Security guide

This guide explains how the mallow wallet is built and how to use it safely. It is the practical companion to our Privacy Policy.

The non-custodial model

There are two kinds of crypto wallets. Custodial wallets (like a centralized exchange) hold your keys for you, which means they can recover your account but they can also freeze it, lose it to a breach, or be compelled to surrender it. Non-custodial wallets — like mallow — give you the keys directly. You hold all the power, and all the responsibility.

In practice, that means:

  • The first time you create or import a wallet, the App generates or accepts a 12- or 24-word seed phrase locally on your device.
  • That seed phrase derives every key you will ever need for that wallet, across every supported chain (Solana, Ethereum, Tezos).
  • mallow never sees, stores, or transmits the seed phrase. There is no account on a server tied to your wallet.
  • If you uninstall the App without backing up your seed phrase, your funds are gone permanently.

What stays on your device

These items live in your device’s secure enclave (iOS Keychain or Android Keystore) and are encrypted at rest:

  • The 12- or 24-word seed phrase
  • The Ed25519 keys derived for Solana (path m/44'/501'/0'/0')
  • The secp256k1 keys derived for Ethereum (path m/44'/60'/0'/0/0)
  • The keys derived for Tezos
  • Your PIN
  • Biometric-unlock and app-lock settings
  • App preferences (theme, chain toggles)

When the App needs a key — for example, to sign a transaction you have approved — it reads it from secure storage, signs the transaction, and lets the key fall out of scope as soon as the operation completes. Keys are not held in long-running memory.
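How a single seed phrase turns into per-chain keys, as an added example that is not mallow's own code: the phrase is stretched into a 64-byte seed with BIP39 (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus the optional passphrase), and the Solana key at the path listed above (m/44'/501'/0'/0') is derived with SLIP-0010 for Ed25519 using only HMAC-SHA512. The assumptions here are that the wallet follows those two standards exactly (the guide names the paths but not the derivation scheme), and the BIP39 wordlist checksum check is omitted because the 2048-word list is not embedded. The example phrase is the standard BIP39 test phrase, not a funded wallet.

```python
# Added example, not mallow's code: BIP39 seed + SLIP-0010 Ed25519 derivation.
# Assumes the wallet uses these standards; the BIP39 wordlist checksum is not
# verified here (the word list is not embedded).
import hashlib
import hmac
import unicodedata

HARDENED = 0x80000000


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).split()
    if len(words) not in (12, 24):
        raise ValueError("expected a 12- or 24-word phrase")
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", " ".join(words).encode(), salt.encode(), 2048, 64)


def parse_path(path: str) -> list[int]:
    """Turn "m/44'/501'/0'/0'" into a list of indices (hardened bit set for ')."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    indices = []
    for p in parts[1:]:
        hardened = p.endswith("'") or p.endswith("h")
        idx = int(p.rstrip("'h"))
        indices.append(idx | HARDENED if hardened else idx)
    return indices


def slip10_ed25519(seed: bytes, path: str) -> tuple[bytes, bytes]:
    """Return (private_key, chain_code) for an all-hardened Ed25519 path."""
    i = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    key, chain = i[:32], i[32:]
    for index in parse_path(path):
        if not index & HARDENED:
            # SLIP-0010 defines no non-hardened derivation for Ed25519; refusing
            # is safer than deriving a key no other wallet would recognise.
            raise ValueError("Ed25519 derivation supports hardened indices only")
        data = b"\x00" + key + index.to_bytes(4, "big")
        i = hmac.new(chain, data, hashlib.sha512).digest()
        key, chain = i[:32], i[32:]
    return key, chain


if __name__ == "__main__":
    # Standard BIP39 test phrase (constructed input, not a real wallet).
    phrase = " ".join(["abandon"] * 11 + ["about"])
    seed = bip39_seed(phrase)
    sol_key, _ = slip10_ed25519(seed, "m/44'/501'/0'/0'")
    print("seed bytes:", len(seed), "solana private key bytes:", len(sol_key))
```

Note that every index on the Solana path is hardened, which is why the function rejects anything else: unlike the secp256k1 Ethereum path (m/44'/60'/0'/0/0, whose last two levels are non-hardened), Ed25519 under SLIP-0010 has no public-parent derivation at all.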

What does not stay on your device

The following data leaves your device when you use specific features. The Privacy Policy lists every recipient.

  • Public wallet addresses (visible to all RPC providers and indexers by the nature of public blockchains)
  • Transactions you sign and broadcast (public on the chain)
  • Diagnostic data — crash logs, a 10% sample of performance traces, and breadcrumbs — sent to mallow’s self-hosted error-tracking service with mnemonics, keys, PINs, and tokens scrubbed before transmission
  • Push notification token (sent to Firebase if you opt into push)
  • Token swap quote requests (sent to Jupiter when you swap)
  • NFT metadata you choose to mint (sent to our IPFS pinning service)

Locks and gates

The App layers protections on top of the OS-level secure storage:

  • PIN — required to unlock the App.
  • Biometrics — Face ID or Touch ID can replace the PIN for normal unlock, and is required separately for sensitive operations like exporting your seed phrase or approving large transactions.
  • App lock on background — when the App is backgrounded, it locks immediately so a glance at your task switcher cannot reveal balances or history.

Hardware wallet support

mallow integrates with Ledger hardware wallets via Bluetooth (and USB on supported platforms). When you connect a Ledger, the private key never leaves the hardware device. You confirm transactions on the Ledger’s screen, and the App only ever sees the signed result. This is the strongest protection available for mobile self-custody.

Backing up your seed phrase

Your seed phrase is the only way to recover your wallet. Treat it with the care you would give a passport or a large amount of cash.

Recommended practices

  • Write it on paper or stamp it on metal. Store it somewhere physically secure that is not your phone.
  • For larger holdings, store backups in two separate physical locations so a single fire, flood, or theft does not destroy your only copy.
  • Verify your backup by reading it back word-for-word before you fund the wallet.

Avoid these mistakes

  • Do not type your seed phrase into a website, chat, email, or any password manager that syncs to the cloud.
  • Do not photograph or screenshot it.
  • Do not store it in a notes app, even one you trust.
  • Do not share it with anyone, including someone claiming to be mallow support. We will never ask for your seed phrase.

Recognizing scams

Common scam patterns to watch for:

  • Fake support. Anyone DMing you asking for your seed phrase, asking you to “validate” your wallet, or asking you to import a “mallow recovery tool” is a scammer. mallow does not provide DM support and does not have a recovery tool that needs your seed.
  • Fake airdrops. Tokens that appear in your wallet asking you to visit a site to “claim” are usually traps designed to drain your wallet when you sign their transaction.
  • Phishing apps and clones. Always install from the official App Store or Google Play listing, not from an APK link or sideload.
  • Address spoofing. Always verify the full recipient address before sending. Some attackers send dust to your wallet from an address that looks like one of your past contacts so it appears in your history.
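The address-spoofing pattern above relies on a recipient that shares its first and last few characters with a saved contact, because that is all a wallet UI typically shows. The following check, added here as an illustration and not mallow's own code, classifies a recipient against an address book as an exact match, a lookalike of a saved contact, or an unknown address. The prefix/suffix window of four characters, the contact names and all addresses are constructed assumptions; EVM addresses are compared case-insensitively because they are plain hex, while Solana base58 addresses are compared as-is.

```python
# Added example, not mallow's code: flag recipients that imitate a saved contact.
from dataclasses import dataclass

PREFIX = 4   # leading characters a UI typically shows (assumed window)
SUFFIX = 4   # trailing characters a UI typically shows (assumed window)


@dataclass(frozen=True)
class Verdict:
    status: str   # "known", "lookalike" or "unknown"
    contact: str  # matched or imitated contact name, "" if none


def normalise(addr: str) -> str:
    """0x-prefixed 40-hex EVM addresses are case-insensitive; base58 is not."""
    addr = addr.strip()
    if addr.startswith("0x") and len(addr) == 42:
        return addr.lower()
    return addr


def is_lookalike(candidate: str, known: str) -> bool:
    """Same first PREFIX and last SUFFIX characters, but not the same address."""
    return (candidate != known
            and candidate[:PREFIX] == known[:PREFIX]
            and candidate[-SUFFIX:] == known[-SUFFIX:])


def check_recipient(recipient: str, address_book: dict[str, str]) -> Verdict:
    target = normalise(recipient)
    # Exact matches first, so a genuine contact is never reported as a lookalike.
    for name, saved in address_book.items():
        if target == normalise(saved):
            return Verdict("known", name)
    for name, saved in address_book.items():
        if is_lookalike(target, normalise(saved)):
            return Verdict("lookalike", name)
    return Verdict("unknown", "")


# Constructed sample address book; none of these are real accounts.
ADDRESS_BOOK = {
    "alice (eth)": "0x1a2b" + "0" * 32 + "9f8e",
    "bob (sol)": "7xKX" + "1" * 36 + "QvA3",
}

if __name__ == "__main__":
    poisoned = "0x1a2b" + "f" * 32 + "9f8e"   # constructed lookalike of alice
    for addr in (ADDRESS_BOOK["alice (eth)"], poisoned, "0x" + "9" * 40):
        v = check_recipient(addr, ADDRESS_BOOK)
        print(addr[:6] + "..." + addr[-4:], "->", v.status, v.contact)
```

A "lookalike" verdict is the case to surface loudly: the transaction history will show the poisoned address beside the real contact, and only a comparison of the full string distinguishes them. An "unknown" verdict simply means the full address must be verified by another channel before sending.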

What to do if something goes wrong

  • Compromised device or seed phrase exposure — assume the wallet is fully compromised. Generate a fresh seed phrase in a new wallet on a clean device, and immediately move funds out of the compromised wallet.
  • Lost or stolen device — if you have your seed phrase backed up, you can restore the wallet on any new device. The App is locked by your PIN and biometrics, but a determined attacker with physical access and time is a real risk; move funds from a known-stolen device promptly.
  • Lost seed phrase, device still works — generate a fresh seed phrase in a new wallet immediately and migrate your funds. Do not keep using a wallet whose seed you cannot reproduce.

Reporting a vulnerability

If you have found a security vulnerability in the App, the Site, or our backend, please email security@mallow.art.

Please include:

  • A clear description of the issue
  • Steps to reproduce
  • The impact you observed
  • Any proof-of-concept code or screenshots

Please do not test against other users’ wallets or against production data you do not own. We do not currently run a paid bug-bounty program but we take responsible disclosure seriously and will acknowledge your report within a reasonable timeframe.