In the last article, we explained the importance of mnemonics for Web3, and our mnemonics will definitely need to be placed in the wallet. At this time, the security of the wallet is very critical.&nbsp;<a href="https://blog.kryptogo.com/web-3-%E6%99%82%E4%BB%A3%E5%BF%85%E5%82%99%E7%9A%84%E9%87%91%E8%9E%8D%E8%B3%87%E5%AE%89%E5%B8%B8%E8%AD%98-%E5%8A%A9%E8%A8%98%E8%A9%9E-%E7%A7%81%E9%91%B0-%E9%8C%A2%E5%8C%85-%E5%B8%B3%E8%99%9F-de8a0dc77d89">Financial Security in the Web 3 Era: Tokens/Private Keys/Wallets (Accounts) - KryptoGO</a>Unlike banks, there is no anti-fraud detection system like banks in the blockchain, and there is no customer support to immediately cancel or restore transactions when problems occur. Compared to the same banking APP on the mobile phone, the security of encryption wallets is more vulnerable to quick theft and transfer if a problem occurs.&nbsp;Encrypted wallet security is tricky, and all the hard-to-discover vulnerabilities and potential problems usually exist at the intersection of multiple flaws: cryptography, access to local storage, lack of application authentication, and lack of input validation. Each problem point is relatively small in real time, but when combined, they can expose more unexpected&nbsp;<a href="https://zh.wikipedia.org/zh-tw/%E6%94%BB%E5%87%BB%E8%A1%A8%E9%9D%A2">attackable surfaces</a>.<h1 style="margin-left:0cm;">Check the security of encrypted wallet APP</h1>If we differentiate by software and hardware wallets, the choice of hardware wallets is relatively simple, basically choosing the first market share is usually no problem, but the development of software wallets is quite fast, especially in this era of multiple chains, there are all kinds of software wallets for us to choose from.Software wallets include browser wallets and cell phone wallets, browser wallets are usually open source and are audited by multiple people, and most are currently monopolized by a few wallets manufacturers.<h1 style="margin-left:0cm;">1. Ownership of Assets</h1><a href="https://blog.kryptogo.com/%E9%8C%A2%E5%8C%85%E7%9A%84%E5%85%A9%E5%A4%A7%E9%A1%9E%E5%9E%8B-%E8%A8%97%E7%AE%A1%E8%88%87%E9%9D%9E%E8%A8%97%E7%AE%A1-%E6%B2%92%E6%9C%89%E7%A7%81%E9%91%B0%E5%B0%B1%E4%B8%8D%E7%AE%97%E7%9C%9F%E6%AD%A3%E6%93%81%E6%9C%89%E5%8A%A0%E5%AF%86%E8%B3%87%E7%94%A2-d4e43c02e207">There are two main types of wallets: custodial and non-custodial – Without a private key, you don't really own a crypto asset - KryptoGO</a>The first and most important step in using a wallet is to check if it is really a custodial wallet or not. The way to check is simple: when you send any transaction, go directly to the blockchain browser by Tx ID to see if the address of your wallet is unique or shared like the entire exchange.If it is a custodial wallet, it means that the assets are not available for your own use. All you can do is to trust the company and do due diligence on the company and the team behind it: whether the team members have a bad track record, past industry experience, company credit, team technical capabilities, whether they have obtained relevant certification standards, etc.Because custodial wallets are more about the company and the team's credit. Of course, the basic technical skills must still be there, if not, the following common low-level errors may occur.1 Poor key management: storing encryption key and data together in plaintext; lack of key rotation, revocation, expiration; using encryption key for different purposes.2&nbsp;Poor memory management: Tampering with sensitive data in application code instead of limiting its lifecycle on memory, hard disk, and UI.3 Even storing sensitive data in plaintext that will be used by wallets.<h2 style="margin-left:0cm;">KryptoGO Wallet is a non-custodial encrypted wallet</h2>Founded in 2019, KryptoGO was recognized by Etherscan as a recommended vendor for smart contract auditing and information security back in 2019. The team has many years of blockchain experience and has been recognized by governments, banks, and international authority accreditation for its technical capabilities.