Mobile Bitcoin Wallet Security - Andras Mendik


Published on March 31, 2014

Author: BitcoinBarcamp



In Andy's technical talk, Mobile Bitcoin Wallet Security: Security is Everyone's Responsibility, he gives a good overview of the wallet storage options (desktop, mobile and web), then takes a deeper look at how wallet encryption works and at the gaps to be aware of.

While Andy works for Sophos, these thoughts are his own.

This was first presented at the Bitcoin Barcamp in Sydney on 15 March 2014. To view the full talk, or to find more presentations from Australia's first pop-up unConference on cryptocurrency innovation, go to

1 András Mendik, Threat Researcher
Mobile Bitcoin Wallet Security
Security is Everyone's Responsibility

2 Mobile Bitcoin Wallet Security
• Bitcoin Storage
  ○ Desktop Wallet
  ○ Mobile Wallet
  ○ Web Wallet
• Compare Mobile Wallets
  ○ Bitcoin Wallet
  ○ Wallet
• Security is Everyone's Responsibility
  ○ Mobile wallet attack vectors
• Live Demo
  ○ Setup and secure your wallet
  ○ How to steal some Bitcoins from the 'Bitcoin Wallet'

3 Bitcoin Storage
Desktop Wallets: Desktop wallets are installed on your computer. They give you complete control over your wallet. You are responsible for protecting your money and doing backups.
Mobile Wallets: Mobile wallets allow you to bring Bitcoin with you in your pocket. You can exchange bitcoins easily and pay in physical stores by scanning a QR code or using NFC "tap to pay".
Web Wallets: Web wallets allow you to use Bitcoin on any browser or mobile and often offer additional services. However, you must choose your web wallet with care as they host your bitcoins.

4 Bitcoin Wallet - Google Play
• No registration, web service or cloud needed! This wallet is de-centralized and peer to peer.
• Display of Bitcoin amount in BTC and mBTC.
• Conversion to and from national currencies.
• Sending and receiving of Bitcoin via NFC, QR codes or Bitcoin URLs.
• Address book for regularly used Bitcoin addresses.
• When you're offline, you can still pay via Bluetooth.
• System notification for received coins.
• App widget for Bitcoin balance.

5 - Google Play
• Client Side Wallet Encryption
• Open Source
• Server assisted PIN Protection
• Automatic and Manual Wallet backups
• Paper Wallet Support
• Scan Private Keys
• Quick, Custom and Shared Send
• Local Currency Conversion
• Add Notes to transactions
• Push Notifications
• P2P Fallback mode if the centralised server is offline.

6 Bitcoin Wallet - Security
• Private Keys only exist on your Android Device
• AES 256 Encrypted Backups (Manual Only)
Wallet stored on your device is un-encrypted!

7 - Security
• Open Source
• Automatic and Manual Wallet backups
  ○ Email
  ○ Dropbox / Google Drive
  ○ Paper
• Client Side AES 256 Double Encryption
  ○ Wallet encrypted with Main Password
  ○ Private Key encrypted with Second Password
• Client Side Password/Keys
  ○ Password is never sent to their server in any way, shape or form
  ○ Un-encrypted private keys are never shared with their server
https://

8 - Security
• Two Factor Authentication
  ○ SMS
  ○ Email
  ○ Yubikey
  ○ Google Authenticator
• Block TOR IP address
• Lock to IP address
• Inactivity Logout
https://

9 AES 256 - Decrypted Wallet
{
    "guid" : "ef577e17-490c-4840-85e3-852f97e39891",
    "sharedKey" : "a4071684-bd5e-4454-9a3b-a69123e14eb2",
    "options" : {
        "pbkdf2_iterations":10,
        "fee_policy":0,
        "html5_notifications":false,
        "logout_time":600000,
        "tx_display":0,
        "always_keep_local_backup":false,
        "transactions_per_page":30,
        "additional_seeds":[]
    },
    "keys" : [ {
        "addr":"136dDyVaR3S5zv96fdznw2V1SL6EQhNVn",
        "priv":"NxQBXB1YpUVr75i1He1SXCTWd7KdgZp79TC1EBfAcnV",
        "created_time":0,
        "created_device_name":"javascript_web",
        "created_device_version":"1.0"
    } ]
}
AES 256 - Encrypted Wallet
+KtTPABoGyHjWnMN1RxFU6Kg98K5mpB+qmULalluU0JF1HXTGIERPudvxNSM2y0onYsGNFILhsTIn2Qoz4b1+lYm3iTV4g9TlW7dVUvKYsir0sWEh
umdEntAsFvd7cxuzh1F/asFqEsrvs1kpgFpMSipVv/yx2qf1L5jhqPLHTno/ei+NvZHLSIXCjR2bfe0Yc13CGUKBu/
+lzBTOIsliXMinHdm7KMj5Qy4bkr5Sd7nRKn8uhqVVHBGhKLICgXivLlLYt8jOTHXJpMafQJYNakxwzx4mb
Lo8orvtoj7l4aE6/eusTQ5YMVyNmpF4jCdTVYKOZXZTEsZIC0mqzY8/kpfQxKDL3t2S3vdPEFfK6okaleFNKMrMSMhgWyet
+HpCkNCR7y4eJrV1VT8yGnPVE9Nn5rbUb1Ul098JYnhL9otA9P3QEH4+S/2m0HMuiuni/YMnx/uPrg
+yRl0g9UIHZr6F8/C2zGvyVwohlwCQv5+MnNhF51ZPNBajxE4kdSaktrgbZB3r63Xj5TTrDcaFfGKOstMl3KV5jeagQSbiS7jtLLL
xJmD2z9yFG3J4vpp3+HNKvLvJMYdQwZ8EXclxMJ6YkdN3iBK2rlUT0e1GDrAp+SoX3t+
+v4vIXxafcKYZ7nDGUqxb+uIWpZqn9pZiwHSoX3SAO6fBqBzhZjeu00O06+mJBo6SEFtcMOGo+e

