Mobile Sync Security

This might be a bit more technical, but I am really interested in the security of the Metamask desktop extension → mobile app synchronization process.

So when I create a wallet on desktop, a random seed phrase is generated and I have to create a wallet password. The seed phrase is stored encrypted locally on my desktop only and can only be accessed with the wallet password. The seed phrase and wallet password are never sent to any server. So far so good.

Now, when I install the Metamask mobile app and go successfully through the sync process, the seed phrase and wallet password are transferred to my mobile device. According to the network log, they are transferred using the 3rd party service pubnub.com, and my question is: how are my seed phrase and wallet password secured during this transfer via a 3rd party untrusted service? Is there end-to-end encryption? What kind? What kind of key exchange scheme is used during this sync process?

Since this is not clear enough from any documentation I have found, isn’t it much safer to “sync” mobile to desktop by entering the seed phrase manually in the mobile app? This way at least I am sure that my seed phrase and wallet password are not being sent to the internet…

Thanks for any information. I believe it is secure enough, but in this case believing is not enough, and sending a seed phrase to the internet really deserves a detailed explanation.

This feature leverages pubnub’s AES-256 end-to-end encryption to transfer the seed phrase and token list. You can read about pubnub’s security here:

and here:


Thanks for the info … this is what I was looking for … and just to be complete: the cipher key for AES-256 is randomly generated in the extension and transferred to the app (the other end) directly via the QR code, so it is never revealed to anyone, right? Now it makes sense. Thanks again…