<img src="https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/image_56fb0c2260/image_56fb0c2260.png"><a href="https://etherscan.io/directory/Smart_Contracts/Smart_Contracts_Audit_And_Security?q=KryptoGO">Ethereum Directory for Smart Contracts — Smart Contracts Audit And Security | Etherscan</a><h1 style="margin-left:0cm;">2. The security mechanism of the encrypted wallet application</h1>Encrypted wallets need to be protected in many ways, such as: checking if the device is trusted, if it is Rooted or jailbroken, if potentially harmful applications are installed, or reverse engineering tools. (Now there are <a href="https://en.wikipedia.org/wiki/Pegasus_(spyware)">malicious APPs</a> that can be used to steal user's credentials, mnemonic phrase or private keys). This part can be protected by reverse engineering and tampering as recommended by <a href="https://github.com/OWASP/owasp-masvs/blob/master/Document/0x03-Using_the_MASVS.md#masvs-r-resiliency-against-reverse-engineering-and-tampering">OWASP MASVS L2</a>.Mobile platforms (iOS, Android) provide many hardware-level security controls, and requiring users to set passwords is a relatively easy feature to implement. This kind of protection creates an additional layer of the obstruction for the attacker. If a password is not installed, anyone can unlock the phone and steal the wallet data, or even access the keychain/keystore.It's also a good idea to encrypt sensitive data before putting it into the Keychain/Keystore, so that even if the phone is attacked and an attacker can access the Keychain/Keystore, all he or she will get is the encrypted data.<h2 style="margin-left:0cm;">KryptoGO Wallet protects all aspects</h2>1 No old devices or legacy versions with security risks are supported. The operating system's native secure storage is being adopted to limit the lifecycle of sensitive data, thus reducing the risk of successful attacks and data leakage.2 Keep all sensitive data in the secure storage provided by the native system.3 Do a complete code review during the development phase, with each person submitting a merge request to be reviewed by at least a second person.4 Protect the developer's equipment and work environment from social attacks.5 Do a thorough penetration test before submitting for review to ensure there are no vulnerabilities caused by code logic.6 We consider various scenarios in the Wallet App usage process, including losing your phone, changing your number, or temporarily lending your phone to someone else, and we make sure that every aspect of usage is accounted for.<h1 style="margin-left:0cm;">3. Local Storage for Non-Custodial Wallets</h1>Since non-custodial wallets require local storage of mnemonic phrase, seeds and private keys, it is important to understand how local storage works and the common attacks against it.Here are some things developers can check.<ul><li>What kind of storage should be used to provide the best security?</li><li>Can the storage be accessed as a file? Can it be accessed by other applications?</li><li>Can you verify the authenticity of this storage? Is it possible to "steal" storage space from one wallet and put it in another wallet without problems?</li><li>Are there any integrity checks? Or can anyone change the data in the storage and the encrypted wallet won't notice anything.</li><li>Does the storage provide other encryption (e.g., hardware-supported encryption), or is the data stored in plaintext?</li><li>Should application-level encryption be used to encrypt data before it is placed in storage? If so, where will the encryption key be stored and how will the private key be derived?</li></ul><h2 style="margin-left:0cm;">KryptoGO uses the native operating system security zone to protect the helpers</h2>We use <a href="https://developer.apple.com/documentation/security/keychain_services#//apple_ref/doc/uid/TP30000897-CH203-TP1">iOS Keychain</a> and <a href="https://developer.android.com/training/articles/keystore">Android Keystore</a> to encrypt and store AES encrypted data.The AES encryption algorithm is an advanced encryption standard in cryptography that uses a symmetric grouping cipher system with a minimum key length of 128, 192, 256 and a group length of 128 bits. This encryption algorithm is the block encryption standard adopted by the U.S. federal government, and the AES standard is used to replace the original DES, which has been analyzed by many parties and is widely used worldwide.