Security Experts Disagree with Samsung’s ‘Bitcoin is Safest on Phone Storage’ Claim
Samsung is full of praise for smartphones as the safest place for cryptocurrency. In a blog post published on its Insights platform last month, Samsung suggested that “smartphones have the best security for blockchain and cryptocurrency.” The research went mostly unnoticed until last week, when it was suddenly picked up by several cryptocurrency news sites. But while the research certainly makes for strong headlines, is the buzz around the security of smartphones justified? We decided to find out.
Why Are Smartphones Good For Cryptos?
Smartphone wallets such as Blockchain and Jaxx are the go-to applications the majority of cryptocurrency users rely on to send and receive payments in digital assets. Joel Snyder, a senior IT consultant and contributor to Samsung Insights, explained in a recent paper that smartphones are significantly more secure than laptops and other devices because of the presence of the Trusted Execution Environment (TEE).
Most smartphones have a native environment called the TEE, which operates as a separate execution environment with its own memory and storage, isolated from the rest of the device. Hence, not even an operating system (OS) such as Android can reach into the TEE and alter its memory. In the event of a hacking attack or a security breach, attackers cannot possibly break into the TEE and attempt to steal data such as the private keys of cryptocurrency wallets, because the TEE exists completely independently of the device.
Snyder goes on to say,
“This is why smartphones have an edge over laptops and desktops for cryptocurrency wallets: without the benefits of the hardware-based TEE, the keys are more vulnerable. There is a significant caveat: a naïve wallet developer might choose to simply store the keys on the normal internal storage of the phone, in which case there’s little additional protection from using the smartphone platform. Or the wallet itself might be malware, in which case all bets are off. But with the right wallet leveraging the benefits of smartphone TEE, there’s no place safer to store your money.”
This is ultimately what sets smartphones apart from laptops. Laptops don’t have TEEs, which makes wallet software much more susceptible to malware.
Where Do Smartphones Fail?
Even though the TEE provides a platform with heightened security, smartphones are by no means immune to attacks.
Jameson Lopp, a Bitcoin developer, agrees that TEEs provide security benefits but notes that attacks can happen elsewhere in the software stack. Lopp says:
“Malware can affect other critical components of the wallet operation while creating a transaction, resulting in the funds being sent to an attacker’s address.”
Lopp would only keep as much cryptocurrency in a single-signature smartphone wallet as he’d keep in a conventional cash wallet.
Matthew Green, a Johns Hopkins cryptography professor, also agrees that TEEs are a “good thing” and make “hacker’s jobs more difficult.” However, when an application makes a request to a TEE such as “send Bitcoins to a specific person,” the TEE protects the keys, but all that is required to compromise the application is sophisticated malware.
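The gap Lopp and Green describe, as an added example that is not part of the original article: a toy Python model in which the key never leaves a simulated TEE, yet the TEE signs whatever payload the app layer hands it, so a valid signature says nothing about whether the transaction matches what the user intended. SimulatedTEE, the tamper hook, the placeholder addresses and the use of HMAC in place of a real signature scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


class SimulatedTEE:
    """Toy stand-in for a TEE keystore: the key is generated inside and never returned."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # callers only get sign() and verify()

    def sign(self, payload: bytes) -> bytes:
        # Assumption: HMAC-SHA256 stands in for the wallet's real signature scheme.
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def verify(self, payload: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(payload), tag)


def encode_tx(to_addr: str, amount: int) -> bytes:
    return json.dumps({"to": to_addr, "amount": amount}, sort_keys=True).encode()


def wallet_send(tee, to_addr, amount, tamper=None):
    """App-side path. `tamper` is a hypothetical hook modelling a compromised app layer."""
    intended = encode_tx(to_addr, amount)
    payload = tamper(intended) if tamper else intended
    return {"intended": intended, "signed_payload": payload, "sig": tee.sign(payload)}


def audit(tee, result):
    """Signature validity and agreement with user intent are separate questions."""
    return {
        "signature_valid": tee.verify(result["signed_payload"], result["sig"]),
        "matches_user_intent": result["signed_payload"] == result["intended"],
    }


def swap_destination(payload: bytes) -> bytes:
    tx = json.loads(payload)
    tx["to"] = "ADDR_OTHER_PLACEHOLDER"  # constructed placeholder, not a real address
    return json.dumps(tx, sort_keys=True).encode()


def demo():
    tee = SimulatedTEE()
    clean = wallet_send(tee, "ADDR_FRIEND_PLACEHOLDER", 5)
    altered = wallet_send(tee, "ADDR_FRIEND_PLACEHOLDER", 5, tamper=swap_destination)
    return audit(tee, clean), audit(tee, altered)
```

In both runs the key stays inside the simulated TEE and the signature verifies; only the comparison against the user's intended transaction tells the two apart.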