Mobile wallets are critical to the safety of user assets in the Web3 era. However, our past audit and research experiences have revealed that many mobile wallets have weak designs that can result in significant losses to users.
In this talk, we present the common security risks found in mobile wallets, classify them by severity, and provide solutions and hardening measures. We give examples of specific risks such as centralized wallets posing as decentralized ones, leaked mnemonics, and vulnerabilities in application servers. We also show how malicious wallets masquerade as legitimate mobile apps and what they do once installed.
To improve mobile wallet security, we explore the use of hardware secure elements, TrustZone, NFC cards, and cryptographic protocols such as zero-knowledge proofs and MPC. Using real-world examples, we demonstrate why understanding and addressing these risks matters for the safety of mobile wallet users.
Zhaofeng Chen: security researcher at CertiK