<img src="https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/1_Kmosu_U_Nt6h6_ZLQ_7_U_Gb_G_Mag_4a1c4435bd/1_Kmosu_U_Nt6h6_ZLQ_7_U_Gb_G_Mag_4a1c4435bd.gif" alt="1*KmosuUNt6h6ZLQ7UGbGMag.gif">How AES worksThe following is the way we encrypt the mnemonic phrase. From this formula you can see how we encrypt the mnemonic phrase (not all of them are public, so as to avoid exposing unnecessary attack surfaces), all transmission links are ciphertext instead of plaintext:<img src="https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/1_3ii_Kwv_O_Oij_R5_Mhj_Lp_Xc9w_ad27057304/1_3ii_Kwv_O_Oij_R5_Mhj_Lp_Xc9w_ad27057304.png" alt="1*3iiKwvOOij_R5MhjLpXc9w.png" srcset="https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/thumbnail_1_3ii_Kwv_O_Oij_R5_Mhj_Lp_Xc9w_ad27057304/thumbnail_1_3ii_Kwv_O_Oij_R5_Mhj_Lp_Xc9w_ad27057304.png 245w,https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/small_1_3ii_Kwv_O_Oij_R5_Mhj_Lp_Xc9w_ad27057304/small_1_3ii_Kwv_O_Oij_R5_Mhj_Lp_Xc9w_ad27057304.png 500w,https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/medium_1_3ii_Kwv_O_Oij_R5_Mhj_Lp_Xc9w_ad27057304/medium_1_3ii_Kwv_O_Oij_R5_Mhj_Lp_Xc9w_ad27057304.png 750w," sizes="100vw">KryptoGO Wallet's encryption protection for mnemonics<h1 style="margin-left:0cm;">Frequently Asked Questions</h1>Q1: Why do we need to fill in our phone number if it is a non-custodial wallet?The phone number is to simplify the process of creating wallets.We've observed that most wallets today are not intuitive and friendly to the average person, and that logging in with a Google or Facebook account password is one way to do this, but it doesn't fit in with Web3. It's like using Clubhouse, you don't need to register for an account password, you can retrieve all your blockchain wallets each time with a verification code and a password that only you know for your wallet.<img src="https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd/1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd.png" alt="1_sEU9lSdNnMUUrwY1qoF_1g.png" srcset="https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/thumbnail_1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd/thumbnail_1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd.png 235w,https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/small_1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd/small_1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd.png 500w,https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/medium_1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd/medium_1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd.png 750w,https://storage.googleapis.com/kryptogo-website.appspot.com/public/cms/large_1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd/large_1_s_EU_9l_Sd_Nn_MU_Urw_Y1qo_F_1g_9fcf9e27fd.png 1000w," sizes="100vw">The KryptoGO Wallet is designed with various aspects in mind and can be used without our escrow key.Using our custodial mnemonic phrase is an option, and if you are unsure about using it for the first time, you may not choose to import it and create a brand new wallet. The same is true for other wallets. The power of the Wallet App is very large, so you must be very careful when using it to avoid phishing attacks. You can create a wallet first or use watch mode to observe the logic of that wallet and the protection mechanism of the APP, and then put in the mnemonic phrase if the wallet is trustworthy.Q2: Will our wallets be open source?Open source is a double-edged sword. From an attacker's point of view, if the encrypted wallet code is open source, it is not difficult to combine 3-4 vulnerabilities and hackers can read the implementation details and try to find the program vulnerability and use it to attack.Therefore, we prefer not to open source for the time being, but we will do <a href="https://www.guru99.com/black-box-testing.html">black-box and gray-box penetration testing</a>. At the same time, we will prevent security vulnerabilities by proper security design, improving the security level of developers, writing programs in the best suitable cryptographic primitives, using proven modules and libraries and integrating them properly.In addition, we have invested heavily in following the Secure Software Development Life Cycle (SSDLC) and are one of the few blockchain companies in the world to have achieved dual ISO certification (Information Security &amp; Personal Privacy). (See: <a href="https://blog.kryptogo.com/%E8%B3%87%E8%A8%8A%E5%AE%89%E5%85%A8%E8%88%87%E5%80%8B%E8%B3%87%E9%9A%B1%E7%A7%81%E7%9A%84%E8%AA%8D%E8%AD%89-iso-27001-%E8%88%87-iso-27701-%E4%BB%8B%E7%B4%B9-217b5a881178">Information Security and Personal Privacy Certification - ISO 27001 and ISO 27701 Introduction - KryptoGO</a>)<h2 style="margin-left:0cm;">Extended Reading</h2><a href="https://www.cossacklabs.com/blog/crypto-wallets-security/#local-data-storage">Crypto wallets security as seen by security engineers — Cossack Labs</a><a href="https://www.infoq.com/articles/ale-software-architects/">Application Level Encryption for Software Architects</a>

