Skip to content

Security

Self-custody only works if your secrets stay secret. BlockVault is built around a simple promise: your recovery phrase, password and private keys never leave your phone in usable form.

How your secrets are protected

Your password
    ↓ stretched into a strong key
    ↓ used to encrypt your recovery phrase
    ↓ encrypted phrase saved in your phone's secure hardware

There are two locks on your recovery phrase, and you control both:

  1. A lock you set — the password you choose when you create the wallet.
  2. A lock your phone provides — the Secure Enclave (iOS) or Keystore (Android), backed by dedicated security hardware.

An attacker would need to break both to read your phrase. Even a stolen, unlocked phone is not enough on its own.

Your recovery phrase

  • Generated on-device using your phone's cryptographically secure random source.
  • Follows the BIP-39 standard (12 or 24 words).
  • Encrypted with AES-256-GCM before it touches any storage.
  • The password that protects it is stretched through PBKDF2 with 600,000 rounds (the OWASP 2023 recommendation), so guessing it is slow and expensive.
  • We never see it, never upload it, and there is no "forgot phrase" link. Write it down and keep it safe.

Your password

  • Used to unlock your recovery phrase when you sign transactions.
  • Stored only as a hash, never in plain form.
  • Kept in memory only while the app is open; cleared the instant the app goes to the background.
  • On every return to the app, you authenticate again.

Biometrics (Face ID, Touch ID, fingerprint)

Biometrics are an optional convenience — they unlock the password for you, but they never replace it.

  • Your face or fingerprint is matched by the operating system, not by BlockVault.
  • After three failed attempts, you have to type the password.
  • Disabling biometrics doesn't change your password or your phrase.

Private keys

Private keys are derived from your recovery phrase only when you sign a transaction, used for that one signature, and then wiped from memory. They are never written to disk.

Device integrity

BlockVault checks that it's running on a real, untampered device before talking to sensitive backend services:

  • Android — Google Play Integrity.
  • iOS — Apple App Attest.

If the check fails (rooted, jailbroken, emulator, modified app), sensitive requests are rejected.

What we can never do

  • See your recovery phrase or your password.
  • Recover your wallet if you lose both.
  • Freeze your funds, reverse a transaction or change a destination address.

That's the trade-off of true self-custody — and the reason it works.

BlockVault Documentation