Security
Self-custody only works if your secrets stay secret. BlockVault is built around a simple promise: your recovery phrase, password and private keys never leave your phone in usable form.
How your secrets are protected
Your password
↓ stretched into a strong key
↓ used to encrypt your recovery phrase
↓ encrypted phrase saved in your phone's secure hardwareThere are two locks on your recovery phrase, and you control both:
- A lock you set — the password you choose when you create the wallet.
- A lock your phone provides — the Secure Enclave (iOS) or Keystore (Android), backed by dedicated security hardware.
An attacker would need to break both to read your phrase. Even a stolen, unlocked phone is not enough on its own.
Your recovery phrase
- Generated on-device using your phone's cryptographically secure random source.
- Follows the BIP-39 standard (12 or 24 words).
- Encrypted with AES-256-GCM before it touches any storage.
- The password that protects it is stretched through PBKDF2 with 600,000 rounds (the OWASP 2023 recommendation), so guessing it is slow and expensive.
- We never see it, never upload it, and there is no "forgot phrase" link. Write it down and keep it safe.
Your password
- Used to unlock your recovery phrase when you sign transactions.
- Stored only as a hash, never in plain form.
- Kept in memory only while the app is open; cleared the instant the app goes to the background.
- On every return to the app, you authenticate again.
Biometrics (Face ID, Touch ID, fingerprint)
Biometrics are an optional convenience — they unlock the password for you, but they never replace it.
- Your face or fingerprint is matched by the operating system, not by BlockVault.
- After three failed attempts, you have to type the password.
- Disabling biometrics doesn't change your password or your phrase.
Private keys
Private keys are derived from your recovery phrase only when you sign a transaction, used for that one signature, and then wiped from memory. They are never written to disk.
Device integrity
BlockVault checks that it's running on a real, untampered device before talking to sensitive backend services:
- Android — Google Play Integrity.
- iOS — Apple App Attest.
If the check fails (rooted, jailbroken, emulator, modified app), sensitive requests are rejected.
What we can never do
- See your recovery phrase or your password.
- Recover your wallet if you lose both.
- Freeze your funds, reverse a transaction or change a destination address.
That's the trade-off of true self-custody — and the reason it works.