At first glance, the concept of a smartphone-based hardware wallet is an attractive one. Due to the ubiquity of mobile devices, such solutions could give crypto adoption a massive boost. But even for fully-sold proponents, the issue comes with some obvious security questions.
Samsung says that their smartphones have the best features for crypto security. In a blog post last year, the company described its devices as “the best approach to short-term and medium-term storage” for cryptocurrency private keys. However, experts (and common sense) should raise some serious doubts.
Are “Trusted Environments” really secure?
With cryptocurrency wallets, security effectively boils down to the availability of secure storage for the private key combinations associated with transactions.
This is where Trusted Execution Environments come into the picture. A TEE is a hardware-based, isolated computing environment, featuring its own memory and storage space, which cannot be accessed by the OS of the smartphone. TEEs can only be accessed through a secure API, which makes use of “trustlets,” tiny applications contained within the TEE.
By using these trustlets for private key management, smartphone wallets can theoretically achieve a high degree of security.
Smartphone complexity is no friend of security
TEEs may not be vulnerable to compromised operating systems, but due to the nature of the platform on which they operate, they are still exposed to a daunting number of potential attack vectors.
Dedicated apps can be compromised and they can be programmed to make payments from the TEE, when the user actually accesses them. After all, apps do after all have to be able to communicate with the TEE in order for it to be of any use.
The addition of a password requirement in the security chain also fails to eliminate the threat. “A particularly sophisticated piece of malware can just wait for you to enter the password in order to make a legitimate transaction,” and then re-use your password for fraudulent ones, wrote Matthew Green, a cryptography professor at Johns Hopkins University, in an email to Hard Fork.
Furthermore, the issue of quality cannot be ignored either. Security problems have been discovered in the TEEs of some of the top manufacturers.
Many users also keep their mobile devices connected to cellular and WiFi networks around the clock, opening even more avenues for potential exploits.
Can blockchain seal the security holes?
One answer to these security problems could involve supplementing legacy systems with blockchain-based security. HTC’s first attempt at a blockchain-powered phone, Exodus, put the privacy-linked powers of DLT to use through the addition of a second Operating System, running in parallel with Android.
Exodus runs dApps, which – at least in theory – could completely eliminate the security holes of traditional apps. However, it bears pointing out that dApp security depends entirely on the goals and intentions of those who create these applications.
In Exodus’ case, the hardware wallet, Zion, comes with the phone, so it should be completely immune to exploits. Users who lose their private keys can still call upon a Social Recovery Function to regain their funds.
Blockchain in full effect
Pundi X’s XPhone takes this approach one step further. Powered by Function X, a blockchain-based OS, the phone itself is a blockchain node, no longer relying on centralized mobile carriers to perform its functions. For now, the XPhone can be used for calls through legacy cellular networks, but it sports a blockchain call feature, which may become the go-to option for private calls in the future.
XPhone may not be as revolutionary as its creators hope, but it could still offer significant advantages. A platform like Function X eliminates the security vulnerabilities of a fully fledged legacy mobile OS, such as Android, greatly enhancing the feasibility of smartphone crypto wallets. The capabilities of Function X also include private messaging and data transmission, positioning the XPhone as a potential host-platform for applications as complex as security tokenization and trading.
In its infancy, blockchain technology may still be in search of a problem to solve, but with blockchain phones and full data ownership, one of its first proper, real-world applications could be just around the corner.
The author is invested in digital assets.