Today I went full paranoid as I entered the private key into Elastos Mobile wallet for access into a Supernode wallet. I already hate this, as I don’t trust my phone, nor do I ever expose my private key except when completely necessary and certain that I am safe.
But, after I typed the very first word into my phone, I was given a suggested word, which, lo and behold, ended up being the next word in my private key. This happened about 5 times in which Gboard, the native Android phone keyboard, correctly predicted the next private key word.
After some research, it looks like Google has full permission to transmit this data however it pleases through the keyboard. I can’t say I’m surprised, but I just didn’t think about this vulnerability, to be honest.
So, going full paranoid, I tried to uninstall the keyboard—yet I realized that on Android, I couldn’t uninstall it nor could I delete the information that had already been stored. Old tutorials described a clearing cache option, but nothing was available to me now. All I could do was find another third-party keyboard and remove whatever permissions I could from both.
Upon installing this new third-party keyboard, and trying to make it my default keyboard, I was given this disturbing message:
“This input method may be able to collect all the text that you type, including personal data like passwords and credit card numbers. It comes from the app ________. Use this input method?”
If you read between the lines, you’ll understand that Google is letting you know that this is exactly what they’ve been doing all along with collecting personal data.
Not news, I know, but certainly a personal wake-up call in this case.
I have to trust some keyboard in order to use my phone, so I’ve made an independent choice that seems to be the best option, and I’ve denied any permissions it might need. It’s a keyboard; it doesn’t need WiFi, nor should it be able to.
A few conclusions come to mind:
- Elastos is the answer.
- Until we have Elastos Browser, I would like to see another option besides Elephant and Elastos Mobile wallet concerning Supernodes. The phone is, to me, the most likely device to be compromised, and Supernode funds are no joke.
- Keystore, at least, would improve the situation rather than putting in the entire private key—though this doesn’t solve the problem that your keyboard has full access to what you are typing into it. But use the Keystore that you can get from the Elastos Mobile Wallet and it will add an additional layer of protection at the very least.
- Hardware wallet support is coming, thanks to Ledger as well as the Noderator’s relationship with Ellipal, but hardware support for Supernode-related funds, voting, and registration needs to come fast.
As mentioned, I went full paranoid, and while I know I am “likely” safe, the phone’s keyboard is a clear vector of attack. And though I deny application permissions regularly, I haven’t done a full sweep in a while. I was surprised to see many apps, including crypto apps, taking permissions that I can’t imagine them needing.
I urge the community to take a look at their own settings and application permissions and to consider switching their default keyboard to something better. I also urge the Elastos Foundation to be ready to quickly implement hardware wallet support, and at the least, suggest better security standards in their apps and support desktop applications.
Note: I am not suggesting a specific keyboard because I do not want to have the responsibility (nor do I have the expert knowledge) of recommending any particular third-party keyboard. DYOR.
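One concrete “better security standard” an app can apply to the field where a private key or mnemonic is typed is to tell the input method it is a password-style field and to keep autofill and screen capture away from it. The Kotlin snippet below is an added illustration, not code from the Elastos Mobile Wallet or any Elastos project; `hardenSecretInput` and the activity name are assumptions made for the example, and the behaviour it asks for depends on the installed keyboard, since these flags are hints to the IME rather than something the system enforces.

```kotlin
import android.app.Activity
import android.text.InputType
import android.view.View
import android.view.WindowManager
import android.widget.EditText

// Added example (hypothetical helper, not Elastos code): configure an EditText that will
// receive a private key or mnemonic so that the active keyboard is asked not to learn
// from or suggest completions for what is typed, and so the platform keeps fewer copies
// of the text. A third-party IME can still observe every keystroke; these settings only
// reduce what is retained and suggested later, they do not make an untrusted keyboard safe.
fun hardenSecretInput(activity: Activity, field: EditText) {
    // TYPE_TEXT_VARIATION_VISIBLE_PASSWORD: keyboards treat this as a password field and
    // normally disable personalised-dictionary learning while still showing the characters,
    // which matters for a mnemonic the user needs to read back.
    // TYPE_TEXT_FLAG_NO_SUGGESTIONS: additionally asks the IME to show no suggestion strip.
    field.inputType = InputType.TYPE_CLASS_TEXT or
        InputType.TYPE_TEXT_VARIATION_VISIBLE_PASSWORD or
        InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS

    // Autofill services are also third-party code; keep them out of this field entirely.
    field.importantForAutofill = View.IMPORTANT_FOR_AUTOFILL_NO_EXCLUDE_DESCENDANTS

    // Do not let the framework persist the field's contents in saved instance state
    // across rotation or process restarts.
    field.isSaveEnabled = false

    // Disable long-press selection so the secret cannot be copied to the clipboard,
    // which other apps can read on older Android versions.
    field.setTextIsSelectable(false)
    field.isLongClickable = false

    // FLAG_SECURE blocks screenshots and screen recording of this window while the
    // key is on screen, closing off another way the text can leave the device.
    activity.window.setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE
    )
}

// Clear the buffer as soon as the key has been consumed so it is not left behind
// in the view hierarchy once the user navigates away.
fun wipeSecretInput(field: EditText) {
    field.text.clear()
}
```

The stronger option, which this snippet does not implement, is to bypass the system keyboard altogether for seed entry, for example with an in-app word picker drawn from the wallet’s own wordlist, so that no IME ever receives the words. Even then, the keystore and hardware-wallet paths the post mentions remain the better answer, because the full secret never has to be typed on the phone at all.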