HashPack blog

Device-specific security (and a farewell to the Web App)

July 14, 2023

Before we begin, this is an announcement that we'll be sunsetting the Web App version of HashPack by the end of the year. The goal date is December 1st, 2023. We will put out plenty of warnings and provide ways for users to move onto the other platforms, so there’s nothing to worry about. But if you use the wallet via the web browser (and not the Google Chrome extension), this is a great article for you.

Something you may not have noticed as a HashPack user is that no matter which device you use, the experience is always the same. Whether you use HashPack on Android or iOS, mobile or desktop, the user interface and feel of the app are pretty much exactly the same. This actually takes a bit of magic behind the scenes, and we’ve been very deliberate about making the experience seamless across all these different devices.

Yes, there are some slight differences between different devices (looking at you, iOS), but for the most part, the user experience is the same. Observant users may have noticed that the web app and Chrome extension usually update sooner than the Android version, and that if you’re using iOS, you usually have to wait an extra day for the update to show up on your device. This is because each store has its own checks that need to be done with every update before it can be released into your hands.

User experience aside, one big difference between each version is the security that comes along with it. We take security very seriously at HashPack (check out our recently completed audit, and see this blog where we go into more detail), and while there’s a lot that we do to protect our users, just as important is knowing how your choices as a user affect your security.

This is an educational piece to help users understand what’s going on underneath the hood of each version of HashPack so you can choose which platform is best for you.

The flavours of HashPack

As of July 2023, there are four ways to access your HashPack wallet: the Web App (the original version, accessible at https://wallet.hashpack.app), the Google Chrome extension (for use on desktops, with any Chromium browser: Google Chrome, Edge, Opera, Brave, etc.), and the two mobile apps for Android and iOS devices.

As a TL;DR, here’s a summary of which flavour of HashPack is for you:

Best for mobile: Android and iOS

Best for desktop devices: Chrome extension

Alternative: Web App (to be decommissioned by the end of the year; more on that below)

Honourable mention: hardware wallet

Since a big part of the difference in the wallet apps is how each version secures your keys and sensitive data, it needs to be said that the current most secure method is to hook up a hardware wallet to your HashPack. HashPack currently supports Ledger and D’CENT hardware wallets, with the Hedera-native Citadel Wallet due to come out later this year.

A lot of the security of a non-custodial wallet like HashPack depends on the features of the platform it runs on. A hardware wallet sidesteps that dependency: if the keys never live on your device, there's no way for the device to accidentally expose them. The hardware-wallet/software-wallet combination is the gold standard of key security in crypto right now, and worth looking into if you are holding a significant amount of value in your HashPack.

HashPack Android (Google Play Store)

On Android, HashPack uses the Android Keystore system to store your private keys, backed by the Secure Element of the Android device. When you create or import your account on your Android device, HashPack stores the private key inside the Android Keystore. The secure hardware prevents the keys from being exposed, only letting the HashPack app use them from that point on. HashPack uses your biometrics (or a PIN that you provide) to further authenticate you and protect your keys.

The Google Play Store verifies each version of HashPack before letting users download it, with security measures in place preventing anyone but the HashPack team from updating the app. Make sure to only download the official version of the app from the Google Play Store, published by HashPack.

As of July 2023, HashPack Android is the full version of HashPack, with all features enabled.

HashPack iOS (Apple App Store)

On Apple devices HashPack uses Apple’s Secure Enclave. Like Android’s Keystore, Secure Enclave is a dedicated secure subsystem integrated into Apple systems. It is an isolated chip that is designed to keep sensitive user data secure even when the main processor becomes compromised. The Secure Enclave is a hardware feature of most versions of the iPhone, iPad, and Mac.

Similar to Android, your keys are locked to the HashPack App as well as secured by the biometrics on your Apple device. Also, the Apple App Store verifies each update for HashPack, meaning you know you’re always downloading a verified copy of the app. Just make sure to only download the official version of the app from the Apple App Store, published by HashPack.

Due to Apple's App Store policies, the iOS version has a reduced feature set compared to other versions of HashPack. These are based around Apple's NFT policies, so although you can view NFTs from HashPack, there are a few disabled functions. Notably, Secure Trade is disabled, the dApp browser works but the recommended apps cannot be shown, and NFT marketplace functions are disabled as well.

Google Chrome extension

For desktop users, HashPack can be found as a Google Chrome extension. Since most desktops do not have dedicated security hardware, the extension encrypts your sensitive data in your browser's local storage. This is standard across extension-based non-custodial wallets, and the important thing to know as a user is that the more secure your password is, the more secure your keys are on your device.

HashPack enforces a 12-character minimum, but we recommend also adding other security-enhancing factors to your password, such as a longer length, numbers, and special characters. Password managers are a great option if you find one that you like.

Be sure to practise safe browsing and only install trusted software and Chrome extensions on your computer. For optimum security, we highly recommend using a hardware wallet if possible to further secure your account.

That said, we’ve done everything we can to make sure your data is as secure as possible on your system.

Every update to HashPack does go through the Google Chrome Web Store’s review process, so if you’re updating through the extension, you know it’s coming from a trusted source.

The original HashPack Web App

The final (and original) version of HashPack is the Web App, which you can access in pretty much any browser on any device. It is by far the easiest version to access since you don’t have to download an app or an extension to use it.

Similar to the Chrome extension, the Web App uses local storage in your browser. It carries the same security benefits as the Chrome extension in how it secures your data. Which is to say, it’s as secure as we can make it.

However, there are some specific ways the Web App can be exploited. The simplest is that if an attacker provides a link to a fake HashPack website, a user may be scammed into re-entering their private key into the fake version, thus exposing their keys. This is known as phishing.

The official and only website for HashPack is https://www.hashpack.app.

Another avenue has to do with how websites are delivered in real time to your device. In the unlikely event HashPack's web servers were ever compromised, an attacker could compromise the Web App as well. This would be a severe attack, one that we have procedures in place to prevent, but that nonetheless exists. On the other hand, the mobile apps and Chrome extension versions of HashPack are saved on your device and only update when the store version is updated, adding an extra layer of security.

So it’s not to say the Web App is insecure, but it’s our weakest link. We want to remove the possibility of specific attack vectors, so that our users can have the best balance of usability and security.

That is why later this year (currently scheduled for December 1st, 2023), we are sunsetting the Web App and removing access to it. We will give ample notice for users to migrate to the other versions of HashPack (of which you are now an expert from this article). And if you have properly secured your account recovery details as a security-conscious crypto user, you will have no problem reimporting your account on any device.

In closing

Security is the most important element of a wallet, and one that we take very seriously. It is also not a black-and-white topic, because apps don’t exist in bubbles. The most secure machine in the world is one that is never turned on or connected to anything (or anyone), but it would also be the most useless machine.

We hope this article sheds some light on the device-specific security that HashPack takes advantage of to keep your keys safe, and provides you with more knowledge to make good decisions to continue to enjoy the crypto space.

For any questions or comments, please reach out to us on Twitter, Discord, or hit the support chat button in the corner of the website. We look forward to hearing from you.
