Security

The Wallawallet mobile application code for Android and iOS have passed thorough security audits, administered by Tarski Technologies. The audits are meant to ensure users of Wallawallet that their private keys are securely stored and managed on the mobile device without ever leaving the device.

Best security practices were followed and the example reference project mentioned at the following site was used as a foundation for our own security implementation on Android devices:

For the data storage the best solution will be to use a keystore key protected by a fingerprint which will be used to… decrypt a secondary symmetric key (so a user is not prompted every time a cryptographic operation needs to take place).

https://labs.f-secure.com/blog/how-secure-is-your-android-keystore-authentication/

This is essentially what we are doing to protect the user’s private keys. Whenever a user’s private key is stored or retrieved, the encrypted key must be unlocked with another unique application key which itself can only be retrieved using the crypto object returned from the Android biometric API call, ensuring that the user’s fingerprint itself is used to secure the application key. The application key is cached in memory until it is determined that the authentication timeout period as defined in the application’s settings has expired.

Wallawallet on the Android requires the use of a fingerprint to provide such a high degree of security and peace of mind for the user. Nevertheless, an optional application 6-digit PIN code is also provided and encouraged. The PIN can only be engaged by clicking on the lock icon in the user interface, but doing so will time out the fingerprint authentication as well as lock the application until the correct PIN is entered. You can find out more about our security best practices here: https://wallawallet.com/best-practices/