Security Considerations
AirGap is built with a focus on security, but it is still important to be aware of the potential risks and how to avoid them. On this page we outline some of the design decisions we made to protect our users, describe a few potential issues, and show how to mitigate them as well as possible.
Offline Device
This document assumes that you are running AirGap Vault on a secure offline device.
Hardware
AirGap can be installed on a variety of devices. Due to the fact that AirGap can be operated in an air-gapped way, even older devices are well suited for the purpose. However, it is important to note that older hardware is generally less secure than newer hardware. This is especially relevant if someone gets physical access to your device (see below). Depending on your threat model, investing in newer hardware might be advisable.
When setting up a new phone as your air-gapped wallet, be sure to follow our Best Practices.
Software
Software updates often fix critical security issues, so it is important that the software on your offline device is kept up to date. It's not necessary to install every update, but you should update the software on your offline device, as well as AirGap Vault, every couple of months.
When setting up a new device, be sure to follow our Best Practices.
Read this guide to learn how to securely update an existing device.
Remote attacks
Because AirGap Vault runs on an offline device and is completely air-gapped, remote attacks, meaning that the attacker tries to compromise a device remotely over the internet, are almost impossible. This is because AirGap Vault does not have any internet connectivity and an attacker has no way of "connecting" to the device to try and compromise it.
The only way for an attacker to get data onto an air-gapped device is by embedding it in a QR code, which is then scanned by the user. The main considerations here are:
- Our QR scanner was integrated in a way that makes sure scanned QR codes are not processed unless they are in an expected format. Even then, the way the data is used is strictly defined, so it is unlikely an attacker will be able to inject a malicious payload onto the offline device.
- Communication via QR codes is strictly one way. This means it is not possible for an attacker to have a back-and-forth interaction with the offline device, making it harder to exploit.
- It is more difficult to transfer big payloads to an offline device because many QRs need to be scanned and the user can be warned about this.
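As an added illustration of the three points above (example code written for this page, not AirGap's own; the `example-vault://` scheme, the part layout and the size limits are assumptions, not the real AirGap serializer format): scanned data is rejected unless it matches one expected layout exactly, only a known request kind is handled, and unusually long multi-part payloads are flagged for the user.

```typescript
// Added example, not AirGap's own code: a strict allow-list gate for data that
// arrives over the one-way QR channel. Payload layout and limits are assumed.
const SCHEME = "example-vault://";               // assumed URI scheme
const ALLOWED_KINDS = new Set(["sign-request"]); // the only request kind handled
const MAX_QR_LENGTH = 2953;                      // binary capacity of a version-40 QR code (ECC level L)
const MAX_PARTS = 20;                            // above this the user should be warned

type Gate =
  | { ok: true; kind: string; index: number; total: number; data: string }
  | { ok: false; reason: string };

// Assumed layout after the scheme: <kind>/<index>/<total>/<base64 data>
const PART_RE = /^([a-z-]+)\/(\d{1,3})\/(\d{1,3})\/([A-Za-z0-9+/]+={0,2})$/;

// Reject anything that is not exactly the expected format; nothing else is parsed.
function gateScan(raw: string): Gate {
  if (raw.length > MAX_QR_LENGTH) return { ok: false, reason: "too long" };
  if (!raw.startsWith(SCHEME)) return { ok: false, reason: "unknown scheme" };
  const m = PART_RE.exec(raw.slice(SCHEME.length));
  if (!m) return { ok: false, reason: "malformed payload" };
  const [, kind, i, n, data] = m;
  if (!ALLOWED_KINDS.has(kind)) return { ok: false, reason: "unsupported kind" };
  const index = Number(i), total = Number(n);
  if (total < 1 || index < 1 || index > total) return { ok: false, reason: "bad part index" };
  return { ok: true, kind, index, total, data };
}

// Reassembles a multi-part payload. Every part must pass the gate and agree on
// kind and part count, and a part scanned twice must be identical.
class PartAssembler {
  private parts = new Map<number, string>();
  private kind?: string;
  private total?: number;
  warnLargePayload = false; // surfaced to the user for unusually long payloads

  add(raw: string): Gate {
    const g = gateScan(raw);
    if (!g.ok) return g;
    if (this.total === undefined) { this.total = g.total; this.kind = g.kind; }
    if (g.total !== this.total || g.kind !== this.kind) return { ok: false, reason: "part of another payload" };
    if (g.total > MAX_PARTS) this.warnLargePayload = true;
    const seen = this.parts.get(g.index);
    if (seen !== undefined && seen !== g.data) return { ok: false, reason: "conflicting re-scan" };
    this.parts.set(g.index, g.data);
    return g;
  }

  // Releases the joined data only once every part has been scanned.
  complete(): string | undefined {
    if (this.total === undefined || this.parts.size !== this.total) return undefined;
    return Array.from({ length: this.total }, (_, k) => this.parts.get(k + 1)!).join("");
  }
}
```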
Local attacks
If an attacker has physical access to your device for an extended period of time, you should consider your mnemonic as compromised. It is rather unlikely that an attacker will actually be able to get access to your secret because it's stored in an encrypted format and protected by the secure chip of the device, but it's better to be safe than sorry. If you lose your device or it gets stolen, you should follow our "What to do if my secret is compromised?" guide.
A few notes:
- No matter which hardware wallet you use, you should always consider your secret as compromised. Even if the hardware is considered secure, you never know what kind of exploits will be released in the future, and if the attackers hold on to your device, they just have to wait until an exploit becomes available.
- Because AirGap Vault is installed on a regular mobile phone, an attacker might not identify it as a device that holds something valuable like a cryptocurrency private key. We therefore encourage you not to mark the device with labels or stickers that might indicate to an attacker that it is something other than an old phone.