10 AES 256 - Decrypted Wallet
{
    "guid" : "ef577e17-490c-4840-85e3-852f97e39891",
    "sharedKey" : "a4071684-bd5e-4454-9a3b-a69123e14eb2",
    "double_encryption" : true,
    "dpasswordhash" : "641468e16aa0aecf00f383bc28378636ad78c2c0ebde8b6cc7af6166285ea99f",
    "options" : {
        "pbkdf2_iterations":10,
        "fee_policy":0,
        "html5_notifications":false,
        "logout_time":600000,
        "tx_display":0,
        "always_keep_local_backup":false,
        "transactions_per_page":30,
        "additional_seeds":[]
    },
    "keys" : [ {
        "addr":"136dDyVaR3S5zv96fdznw2V1SL6EQhNVn",
        "priv":"mXZEqzNHIQ14HbLt5b9Zj68YkW2CudYiYQ9Oisb7UPW9Tuz32evQ83vr3G89KPqyio51yDwhK2fgMsnRgqvFvA==",
        "created_time":0,
        "created_device_name":"javascript_web",
        "created_device_version":"1.0"
    } ]
}
AES 256 - Encrypted Wallet
senQOh1qJSZhCpUpLXCZecu+crwTFXBwy8KEhIirB0jNi1c/X+uvmSm0NxvBQcg/3H7UDM40Onz2NoGlFiLJN83d48DS8009zh5sHdbOnnN6geXPDVoXqFDhMdxxQ1Swae/qKWZDI8Et/
DYx2qUtKLyY9WKAcUjw15mRNgqz8yYoUyz/9LKXJQ/kgf5Yr6/QasoEwmJM0dqyEmvKjYsaGOKhvIuIsQHtG5joLONC9pnkzynhWHktAt2mFX5iewVRanvU5vdr
+yQZm1esYN7gs+hqMHh6/X3XrL/vtHRmoNTDz4MrhpHDr6fl0kPCYjPb+SX9YRx2AM7uYn6PNMF
+1lgAiX98tHKJD6yWldH8hcWyEdXEfx6++nWmwN4B2Vaj0tyn53LkxEeI6ktn0u4hf4hdTvS/
pyOQwDirl7avKsLCidgo0aooFMVfYKMVQU7IA3DqMHScq3/NxGPB4Evh4rn1Bpou6WIRbm9+0fiK3C6prtcFDYz5imQKLgEDi/Du6ZNxB7lyVgGkNr46db21RGOX/
6ReIaWKUmLlOqt4thrku9ka/tlQNYkzT8MK4wYbe0xsXhUqApIYQM34GKvuuQwjeJj5u6lU5OPzQpxkJB3kWrBG8Ye3+usZ/
flGlwO8BxcF2RoMD1yORaA93I52Ca5RCu9LzXkpvCoRMH4RMcNPhqWsf4NAt5+pFhXGXLE1IWWqhT7OvDjRLa6pXMDAV/Bn064
VZEO6weKT9Z6ZCTKn4d4YL6rKRpzkTOx/b5/UyVuiX89hg6JAQhkyx1OwJRePJBWoevzs4XVSY20n8AeU+kBa4diD34debUY683QzLujeCNDR28jguyKvccrEmArlaNYGvvT/
KmMheHFC7fGS7oWgsJ3oId9guOmGjAS0/VnhrpqOQ6R+lihd+7XQ==
AES 256 - Decrypted Private Key
NxQBXB1YpUVr75i1He1SXCTWd7KdgZp79TC1EBfAcnV

11 Encrypted Private Key <- Second Password
   Encrypted Wallet <- Main Password

12 Un-encrypted private keys are never shared with the server

13 Access  your  Bitcoin  from  anywhere  

14 Security is Everyone's Responsibility

15 Mobile Wallet Attack Vectors
• Weak Password!
  ○ How many times have you heard this one?
• Social Engineering
  ○ Don't show people your PIN code
• Phishing
  ○ Don't open suspicious emails
  ○ Double check your address bar
  ○ Check your SSL certificates
• Machine / Device Compromise
  ○ Keyloggers
  ○ Malware & Backdoors
• Lost Device

16 Live Demo
Setup and secure your wallet

17 Live Demo
How to steal some Bitcoins from the 'Bitcoin Wallet'

18 © Sophos Ltd. All rights reserved.
