Web3, mobile dApps and cybersecurity: an overview
Smartphones now dominate the digital landscape, with a level of user engagement far surpassing that of consoles and PCs. According to the latest Data.AI study, French people spend an average of 3.5 hours a day on their smartphones, on a par with their European neighbors. In countries such as Thailand, Indonesia, and Argentina, the average is between five and six hours a day, rising to seven hours in Japan and Korea. Mobile data analytics specialist Data.AI reports that by the end of 2023 there had been 2.3 billion downloads of applications integrating generative AI functionalities, an increase of 40% on the previous year.
In light of this, crypto companies have focused much more heavily on their smartphone applications. As a result, their quality has improved dramatically over the past few years, especially during the last bear market of 2022-2023. Investments in R&D, the drive to attract new customers, and the need to keep existing ones interested are just some of the issues that players in the crypto ecosystem have faced during this period, prompting them to transition and develop mobile solutions tailored to consumer habits. While leading centralized exchanges such as Coinbase, Crypto.com, and Binance have offered their mobile-friendly light versions for several years, many crypto wallets have been slow to release mobile versions after launching their browser extensions. Centralized exchange SwissBorg, by contrast, opted for a mobile-only app when it launched in 2017, and still has no desktop version today. It also organized a referendum via blockchain, asking its users which solution they preferred, with the mobile app option winning 55% of votes and the responsive website option 45%. The geographical distribution of votes revealed strong participation from its users in Japan, followed by Switzerland and the UK.
Adapting the Web3 ecosystem to new challenges
This was an isolated initiative in the world of cryptocurrencies for a long time, but in recent years it has been catching on like wildfire. One example is the appearance of the Warpcast application, one of the clients for Farcaster, a decentralized mobile-centric social media platform with over 350,000 users. Its daily active users skyrocketed in just a few days, from 5,000 on January 28, 2024, to 24,700 on February 3. Another example is Ledger, the hardware wallet manufacturer with its famous “Ledger keys”, which integrated a Bluetooth connection into its new models for signing and validating transactions without a USB cable, optimizing them for mobile use. Because Ledger is the number one supplier of physical crypto wallets, this integration gives other companies a foothold in the mobile applications market, providing a security solution previously unavailable on smartphones.
However, developing Web3 applications for smartphones is not without its challenges. The wide variety of mobile devices, with different performance capabilities, makes it difficult to develop applications that work well on all devices. This just adds a further layer of complexity in a sector already plagued by security issues. Decentralized applications (dApps) include crypto platforms, games, and anything requiring payments in cryptocurrencies. Security flaws abound, and developers need to proactively anticipate and resolve them. Web3 game development for mobile, meanwhile, faces stiff competition from the simplified user experiences of today’s mobile games. The complexity of Web3 transactions, compared with simpler Web2 actions, is still a major obstacle to mass adoption.
A boon for cybersecurity
All this has created a new market with infinite potential for cybersecurity companies looking to solve these new challenges. One such company is FuzzingLabs, a startup specializing in vulnerability research, fuzzing, and blockchain security, which has identified two major vulnerabilities.
The first, and most common, is the problem of data storage. For example, someone who steals a phone can regain access to the wallets on it even without the private key. This troublesome flaw has already affected a number of Web3 applications available on Android. But the solution is simple: before downloading the application, make sure it uses strong encryption to protect your privacy and check what it stores in memory. When you switch from one app to another, even without logging out of the first, check that the key has not remained in your device’s memory. It’s also a good idea to always log out of Web3 applications after use. Without these precautions, identity theft is child’s play.
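The storage precaution described above, as an added example that is not part of the original article: a wallet secret is sealed under a passphrase-derived key (scrypt, then AES-256-GCM) so that the stored blob alone does not open the wallet, and key material is zeroed after use. The function names, the blob layout and the scrypt parameters are assumptions of this example.

```javascript
const nodeCrypto = require('node:crypto');

// scrypt cost parameters: assumed values for this example, tune per device.
const SCRYPT = { N: 16384, r: 8, p: 1 };

// Assumed blob layout: salt(16) | iv(12) | GCM tag(16) | ciphertext
function sealSecret(secret, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = nodeCrypto.scryptSync(passphrase, salt, 32, SCRYPT);
  try {
    const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
    const ct = Buffer.concat([cipher.update(secret), cipher.final()]);
    return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
  } finally {
    key.fill(0); // the derived key does not stay in memory after sealing
  }
}

function openSecret(blob, passphrase) {
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const ct = blob.subarray(44);
  const key = nodeCrypto.scryptSync(passphrase, salt, 32, SCRYPT);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    // final() throws if the passphrase is wrong or the blob was modified.
    return Buffer.concat([decipher.update(ct), decipher.final()]);
  } finally {
    key.fill(0);
  }
}

// Hand the plaintext to fn, then zero the copy we hold, even if fn throws.
// Best effort only: the runtime may still hold other transient copies.
function withSecret(blob, passphrase, fn) {
  const secret = openSecret(blob, passphrase);
  try {
    return fn(secret);
  } finally {
    secret.fill(0);
  }
}
```

On a phone this pattern would normally sit behind the platform key store (Android Keystore, iOS Keychain); that integration is outside this example.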
The second vulnerability is linked to unsecured connections to public networks. The advantage of a mobile application is that you can access it from anywhere, at any time. However, connecting to dApps in everyday life requires users to pass through servers that are often unsecured. For example, a user logging in to their wallet while eating at McDonald’s will connect through the restaurant’s server. This network is not private, making it vulnerable. Even without having access to it, an attacker can intercept and modify transactions by redirecting the user to another web page, all without the user even realizing. The solution is simple here too: never connect to unknown networks, and only log in to your wallet at home, always from the same device. It’s also better to have several wallets rather than a single wallet holding all your assets, to minimize the risk of loss.
In short, to strengthen security, it’s essential that applications use robust encryption and check what is still in memory. To minimize risks, users should always log off and restart their devices, and avoid connecting to unsecured networks.
Emerging Web3-compatible solutions and opportunities
To meet these challenges, several solutions are beginning to emerge. Zero-knowledge (ZK) rollups are a Layer 2 solution for decongesting blockchains, delivering scalability that was previously impossible and improving application performance. Account abstraction simplifies login, reducing the complexity involved in interacting with dApps.
The emergence of phones specially designed for Web3, such as the Solana Saga, developed by Solana Mobile and OSOM and costing around $600, also presents some interesting opportunities, although they do pose security risks. An attacker could install customized firmware with a backdoor on a Web3 phone, potentially compromising it before the customer even receives it. This risk is not limited to the Solana phone; it applies to all devices with similar security configurations.
Another solution is the use of Trusted Execution Environments (TEEs). TEEs are supposed to provide secure areas within a device’s main processor to protect sensitive data, such as private keys. However, vulnerabilities in TEEs can allow attackers to extract PIN codes and access wallets, emphasizing the importance of correct implementation. There are also questions around the secondary market for these technologies: how can we be sure that a full reset has been performed?
Success stories about Web3 mobile applications, especially wallets and some games, are key to mass adoption. However, security flaws could affect consumers who are less risk-aware. The integration of hardware wallets into smartphones by major players such as Apple, Google, and Samsung could transform the way users interact with Web3 and make these technologies more accessible and secure. This will in turn create new opportunities and innovations for both the Web3 and cybersecurity ecosystems.