On April 17, Kraken, a highly regarded major cryptocurrency exchange, introduced its open-source mobile wallet, designed to provide users with a secure and transparent solution for storing their digital assets. According to what Eric Kuhn, the Product Director for Kraken Wallet, told CoinDesk, the wallet was built “on the principles central to the crypto space, such as user privacy and open source code.”
Per Kraken’s blog post, Kraken Wallet aims to address the inherent limitations of mobile operating systems while offering a robust security architecture that prioritizes user control and privacy. One of the primary challenges faced by mobile crypto wallets is the lack of direct access to the device’s secure element for key storage and transaction signing. To overcome this limitation, the Kraken Wallet employs a pure-js implementation of the NodeJS crypto module, utilizing the Cryptographically Secure Pseudorandom Number Generator (CSPRNG) available on the device to generate random numbers for key generation.
The wallet adheres to the BIP39 standard for key generation and management, enabling users to easily backup and recover their mnemonic seeds while maintaining interoperability with most wallets in the ecosystem. Private key material is securely stored in the device’s Keychain (iOS) or Keystore (Android), while non-sensitive data is encrypted and stored in the application’s database using Realm.
To protect user data, Kraken Wallet implements multiple security controls, including an app lock, password protection, database encryption, and a lockout mechanism to deter brute-force attacks. The wallet employs various encryption methods based on the user’s chosen protection settings, ensuring that sensitive data is always stored in encrypted form. Biometric authentication is required for critical functionalities such as enabling app lock, wiping data, and connecting to decentralized applications (dApps).
Transaction signing remains a critical area of focus for continuous improvement in the Kraken Wallet. The wallet implements transaction simulation to assess the potential risk of a transaction, providing users with warnings and safeguards against malicious transactions or message signing. Additionally, the wallet validates addresses, networks, and fees to prevent user errors and overpayment.
To protect users’ privacy and personal data, the Kraken Wallet utilizes an API gateway to proxy requests, preventing the exposure of client IP addresses to external or public providers. This backend service encapsulates blockchain data querying functionality behind a common API, ensuring that the wallet does not need to implement blockchain-specific behaviors for data retrieval.
Kraken Wallet’s commitment to transparency and trust minimization is evident in its open-source nature. By making the wallet’s source code publicly available under the MIT license, Kraken enables users to verify the security assumptions presented and audit the implementation for correctness. Kraken says this approach aligns with the industry maxim “Don’t trust, verify!” and empowers users to take control of their digital assets.
To further bolster security, Kraken Wallet underwent a rigorous external audit conducted by Trail of Bits, a prominent security auditing firm. The results of this audit are publicly available, demonstrating Kraken’s commitment to transparency and providing users with insights into the wallet’s security measures.
Initially, Kraken Wallet supports the following blockchains: Bitcoin, Ethereum, Polygon, Dogecoin, Solana, Arbitrum, Base, and Optimism.