Every hardware wallet needs to communicate with a companion app so it can sign transactions and send them to the blockchain, and a companion app has to be on a device connected to the internet. Currently, most companion apps are desktop or web-based applications, but there are a number of reasons mobile apps are safer for hardware wallets. In traditional banking, mobile apps did not take long to overtake web apps as the secure option for online banking. Many of the same benefits for online banking carry over for hardware wallet companion apps. In this article, we will explain why mobile apps are generally safer and why the Cobo Vault only connects to the internet through a mobile companion app.
“Your smartphone is probably the device that is the most secure device you have. Modern smartphone operating systems are extremely secure if you keep up with the updates, have set a pin and are careful about what apps you download. They are extremely secure, more secure than a laptop or desktop device.”
- Andreas Antonopoulos, Bitcoin Q/A
Mobile App Stores
Mobile phones are safer because Apple and Google vet application code before they release applications on their app stores. They principally vet for two things — access to the operating system and access to the data of other apps. All apps by default have no access to the OS or to other apps except for the specific points of access they have applied for and were granted by Apple or Google during the vetting process. In the case of Apple, if your phone is not jailbroken, you cannot download apps that have not been approved for release on the App Store. Android phones can still download apps that have not been published on the Google Play store even if your device is not rooted, but if you only download from the store, a lot of security benefits are enabled by default.
With app stores, you have to download apps by manually searching for them. On desktop, it is possible malicious code could be downloaded without you even knowing unless you have strong antivirus software. Both Android and iOS require application signature verification, which ensures all app downloads and updates can only come from their verified publisher, who is able to produce the application’s valid signature. While even app updates have to be verified on phones, on desktop users are not required to take the extra step of verifying the hash or signature of the software they download themselves. This means attackers could fake a desktop app to look the same as a hardware wallet companion app and get it onto a user’s computer without having to pass app publisher verification.
The mechanism that Apple and Android require mobile apps to adopt for security is called sandboxing. According to the Android Open Source Project, the sandbox restricts permissions so that “by default, apps can’t interact with each other and have limited access to the OS.” Even if malicious code were to enter a jailbroken or rooted device, the potential of an attack is severely limited because the sandbox will isolate the companion app as long as it was downloaded from the official app store. While you wouldn’t want to expose yourself to the unnecessary risk of running a companion app on a jailbroken or rooted device, such a device might still be safer than a desktop, which does not typically have a sandbox function built in.
Full storage encryption is enabled by default on Android and iOS. OS X does the same on computers, but on Windows, BitLocker is not enabled by default. Desktops are in general more flexible, allowing users to change system settings and bypass security mechanisms, which may open the door to hackers.
Apple and Android devices both have built-in cryptographic hardware that functions like a Secure Element for security verification purposes. Apple calls its proprietary chip the Secure Enclave, and Android has the Trusted Execution Environment (TEE); both are isolated at the hardware level. These components generate keys and perform cryptographic operations, such as signing into a mobile banking app or authorizing a transaction in a wallet app. The Secure Enclave, originally designed for security functions like mobile banking, works powerfully in combination with a companion app to add an extra, cryptographically secure layer of protection for hardware wallets. Read our article on air-gapped devices if you are wondering why, if phones are so secure, you need a hardware wallet at all.
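To make the TEE point concrete, here is an added example (not Cobo Vault’s code) of how an Android companion app can ask the platform Keystore for a signing key that is generated inside the secure hardware and can only be used after the user authenticates with biometrics or a PIN. It assumes Android 9 (API 28) or newer; the class name and key alias are hypothetical.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;

/** Hypothetical helper: creates or loads a hardware-backed P-256 signing key. */
public final class HardwareKeys {
    // Hypothetical alias; any app-specific string works.
    private static final String ALIAS = "companion-app-signing-key";

    public static PrivateKey getOrCreateSigningKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) {
            return (PrivateKey) ks.getKey(ALIAS, null);
        }
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                // The key cannot be used until the user passes biometrics or PIN
                // for this operation (wire it to BiometricPrompt's CryptoObject).
                .setUserAuthenticationRequired(true)
                // Enrolling a new fingerprint or face permanently invalidates the key.
                .setInvalidatedByBiometricEnrollment(true);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        try {
            // Prefer the discrete secure element (StrongBox) when the device has one.
            kpg.initialize(spec.setIsStrongBoxBacked(true).build());
            return kpg.generateKeyPair().getPrivate();
        } catch (StrongBoxUnavailableException e) {
            // Fall back to the TEE-backed keystore, which is still hardware isolated.
            kpg.initialize(spec.setIsStrongBoxBacked(false).build());
            return kpg.generateKeyPair().getPrivate();
        }
    }

    /** True only if the private key material lives in secure hardware, not app memory. */
    public static boolean isHardwareBacked(PrivateKey key) throws Exception {
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }
}
```

The private key never leaves the TEE or StrongBox; the app only ever receives a handle, so even a compromised app process cannot export it.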
Apple manufactures its chips so that when the device is booted, all the firmware is verified as having come from Apple. Android also ensures all executed code comes from a trusted source like the device OEM. An attacker can bypass computer login passwords by dismantling the machine and attaching the hard disk to another system, but boot-level verification means you cannot read a phone’s data by removing its chips and connecting them to another system. Phones are designed to have one primary user and are more securely designed as a result. A mobile banking app can readily verify personal identity through a fingerprint scanner or Face ID biometrics, but computers are not necessarily built to do that. Human factors play a role in overall device security too, as we are much more likely to neglect the whereabouts of a computer than of our mobile phone.
Cons for Web Apps
Web applications have an incomparably larger attack surface. Web app data may be wiped by a cleanup tool, sites might not have HTTPS enabled, browsers are vulnerable to man-in-the-middle attacks or bugs that leak data, and web apps are easier targets for phishing attacks. Ledger Live this year, and Trezor more notably before it, have already had to warn their users to be more skeptical when using web-based companion apps after users were targeted by phishing attacks.
Should Companion Apps Be Mobile-Only?
Mobile-only apps are not a silver bullet, but they are in general the more secure option for hardware wallet companion apps. However, there are certain trade-offs, such as the lack of flexibility to customize privacy settings in a more limited system. Due to the strict limitations on app access at the OS level, it’s very hard to run Tor on an iOS device.
Moving from desktop and web apps to mobile will make it easier to perform trades on the go, and accessibility is a core function hardware wallets should have. However, it should be noted that you do not want to use public Wi-Fi when you are running your hardware wallet companion app, as it is possible your network traffic could be intercepted in a man-in-the-middle attack. Be mindful of staying on encrypted Wi-Fi or cellular networks when you trade or transact, and the security Apple and Google provide should give you more peace of mind when connecting your hardware wallet to a mobile app.