Your seed and private keys never leave your device. They are encrypted with an AES key derived from the password you currently have set for protecting the wallet. Your seed and keys are kept encrypted at all times in your device's default application data folder, beyond the reach of any other app that doesn't have root privileges. The Android version supports the Trusted Execution Environment (TEE), so the decryption of your wallets is handled by hardware and systems specifically designed to protect sensitive data.
When you enter your password to make a transaction, your keys are locally decrypted and used to sign the transaction. After signing, the plain text keys are immediately destroyed (filled with zero) as an extra security precaution.
Can a thief hack my device and spend my funds?
Your keys are stored in the Coinomi data folder, which can only be accessed by Coinomi itself and administrator-level applications. If your device is rooted, non-system applications may be able to access Coinomi's data folder. During wallet setup you will get a warning notifying you in case Coinomi detects that your device is rooted. That doesn't mean your funds are at risk: by setting a strong password, even automated brute-forcing is infeasible. Read more below.
What if my device is stolen?
You can enable PIN brute-force protection on Coinomi for Android. If your initial PIN is entered incorrectly a certain number of consecutive times, your wallets are permanently deleted from the device. Only you will be able to regain access to them with your recovery phrase.
If an attacker gets past the PIN, every transaction sent from your device will still need your transaction password if you set one. Your keys are encrypted and the app can't do anything without decrypting them with your password first.
Setting a strong password makes it extremely difficult to brute-force, possibly taking hundreds of thousands of years. Assuming that whoever accesses your lost device doesn't just factory reset it or fails to enter the PIN too many times, you will have time to restore your wallet on a new device and move the funds to a new phrase that you are sure is safe.
Let's say your phone was stolen by a super-villain who has all the computing power in the world to crack your password. If you set the most secure option, he still can't access your funds since he doesn't have your fingerprint.
What if my device gets infected with malware?
Malware on your device can't access your private keys directly, but it could try to get your information some other way. If you ever suspect that your device is infected with malware, we recommend that you wipe your device to factory settings as soon as possible. But even if your device is infected, Coinomi still has security features to protect your funds.
Dedicated offline keyboard
When restoring your wallets, the Android version has its own secure keyboard that is guaranteed not to "learn" your phrase or transmit it anywhere, like many "smart" keyboards do.
Screenshot and Screen recording protection
Screenshots and screen recording on the Android version are disabled by default. No app will be able to capture your passwords, phrases, addresses or balances when they are displayed on your screen.
Optional BIP39 passphrase
When creating or restoring a wallet, you have the option to add an extra BIP39 passphrase. Even if your recovery phrase is leaked, the wallets are inaccessible unless the passphrase is also known during restoration.
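As an added illustration of why the passphrase matters (example code written for this page, not Coinomi's own implementation): BIP39 derives the wallet seed with PBKDF2-HMAC-SHA512 using the passphrase as part of the salt, so a leaked phrase restored without the passphrase yields an entirely different set of wallets. The mnemonic below is the public all-"abandon" BIP39 test vector, used here as constructed sample input.

```python
"""BIP39 seed derivation with an optional passphrase (stdlib only)."""
import hashlib
import unicodedata

# Constructed sample: the well-known all-"abandon" BIP39 test mnemonic.
# It is a public test vector, not a real wallet; never use it to hold funds.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed.

    BIP39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds, the NFKD-normalised
    mnemonic as the password and "mnemonic" + NFKD(passphrase) as the salt.
    Because the passphrase only changes the salt, there is no "wrong
    passphrase" error: any passphrase produces a valid-looking seed, just
    one that opens a different (typically empty) set of wallets.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seeds_differ(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True when two passphrases turn the same mnemonic into different seeds."""
    return bip39_seed(mnemonic, passphrase_a) != bip39_seed(mnemonic, passphrase_b)


if __name__ == "__main__":
    # The same phrase with and without a passphrase: two unrelated seeds.
    print("no passphrase:", bip39_seed(SAMPLE_MNEMONIC).hex())
    print("passphrase   :", bip39_seed(SAMPLE_MNEMONIC, "TREZOR").hex())
```

The "TREZOR" passphrase case reproduces the first entry of the standard BIP39 test vectors, so the function can be checked against a published value.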
What happens if your servers get hacked? Can't hackers steal my funds?
Our servers have nothing but the blockchain itself. If hackers want that, they can simply run their own nodes. Private or personal data is never transmitted from your device, so there is nothing in our servers that can be stolen.
How can I log out of the app?
When you log in to a website, the website provides you with the information it keeps about you in its database. When you log out of the website, it ceases to provide that information. In Coinomi there are no accounts. No information about you is kept in our databases. Wallets aren't linked to an email address, phone number, username or any other kind of user information. You are not logged in anywhere because we don't have your data. Likewise, you also don't log out from anywhere. All of your data exists only on your device, which is why it's essential that you back up your recovery phrase safely. If you want to erase any trace of the wallets being on your device, simply open Coinomi's "Settings - Manage wallets" and delete your wallets from there.
How can I prevent others from seeing my balances?
Please check out all of our privacy features here.