps anyway?
We are going to try and bring some clarity to the safety of mobile crypto apps generally, and the protections built into MEWconnect specifically.
Safety in Pounds?
There’s something about the computer that just makes it feel more secure than the guilty-pleasure-app-machine in your pocket. The computer sits on your desk, solid, unmoved by the bustle and rush of the day.
Even if it’s a laptop that you travel with, there’s a significantly lower chance of it slipping out of your pocket on the way to work. I mean, there’s simply much more room in there for safety measures of all sorts than inside a phone…
In all seriousness, though: when smartphones were first introduced, their security safeguards were poorly developed compared to the personal computer. Today, however, smartphones ARE our personal computers. Often we spend more time and accomplish more tasks on the smartphone than on our laptops or desktops, and mobile developers are giving devices new functionality every day.
The good news is that by now, some aspects of mobile device software arguably make them safer than personal computers. Lukas Stefanko agrees: “Mobile apps are both convenient and safer to use, because there are less attack scenarios in mobile compared to the PC. In my opinion, users will move from PC to mobile with most apps — including finance apps—so it’s great for them to understand how safe they really are.”
The Nested Doll
What does it mean for mobile devices to have less vectors for attack? Some factors are: fewer doorways to malware, sandboxed apps that have limited rights outside their specific functions, and multiple levels of password protection and encryption.
Really, a secure mobile app is similar to a Matryoshka, the Russian nested doll, and the phone’s operating system is like a padlocked chest full of Matryoshkas (because clearly, if you had a spectacular collection of rare Matryoshkas, you would need to keep it in a padlocked chest).
For a mobile crypto wallet, how many levels would you need to hack through to get to the actual private key inside the tiniest little doll?
- The PIN, password or face/touch ID to the mobile device
- The password to the app
- iOS Keychain or Android KeyStore encryption (*Keychain and KeyStore are not exactly the same, and KeyStore may work differently on different devices — but both structures provide additional encryption)
- Encryption of the private key itself
Even if someone was able to obtain one or two passwords, they would need to brute force two levels of encryption, which is far beyond the resources of most Matryoshka hunters. The secondary level of Keychain/KeyStore encryption in the mobile operating system is the additional layer of security compared to web interfaces.
The MEW Connection
Keeping in mind the Matryoshka model, mobile crypto wallets are doing alright in terms of security — but not as well as a hardware wallet, of course.
Now, MEWconnect is actually not a mobile wallet. MEWconnect is an alternative way of accessing the wallet through the MEW web interface — like a hardware wallet without the additional hardware.
MEWconnect is a Matryoshka with an extra trick up its… scarf? Bear with us here.
In a mobile crypto wallet, keys are stored in the same location where transactions occur. That means that your private keys do come in contact with the internet, though with encryption protections in place.
The reason hardware wallets are considered the safest way to access Ethereum addresses is that they separate the transactions from the location of the private key storage. The hardware device never exposes the keys — the computer interface receives a signed transaction that can be sent to the blockchain, but it never “sees” how the transaction is being signed.
MEWconnect works similarly to the hardware wallet. The smallest Matryoshka in the center of the nested security doll is super secretive (maybe she’s got trust issues, but who wouldn’t in this high-risk environment…) So, the key is inside, but the casing never opens, only accepting unsigned transactions and returning signed transactions through a tiny window.
The design of this inner vault is what keeps private keys secure, even in the context of a mobile device that is continuously connected to the internet. Also, this is why MEWconnect can’t be used without the MEW web interface. It’s meant to make the functionality of the hardware wallet more accessible and convenient by placing it into your phone, rather than replacing the web interface entirely. In fact, using not one but two devices to send transactions is an additional security factor.
The Double-Edged Source
Of course, all these wonderful security features will be moot if the app you download is a phishing fake…
As far as fakes go, mobile apps may actually be safer than websites, because both the AppStore and, more recently, GooglePlay have a review process before they allow the app to be released. Nevertheless, fakes do pop up, and one of the reasons may be the policy of open-source code.
Many modern technology companies choose to make the code of their products available to the public, open-sourcing it. There are many wonderful benefits to this: sharing technological progress for better collaboration, for one, as well as allowing the community to audit the algorithms and ensure that their data or funds are handled in the way they expect.
The downside of open-source is that anyone can download the code and make a duplicate of the interface, with the addition of scamming functions (such as sending funds to a different address or copying private keys). So, if you are using open-source software or apps, be aware that phishers will keep trying to trick users with copycats.
The best practices for staying safe while using mobile crypto apps are the same as general cybersecurity practices. You have to build your own MSF (Matryoshka Security Framework)!
- Create strong passwords and use them in secure environments.
- Write down important access information on paper and keep it in multiple secure locations.
- Always do lots of research prior to making any financial decisions.
- Keep up with news about your investments.
- Double and triple check website addresses, SSL certificates, link directions, and mobile app credentials.
- Don’t share private keys anywhere with anyone.
- Go ahead and have trust issues when it comes to cybersecurity! You don’t have to miss out, but you do have to take care!
Always here to demystify crypto,