Hi my name is David I'm penetration tester at securing and today we'll talk about mobile crypto wallet security enjoy obviously talking about crypto World applications will have to compare to the banking applications let's quickly look at differences between walladap and banking application in case of wallet you are in fullControl of your funds but there is no support if something goes wrong second factories are not server-side which means no protection if private key gets leaked or fished private key be stolen it is possible if the device is compromised and the key is not stored properlyWhat do I mean by saying properly stored iOS applications should store its Secrets inside the keychain where all keys are encrypted normally rest of the files and informations can be stored inside application sandbox as the Apple definition says app sandbox provides protection to system resources and userData by limiting your app's access to resources requested through entitlement what it means is that one application cannot simply read files of the other application unless there is a system vulnerability knowing that I just had to look at a few apps and see how they implemented itI've downloaded around 10 apps and it didn't take long the second Wallet app that appears after searching Solana in app store had exactly this issue it stored private key outside keychain in simple database file in the sandbox there's one more thing that we have to bear in mind that not only the privateKey is the thing that we have to protect but also the mnemonics that are used to generate this private key many of the developers related their homework here and most of the applications that I've checked had big splash screen informing user about consequences of sharing and losing private keySome descriptions were better than the other but some had some silly issues look here big splash screen a lot of informations this is how you do it this is the same application write the private key is a copy button see that there is also an information to record offline by handThis is how big oopsie might look like you copy your private key want to store it in some safe place you switch between the apps and immediately see that some other app copied your clipboard allowing to copy private key or mnemonics was quite a common issue butThere was one application that went a step further they were verifying whether you screenshot private key or mnemonics but there was a button to export private key and it was exported as a QR code and when you press the button you it was saving this QR code in your photo galleryDoes that make sense quick threat modeling reveals another problem what if someone knows passcode to your phone it may be someone from your family or some stranger at the bus who saw your passcode and pickpocket your phone how does the application protect itself how potential attacker can access your fundsAfter opening the application they may click random buttons trying to brutalize the passcode if it's something simple like 111 they may easily get access if there is no passcode there is no protection so we should ensure that application does not allow users to set simple passcode or at least inform about consequences butThere have to be a simpler way right what if attacker abuses biometric functionality application should verify whether biometric settings has been changed how does the attack look in reality first attacker obtains your device passcode and gets access to your phone in this case app uses biometric verification instead of passcodeThe attacker adds their fingerprint in settings and by that get access to your wallet in this scenario applications should verify whether biometric settings have been changed disabled biometric authentication and request a passcode this trick worked even on the big boys like high budget Phantom wallet after obtaining system passcode youCould disable biometric settings on your phone and therefore disable any protection in the application because the application did not have any passcode protection during the app development process banks have to follow Street rules regarding protection of user privacy and their funds every feature has to be implemented with critica and verified multiple timesBefore being released to the public crypto Wallets on the other hand can be made by anyone and that means that best security practices are not always in place because wallets should ultimately be treated like a banking application they should also include quality of life features like hiding balance andJailbreak verification to inform the user about the potential risk one less sin of wallets is trackers it is really important to verify the data sent to other companies does not contain the private key that concludes our video hope you like it and see you next time