Security issues with Jaxx !! warning

in #hack, 7 years ago

Yes, you read that right: it happens even in the best apps. It is well known that the more a piece of software is used, the more eyes there are to notice its errors and bugs, all the more so when the software is open source and can be scrutinized in much greater detail. Recently, while using JAXX, I became aware of an Android security problem, and when I looked for information about it online I found OTHER security problems as well. What do they consist of? I will go through them in this post, but first let's take a look at what JAXX is.

JAXX the blockchain wallet

JAXX is an application you can download to your phone to manage several cryptocurrencies such as Bitcoin, Ethereum or Dash. The private keys of your wallets are not stored on any server and are not sent anywhere: they are GENERATED AND STORED on your phone, which means you have total control of your money (and, by the same token, all of the responsibility for protecting it).

How does it work? JAXX is an HD (hierarchical deterministic) wallet. This means that access to all your funds is protected by a list of 12 words. These 12 words are what is called the "seed" (strictly speaking, the mnemonic from which the seed is derived), and they act like a master password from which the wallet deterministically generates every address and private key for each of your cryptocurrencies, so that you can receive and send money. That is why no private key needs to be stored on any server: the keys stay with you, and anyone holding those 12 words can regenerate all of them. Hence the importance of writing those words on paper and keeping them in a safe place as the backup of your money, and of never typing or storing them anywhere you do not control.

As for the app itself, the 12 words are encrypted and stored on your phone so that someone who gets hold of the files cannot read their contents. On top of that, you have the option to set a PIN that you must type every time you want to make a transfer. Now on to the security problems.

Security Issue # 1 - Seed

Although the 12-word seed is encrypted, vxlabs recently (June 10, 2017) published a vulnerability that allows the seed to be extracted. How? It turns out that JAXX for Chrome uses the SAME key to encrypt everything, and that key is fixed in the application's code. A key that is identical for every user and is public (you can see it on GitHub) provides no security whatsoever: decrypting is just a matter of taking the key and using it. Anyone who can access your files can extract the seed in under 20 seconds, restore it into a wallet of their own, and transfer your funds to another address. Note what this does and does not mean: the cipher was not broken, the encryption simply never had a secret. Only a key derived from something the user alone knows, such as a passphrase run through a slow key-derivation function, would have made a copied file worth less than plaintext.

Security Issue # 2 - PIN

This problem is easier to explain. The PIN that gates transfers is a 4-digit number, which is very short! What can happen? Suppose someone steals your phone: the thief can keep trying PINs until he gets at your funds. I know 10,000 combinations may sound like a lot, but in computing terms it is NOTHING. If the app checks the PIN locally with no limit on attempts, a short script that tries all 10,000 candidates finishes in a fraction of a second; and if the check compares against a stored hash, the same search can be run offline against a copy of the files. A lookup site such as https://crackstation.net/ illustrates the same idea for common hashes, but for a 4-digit space you do not even need one.

Realistically, this PIN is meant more to stop a partner or someone close to you from easily transferring money when they borrow your phone for a few minutes. It is not a serious level of security, and so the app is not intended for you to keep 400 BTC in it, only small amounts for day-to-day use.

Security Issue # 3 - Autocomplete

This one is not strictly a JAXX problem but an Android one, and it concerns the keyboard's autocomplete. Every time you type, your phone learns your words, and it goes further than that: it memorizes the order in which words follow one another.

Suppose you download JAXX and want to restore an old wallet: you have to type the 12 words of the seed. The problem is that while you type them, Android is memorizing them, including their order. Now suppose you want to sell your phone. The first thing you do is uninstall JAXX and erase its data. The new owner could download the app again and, if he knows the first word of the seed (or tries several, letting the autocomplete guide him), type it and wait for the Android keyboard to suggest the next word, and so on, until he has typed all 12 words and has access to the funds.

Two things have to happen for you to be vulnerable here. First, you must have typed the 12 words on your phone several times, so that Android has reinforced its learning of them. Second, the attacker must know this and be willing to let the keyboard's suggestions guide him until he gets there. Clearing the keyboard's learned words before handing the phone over (most Android keyboards offer this in their settings), or doing a full factory reset, closes this avenue; so does typing the seed only when you truly need to.
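To show why the "typed several times" condition matters, here is an added toy model (my code, not Android's or Jaxx's) of the kind of next-word predictor a keyboard builds from typed text: a table of word pairs with counts. An attacker who starts from the first word and keeps accepting the top suggestion walks the chain. The seed (the first twelve BIP39 English words, constructed, not a real wallet) and the "ordinary messages" that compete with it are made up for the demo; real keyboard models are more elaborate, but the mechanism is the same.

```javascript
'use strict';
// Added example, not Android or Jaxx code: a toy bigram next-word predictor, used to show
// how a seed typed repeatedly can be walked back out from its first word.

class ToyKeyboardModel {
  constructor() {
    this.bigrams = new Map(); // previous word -> Map(next word -> count)
  }

  // Learn word order from anything the user types, seed words included.
  learn(text) {
    const words = text.toLowerCase().split(/\s+/).filter(Boolean);
    for (let i = 0; i + 1 < words.length; i++) {
      if (!this.bigrams.has(words[i])) this.bigrams.set(words[i], new Map());
      const next = this.bigrams.get(words[i]);
      next.set(words[i + 1], (next.get(words[i + 1]) || 0) + 1);
    }
  }

  // Top suggestion after `prev`; ties go to the word seen first.
  suggest(prev) {
    const next = this.bigrams.get(prev);
    if (!next) return null;
    let best = null;
    let bestCount = 0;
    for (const [word, count] of next) {
      if (count > bestCount) {
        best = word;
        bestCount = count;
      }
    }
    return best;
  }

  // Keep accepting the top suggestion: what the buyer of a second-hand phone would do.
  walk(first, length) {
    const out = [first];
    while (out.length < length) {
      const w = this.suggest(out[out.length - 1]);
      if (w === null) break;
      out.push(w);
    }
    return out;
  }
}

// Constructed data: a sample seed and some everyday messages that share words with it.
const SEED = 'abandon ability able about above absent absorb abstract absurd abuse access accident';
const ORDINARY_MESSAGES = [
  'i am able to come about noon',
  'the movie was absurd but fun',
  'see you about nine at the access road',
];

// Simulates a phone on which the seed was typed `repetitions` times among ordinary
// messages, after which an attacker types the first word and follows the suggestions.
function recoverSeed(repetitions) {
  const model = new ToyKeyboardModel();
  for (const m of ORDINARY_MESSAGES) model.learn(m);
  for (let i = 0; i < repetitions; i++) model.learn(SEED);
  return model.walk('abandon', 12).join(' ');
}
```

With the seed typed once, everyday phrases such as "able to" win the tie against "able about" and the walk derails after three words; with it typed three times, every seed pair outranks its competitors and `recoverSeed(3)` returns the full twelve words. That is exactly the first condition above: one restore is usually not enough, repeated restores are.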

To finish

JAXX is like your physical wallet or pocket: a place where you keep a little money, enough for your daily expenses, so that if you are robbed the loss is not large. Anyone who gets access to your JAXX files can easily get at your funds and transfer them to another account.

My recommendation is to be careful with this app and to keep any large sums in a paper wallet, which is the safest way to store your money.


I was using Jaxx; I liked its ease of use, its great design and the ShapeShift exchange built into it. However, I stopped using it because of the security problems it has. Thank goodness nothing happened to me! Now I use Exodus: no mobile application, but it has versions for MacOS, Windows and Linux. It comes with ShapeShift onboard and it is multi-currency like Jaxx. Try it!

Thanks for the recommendation
