This might be a bit more technical, but I am really interested in the security of the MetaMask desktop extension → mobile app synchronization process.
So when I create a wallet on desktop, a random seed phrase is generated and I have to create a wallet password. The seed phrase is stored encrypted locally on my desktop only and can only be accessed with the wallet password. The seed phrase and wallet password are never sent to any server. So far so good.
Now, when I install the MetaMask mobile app and go successfully through the sync process, the seed phrase and wallet password are transferred to my mobile device. According to the network log, they are transferred using the 3rd party service pubnub.com, and my question is: how are my seed phrase and wallet password secured during this transfer via an untrusted 3rd party service? Is there end-to-end encryption? What kind? What kind of key exchange scheme is used during this sync process?
Since this is not clear enough from any documentation I have found, isn’t it much safer to “sync” mobile to desktop by entering the seed phrase manually in the mobile app? This way at least I am sure that my seed phrase and wallet password are not being sent to the internet…
Thanks for any information. I believe it is secure enough, but in this case, believing is not enough, and sending a seed phrase to the internet really deserves a detailed explanation.