What are the risks of using Zashi on your smartphone?
I always hear about people losing their cryptocurrency funds by using a smartphone wallet. What are the risks of losing funds in a virus attack on a smartphone? How can I protect Zashi so that no virus can get the funds from the wallet? Is there any way to install Zashi on a computer with Linux?
If I buy any Android smartphone (any company or model), use only Zashi and the applications that come with Android on that smartphone, and only connect it to my home Wi-Fi, going online every 3 months to update Zashi and check how my coins are doing, do I run any risks by doing this? Is it worth buying a smartphone just to use the Zashi wallet?
It depends on a lot of factors as usual, but it is fairly secure. If you take care not to install shady apps then the risk is slim. Also make sure to apply OS security patches.
Of course, if you want to store a huge amount of ZEC, it would be better to use a hardware wallet or offline wallet.
I’d argue that Linux is a bit riskier since mobile is more sandboxed. But that also depends on how you use it, how often you install other stuff on it, etc.
Zashi has a lot of “footgun protective measures”, but it can only do so much.
In addition to what Conrado has said, the usual security advice applies:
Keep your OS up to date
Don’t sideload OSes unless you are very sure of what you are doing (for example, you are an advanced user with a lot of knowledge in opsec)
Don’t use public Wi-Fi
Use a privacy-minded VPN (like NYM VPN) to protect your traffic as much as you can
Don’t sideload apps
Don’t participate in dubious “airdrops”
In the case of Android, use the most modern device you can afford. Make sure that your device has a “secure enclave”. This means that it has a dedicated piece of hardware to store secrets.
Modern devices and their OSes do a lot to protect their users, but a lot of attacks leverage social engineering, so it is the users who leave the door open for the attackers to do their job, more than exploiting complicated 0-day issues. It’s not that those don’t exist, but it is much easier to lure someone into disclosing their secrets by mistake than to actually break a complicated piece of software.
A practice I have is that I don’t “check” the SPAM folder; I just delete it. This comes with its cost, though. A few days ago it almost left me out of a conference at which an MSc student of mine presented a paper, because their emails were legitimate but so poorly crafted that the SPAM filter applied to them.
I do this because no one is immune to social engineering. Social engineering is very effective because we are human and imperfect.
My first rule of thumb for avoiding falling into social engineering is admitting that you are a human who can hardly pass a CAPTCHA, but who can still be trapped by their instincts to agree and be liked by other human beings.
My second rule of thumb is to treat all email as possible SPAM regardless of the folder or categorization your email client gives it. Try to verify that the conversation belongs to the channel it is being initiated in, even if the source is someone you’ve been communicating with frequently.