In the last article, we explained the importance of mnemonics for Web3, and our mnemonics will definitely need to be placed in the wallet. At this time, the security of the wallet is very critical. 

Checking the Security of a Crypto Wallet - Taking KryptoGO Wallet as an example

The Insiders Among Us: June 18th, 2025

The Press F Experiment: June 4, 2025

It’s a Date! Vibe Coding Workshop: May 22, 2025

Unlocking Web3 Potential: Real-World Applications of KryptoGO Wallet

Meet KryptoGO Pay: April 30, 2025

Yua Mikami Ignites Solana Meme Coin $MIKAMI – The Ultimate Guide 

Create Your Crypto Payment Link: No Code Required, Accept Payments Globally!

One-Click Integration of Crypto Payments into Your App

The Future is Universal: April 9, 2025

The Signals Update: March 26, 2025

The Pump Hound Update: March 12, 2025

Escape Exchange Risks: Why KryptoGO Self-Custody Wallet is the Ultimate Choice for Web3 Users

Handle Login and Group Chats Update: February 26, 2025

Evolution of Taiwan's VASP Regulation: From Declaration to Licensing

Beginner's Guide to Hyperliquid ft. KryptoGO App: Feb 12, 2025

Refining the Waves with Ocean v3: January 22, 2025

Biweekly Update: January 8th, 2025

The '25 Roadmap Preview: December 18, 2024

“The King of Tron” Update: December 4, 2024

Biweekly Update: November 20, 2024

The 'Pulse' Update: November 6, 2024

In-Depth Technical Analysis: Why Choose a Mature Crypto Wallet Service Instead of Building Your Own

Five Stages of Evolution for Crypto Wallets

Biweekly Update: October 23, 2024

Biweekly Update: October 09, 2024

Biweekly Update: September 25, 2024

Send Via Link campaign and "Gimme more wallets" Update :  September 11, 2024

The “Send Crypto via Link” Update: August 28, 2024

KryptoGO's Award-Winning Innovations at ZK Hack Montreal, ETHDenver, and ETHTaipei

Stake Your Stables! Biweekly update: August 14, 2024

The “Not Just A Wallet” Update: July 31, 2024

Biweekly Dev Update: July 17, 2024

Biweekly Dev Update: July 3, 2024

Biweekly Dev Update: June 5, 2024

Challenges and Solutions for Using Cryptocurrency in Business Operations

Biweekly Dev Update: May 22, 2024

Biweekly Dev Update: May 8th, 2024

Biweekly Dev Update: April 17th, 2024

Biweekly Dev Update: April 3rd, 2024

Biweekly Dev Update: March 20th, 2024

Making Sense of Decentralized Wallets: EOA and Smart Contract Explained

Biweekly Dev Update: March 6th, 2024

Centralized vs. Decentralized: The Ultimate Guide to Choosing the Right Crypto Wallet for Your Business

Navigating Compliance in Taiwan's Cryptocurrency Market: From Fraud Prevention to Enhanced Regulation

【Kind Reminder】Please be vigilant against scams. KryptoGO will never proactively ask you to make investment transactions.

