The smartphone has replaced many devices: the camera, the voice recorder, the GPS unit, the torch, and it is now our primary access point to the internet. It has become more than a simple communication device for making calls and sending texts; with bitcoin, a smartphone can be your bank.
There’s little rest for your hard-working smartphone. If you’re like many today, you use your smartphone in your personal and professional life, and with that comes some serious risk. Smartphones and custodial services have brought us convenience, and many of us don’t question the trade-off and mistakenly treat bitcoin and bitcoin apps with the same nonchalant attitude, a disposition that plenty of bitcoin owners have lived to regret.
While you can use bitcoin on your smartphone, it’s by no means a risk-free operation: you are signing and broadcasting transactions from a device that can be snatched or compromised.
Smartphones can’t stop you from making dumb decisions
While you might enjoy pinging sats to friends and family and browsing untrusted websites on the same device and get away with it, someday you might not be so lucky. You’re operating on the assumption that every attack vector is covered, and that is anything but the truth.
Have you ever sat down and asked yourself, what if something went wrong with that phone, like loss or theft? Worse yet, what if your smartphone got hacked? What would you do? Do you have a plan for these scenarios?
If not, perhaps it’s time to start working on your operational security. Losing a phone is a costly replacement; losing a phone that has access to your bitcoin can put you in a position from which you never financially recover.
Although it’s impossible to have perfect privacy and security on any smartphone, there are plenty of settings and safety practices you can employ to minimise your risk, so let’s have a look at what they are and how to deploy these tactics properly.
1. Move your funds.
The first and simplest tip for reducing the risk to your bitcoin balance is not to keep any of it in a hot wallet on a mobile device, that is, a wallet whose private keys live on an internet-connected phone. If you have funds in a wallet that you’re not using, not planning to use, or haven’t touched in at least six months, why risk having them reachable from your phone at all? You’re better off moving that bitcoin to cold storage and topping up your hot wallet later when needed.
Yes, it’s an extra hoop to jump through to access your funds, but better that pain than the pain of seeing your wallet cleaned out.
2. Maintain a hard cap.
If you must have a bitcoin balance on your phone because you do spend it regularly or you receive funds on the fly, then perhaps the next step for you would be to decide on a hard cap. This could be any figure you like, but ensure that it’s a figure you can live with losing in a worst-case scenario.
For argument’s sake, let’s say it’s 10 million satoshis/0.1 BTC. As soon as you hit that figure, you should consider reducing your exposure and moving the rest of that bitcoin into cold storage. That way, you know that if anything happens, your losses are capped at the amount you set.
No one is going to enforce this hard cap for you; you have to enforce it yourself, remain disciplined and stick to the rules you’ve set. If you get lazy or sloppy, you only increase the incentive for those who would love to break into your wallet.
3. Regularly back up your phone.
You will save yourself a lot of headaches if you keep an ongoing backup of your phone. That way, if it’s ever lost or stolen, you still have all the apps, data, and accounts up to date in your backup.
While backing up your contacts and your apps to the cloud is best practice, one thing you should never back up to cloud storage is your seed phrase. For the love of all things Satoshi Nakamoto, do not keep your seed phrase in an email, a text message, a note, or a screenshot on your phone.
When you back it up to the cloud, you’re creating digital copies of your seed phrase: copies you have no control over, whose location you don’t know, and which you can’t tell how many times they have been copied or who has access to them.
Your copy of the seed phrase should always be kept offline, even if the wallet app generated the keys on the device itself. That is already one hot copy too many, and you shouldn’t be adding to it.
4. Don’t use free WiFi, or use a VPN.
Yes, we know it’s a perk offered by plenty of public places such as shopping centres, cafes, and airports, but free WiFi doesn’t mean secure WiFi, and those internet connections can spell open season for all kinds of online mischief.
Everyone should be aware of the dangers of using open WiFi. If you are out in public, try to use only your private cell connection whenever possible and switch off WiFi on your mobile phone altogether whenever you are in a public place.
If you must use WiFi that isn’t a home or office connection you trust and can monitor, then use a VPN, which encrypts your traffic between the phone and the VPN provider so that nobody on the public network can read or tamper with it. Bear in mind that this only moves the trust to the VPN provider; pick one you have a reason to trust.
5. Keep the Bluetooth switched off.
A surprising number of people don’t realise the risks of Bluetooth. It’s a handy pairing protocol that saves a lot of hassle when transferring files or connecting devices wirelessly, but a radio that accepts connections from nearby strangers is also a way into your phone.
Consider disabling Bluetooth while you’re out and about unless you are wearing a smartwatch or wireless headphones that need the connection. In that case, the next best option is to turn off discoverability so that only the devices you have already paired can connect.
6. Keep your 2FA private.
Another security measure most people can’t stand, because they are the ones who have to jump through the hoop, is two-factor authentication (2FA). It might be annoying, but like a password it serves a purpose: it provides an extra layer of protection in case someone gets hold of your password.
If you use 2FA, prefer an authenticator app or a hardware security key over SMS. The app holds its secret on your device and derives each code locally, and you can revoke and re-enrol it from another device. SMS 2FA, by comparison, is close to useless if the attacker has your phone or has convinced your carrier to move your number to their SIM (a SIM swap).
An eSIM is harder to pull out of a stolen phone and its profile can be deleted remotely through your carrier or device-management tools, but a code texted to an eSIM is still SMS 2FA and is still exposed to a SIM swap at the carrier, so treat it as a fallback, not the primary factor.
7. Keep all software up to date.
If you’re not using a custom operating system (OS), you have pretty much no say in which version you run, and in that case the latest version is almost always the best in terms of security. When an update is released for your device, download and install it promptly.
These updates often include security fixes, vulnerability patches, and other necessary maintenance. If you’re using a custom OS, you might want to apply the opposite rule and wait for community feedback before you update any software, especially something as vital to your phone’s security as the OS.
8. Have several password layers.
A lock on your screen, whether a passcode, a password or a biometric, should be the first line of defence on any smartphone, and it is a must when you hold bitcoin on your phone. It stops anyone who picks up your phone from opening your apps and the data held within.
Set a passcode that only you know, and enter it before you use your phone. Where the wallet app offers its own PIN or biometric lock, turn that on too, so that unlocking the phone alone doesn’t unlock the wallet.
9. Unique password use.
Avoid reusing passwords or using variations of the same password. When cybercriminals get hold of a user’s password from one breach, they try it, and obvious variations of it, against every one of that user’s other accounts.
Don’t hand them that kind of skeleton key.
The better option is to use a password manager to create unique, hard-to-crack passwords; its advantage is that it remembers all of them for you. Another option is to use memorable sentences or “passphrases”, several unrelated words strung together, which are long and yet easy to recall.
If you need to write them down, do so, but store them away from your computer.
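As an added example (not from the original article), the snippet below does what a password manager does when it generates a passphrase, with two checks a practitioner cares about: it draws words with the operating system’s CSPRNG (`secrets`, never `random`), it estimates strength as words × log2(list size), and it flags the “variation of the same password” habit by normalising case, leetspeak and appended years or symbols before comparing. The word list is a small constructed stand-in; a real generator loads a full list such as the 7776-word EFF list.

```python
"""Added example: CSPRNG passphrase generation, a strength estimate, and a
check that a new password is not just a cosmetic variation of an old one."""
import math
import re
import secrets

# Constructed stand-in for a real word list (an EFF/Diceware list has 7776
# entries); a password manager would load the full list from disk.
SAMPLE_WORDLIST = [
    "anchor", "basalt", "cobalt", "dynamo", "ember", "falcon", "glacier",
    "harbor", "ivory", "juniper", "kestrel", "lantern", "meadow", "nebula",
    "orchid", "pepper", "quartz", "raven", "saffron", "timber", "umber",
    "velvet", "walnut", "xenon", "yarrow", "zephyr",
]


def generate_passphrase(wordlist, n_words=5, sep="-"):
    """Pick words with secrets.choice (OS CSPRNG); random.choice is predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """Each word is one uniform draw from the list, so bits = words * log2(size)."""
    return n_words * math.log2(list_size)


def password_entropy_bits(alphabet_size, length):
    """Same formula for a random character password, for comparison."""
    return length * math.log2(alphabet_size)


# Common leetspeak substitutions, undone before comparing passwords.
_LEET = str.maketrans("@$!0134", "asioiea")


def normalize(password):
    """Strip the cosmetic tweaks people add: appended years/symbols, case, leet."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)  # drop "2021!", "#"
    core = core.lower().translate(_LEET)                      # P@ssw0rd -> password
    return re.sub(r"[^a-z]", "", core)                        # drop anything left


def is_variation(old, new):
    """True when the new password shares its normalised core with the old one.
    Deliberately conservative: a false positive only makes you pick again."""
    a, b = normalize(old), normalize(new)
    if len(a) < 4 or len(b) < 4:
        return False
    return a == b or a in b or b in a


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST, 5)
    print("passphrase:", phrase)
    print("5 words from a 7776-word list: %.1f bits" % passphrase_entropy_bits(7776, 5))
    print("8 random lowercase letters:    %.1f bits" % password_entropy_bits(26, 8))
    print("Summer2021! -> Summer2022# is a variation:",
          is_variation("Summer2021!", "Summer2022#"))
```

Five words from a 7776-word list give roughly 65 bits, more than an 8-character random password, while remaining something you can say out loud. The variation check is the rule the text describes written down: if the normalised cores match, the attacker who has the old password will get the new one on the first few guesses.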
10. Avoid suspicious links.
Any link you receive by email, SMS or instant message should be treated with suspicion when you have a bitcoin wallet on your phone. If you don’t know the sender, don’t even think about clicking it.
If you do know the sender, confirm through another channel that they actually sent it before you click, or open the link on a different device such as your home computer. Fake email, text and messaging accounts impersonating a person or organisation you know are a common cybercriminal trick, known as phishing.
What these attackers want is access to a device flush with personal information they can use to unlock your funds, so don’t take the bait.
11. Keep sensitive notifications off your lock screen.
Notifications are standard on smartphones these days, and very few of us customise them, so they can leak personal information. If your phone shows transaction confirmations, balances and price alerts on the lock screen, those are dead giveaways that you might have bitcoin on your phone.
This is the kind of information you don’t want someone peeking at over your shoulder, or a stranger finding if you lose your phone, and the same goes for text message previews and email subject lines.
Today’s smartphones let you turn off notifications for specific apps or hide the content a notification shows on the lock screen, so take the time to check your settings and close off this leak.
12. Purge your smartphone.
Finally, if the worst happens and you lose your phone or have it stolen, you can turn it into a bit of a Mission Impossible scenario, where this message will self-destruct in a few minutes. Most of today’s smartphones offer a remote wipe.
Using a command from your account, you can erase all your personal data from the device’s storage remotely. Check the manufacturer’s instructions for how to erase your iPhone remotely or erase your Android device remotely, and set it up before you need it. Note that the wipe only runs once the phone comes online, and a careful thief will keep it offline, so your screen lock and wallet PIN remain the defence that has to hold in the meantime.
Wiping the phone ensures no trace of any data that could lead to your bitcoin wallet remains on that device. You don’t have to worry about losing that data, because you have the regular backup you’ve been making, and you kept an offline copy of your seed phrase, right?
Do you take self-custody of your stack?
If you’re new to bitcoin and have not yet ventured down the self-custody rabbit hole, what is stopping you? If you’re already self-sovereign, how has the experience been since you took hold of your funds? Have you ever lost funds to bad opsec?
Let us know in the comments down below. We’re always keen to hear from bitcoiners from around the world.