Biweekly Dev Update: February 21th, 2024

Biweekly Dev Update: February 7th, 2024

Web3 Business Operations: Future Trend or Current Necessity?

Biweekly Dev Update: January 24th, 2024

Biweekly Dev Update: January 10th, 2024

Biweekly Dev Update: December 27th, 2023

Biweekly Dev Update: December 13th, 2023

Biweekly Dev Update, November 29th, 2023

Biweekly Dev Update, November 15, 2023

Biweekly Dev Update: November 1st, 2023

Biweekly Dev Update: October 19th, 2023

Biweekly Dev Update: Oct 4th, 2023

The Chatroom and Social Update: September 20th, 2023

Play-to-Earn vs. Blockchain Gaming: Rediscovering the Joy of Play

Product Launch Update: September 6th, 2023

KryptoGO Launches AI-Powered One-Stop Web3 Cloud Solution

Biweekly Update: August 23rd, 2023

The Keyless Wallet Update: August 9th, 2023

Biweekly Update: July 26th, 2023

Biweekly Update: July 12th, 2023

Biweekly Dev Update: June 7th, 2023

Unlock the Future: Passkey + DID + FIDO - Exploring the Next Generation of Digital Wallets and Identities

Biweekly Dev Update: May 24th, 2023

Biweekly Dev Update: May 10th, 2023

Biweekly Dev Update: April 26th, 2023

KryptoGO team wins three ETHGlobal Tokyo Hackathon Awards! Join hands with YGG Japan and IVC to lay out GamiFi industry

Biweekly Dev Update: April 12th, 2023

Help enterprises enter the Web3 world painlessly! What is WaaS?

Biweekly Dev Update: March 22th, 2023

How Much Does It Cost to Develop a Cryptocurrency Wallet on Blockchain?

How to Navigate the Metaverse: A Guide to 7 Different Types of Crypto Wallets

Virtual asset transaction service KYC, AML demand increased! KryptoGO Compliance work with Gaia Information  pioneered regulatory investigation engine

Biweekly Dev Update: March 8th, 2023

DeFi and KYC: Conflict or Coexistence?

Biweekly Dev Update: February 22nd, 2023

KryptoGO Wallet Updates: Supports Ronin chain, Personal Profile, Wallet Connect 2.0

Biweekly Dev Update: February 8th, 2023

Biweekly Dev Update: January 18th, 2023

Coinbase, the most compliant exchange, has been fined $100 million by the government and given a deadline to fix it.

Biweekly Dev Update: January 4th, 2023

Biweekly Dev Update: December 21, 2022

Biweekly Dev Update: December 7th, 2022

Biweekly Dev Update: November 23rd, 2022

Why can't you get your crypto assets back when the FTX exchange collapses? – Not Your Key, Not Your Coin

Biweekly Dev Update: November 9th, 2022

Biweekly Dev Update: October 26th, 2022

Biweekly Dev Update: October 12th, 2022

Biweekly Dev Update: September 28th, 2022

Things you should know about financial security in the Web3 era: How does token, private key, and wallet (account) work?

Collaboration for Web3 Game Wallets: YGG Japan, KryptoGO, and IVC Join Forces

Biweekly Dev Update: September 14th, 2022

Wanting to issue NFT but is complained about the difficult procedure? —Find out what the marketing pain points are from the “distribution process”

Biweekly Dev Update: August 31th, 2022

Crypto Wallets: Custodial vs. Non-Custodial Wallets

All You Need to Know About VASP FATF

Checking the Security of a Crypto Wallet - Taking KryptoGO Wallet as an example

Recommend Articles

Hot Articles

Hot Tags