As cryptocurrency adoption accelerates, and mobile crypto wallets dominate, scrutiny around app security has never been more in focus. In a major policy shift, Google Play now requires custodial crypto wallet apps to provide proof of government licensing in key markets. This raises the bar for compliance but not necessarily for in-app security. Non-custodial wallets are exempt from this requirement but not from risk.
This blog post breaks down what crypto wallet apps are, how Google’s new policy affects developers, and why security at the application level is mission-critical for both custodial and non-custodial solutions.
A cryptocurrency wallet is a system used to generate and then manage cryptographic key pairs. Matched sets of a public key and a private key are used together to encrypt, decrypt, and digitally sign data securely. Cryptocurrency wallets enable users to access and store these keys securely, and to sign transactions to send or receive cryptocurrency.
Cryptocurrency wallets come in different forms, each holding the digital credentials that control your digital assets. Most are connected to the internet and are used for fast, active trading (‘hot wallets’). Others are offline storage solutions designed to maximize security over the long term by requiring physical access (‘cold wallets’).
“Browser extension wallets remain the most targeted, comprising 42% of known attack vectors in 2025.” [1]
Software wallets are widely accessible and convenient. They remain dominant among users, despite a growing market in hardware wallets. However, software wallets can carry a higher security risk due to their always-online status. This is why hardware wallets are increasing in demand among security-conscious users.
Crypto wallet apps are software programs that deliver crypto wallet functions with a user-friendly, operational interface. Apps are how users interact with their wallet to manage their cryptocurrency accounts in a convenient and secure way. Crypto wallet apps serve as a critical interface layer between users and the blockchain ecosystems that make cryptocurrencies possible.
The special function of crypto wallet apps is to store, send and receive cryptocurrencies such as Bitcoin and Ethereum, while generating and managing key pairs. Typically, a wallet app will also perform basic functions such as balance display, address and token management, as well as backup and security features.
Read more: Financial App Security in 2025: Combating Traditional Malware and Emerging AI Threats
Basic security settings on a crypto wallet app might include the use of PIN and biometrics, as with most apps. Some wallet apps may have advanced security features that are reinforced by runtime hardening. All financial apps deserve security investment.
On August 13, 2025, Google Play announced an update to their Cryptocurrency Exchanges and Software Wallets Policy. This update requires cryptocurrency wallet application developers to obtain appropriate regulatory licenses from government bodies. Although this new licensing requirement is not set to take effect until October 29, 2025, there was an immediate backlash from the cryptocurrency community that forced Google to issue a clarification on X and in their Policy Centre guidelines.
The policy itself is published by Google in a Help Center document on Understanding Google Play’s Cryptocurrency Exchanges and Software Wallets Policy. In it, Google explains that they have established specific guidelines for the publication of cryptocurrency exchanges and software wallets. What this means is that crypto wallets can only be published in certain regions if the app complies with local standards. These countries and regions are then listed, along with the appropriate requirement, where one exists.
But uncertainty and accusation quickly followed. An article written by The Rage—an “independent publication covering financial surveillance”—was published the same day as the announcement. In it, they complained that the new Google Play Store policy forces strict anti-money laundering (AML) and similar frameworks on non-custodial wallets in the US and effectively bans non-custodial wallet developers from the Play Store in the EU.
Google promptly responded to a post on X that linked to this article with an important clarification.
“Thanks for flagging this. Non-custodial wallets are not in the scope of Google Play’s Cryptocurrency Exchanges and Software Wallets Policy. We are updating the Help Centre to make this clear.”
Later on, the update was published in the original Google policy document on app requirements for software wallets.
“Note: Non-custodial wallets are out of scope of the Cryptocurrency Exchanges and Software Wallets policy.”
So, what is this distinction Google is drawing, and what does their new policy mean in practice?
The new Google policy means that after October 29, 2025, anyone developing custodial crypto wallet apps—as well as exchange apps—must hold the appropriate regulatory licenses. However, users and developers of non-custodial wallets are exempt from these licensing rules. This distinction between custodial and non-custodial wallets is vital to all subsequent compliance and security discussions.
Crypto wallet apps come in two primary forms: custodial wallets and non-custodial wallets. The essential difference between the two is that custodial wallets hold users’ private keys on their behalf, while non-custodial wallets give users full control and sole responsibility for managing their own keys. The private keys in custodial wallets are managed by a third-party service provider, while non-custodial wallet users manage their own keys. Key management may include the generation and storage of private keys, and importantly, ensuring their security.
The reason for the backlash against Google’s new policy becomes clearer once one appreciates that these different types of crypto wallet are likely to attract different users. Custodial wallets are easier for beginners but give users less control over their funds. This is a significant drawback for many attracted to cryptocurrency in the first place. Non-custodial wallets provide users with greater control, privacy, and autonomy.
The reason non-custodial wallet apps are out of scope is that the service provider never takes custody of the user's private keys. Since they don't control the keys, they don't control the user's assets and therefore fall outside the regulatory definition of a custodian. This is why they are sometimes called exchange apps or self-custody wallets. So, anyone building or distributing a non-custodial wallet will not have their app listing impacted.
Examples of regulatory licenses that developers of custodial crypto wallet apps must now hold include:
While Google’s licensing requirement is a step forward in crypto app compliance and safety, it does not provide full protection inside the app, or across every device, including in hostile environments. It is absolutely vital for users and developers of crypto wallet apps to grasp the gravity of their cybersecurity situation.
| For custodial app wallets | For non-custodial app wallets |
| --- | --- |
| Meeting regulatory compliance thresholds like FinCEN or MiCA does not by itself equal mobile app security. A custodial crypto wallet app can meet all regulatory standards and still be insecure. | Exemption from regulatory licensing does not mean exemption from mobile security risk. Non-custodial wallets can be just as—or even more—vulnerable depending on how they're implemented and protected. |
Compliance can cover issues such as licensing, transaction monitoring, and consumer protection for crypto wallet apps. It does not, however, cover mobile app security itself. A crypto app may be fully compliant but still contain vulnerabilities and suffer breaches.
Crypto wallet apps represent a cybersecurity danger zone. A single breach can compromise or eliminate a user’s entire digital asset portfolio. Blockchain’s irreversible nature makes recovery of stolen funds nearly impossible. A crypto wallet handles sensitive private keys. Many wallet apps operate in untrusted, high-risk environments, for example on consumer devices that may be jailbroken, rooted, or running malware. Both wallet types are high-value targets for threat actors because they expose a full attack surface on the end-user device.
Read more: Mobile malware threats in 2025: How mobile app vendors can stay safe
A recent review of security vulnerabilities in cryptocurrency wallets highlighted security concerns as a main reason hindering users and governments from adopting the crypto market. The study identified a wide range of vulnerabilities used by scammers and hackers to steal cryptocurrency from wallets, including ransomware, phishing attacks, denial-of-service attacks, malware, and SIM swapping. It recommends a greater deployment of AI systems to mitigate vulnerabilities. [2]
“Phishing attacks led to over $1.1 billion in wallet-related thefts globally in 2025.” [1]
Security research on cryptocurrency wallet applications has tended to focus on one aspect at a time. Here are a few examples.
The first large-scale study of Android cryptocurrency wallet apps surveyed 457 applications on Google Play to investigate the behavior of their security features. The study revealed vulnerability and privacy issues in these crypto wallet apps to do with “permission, app packaging, anti-analysis adoption, the use of third-party libraries, and malware presence.” [3]
Bitcoin is the most popular cryptocurrency. There are a wide and growing variety of Bitcoin-specific wallet applications for smartphone use. Recent research has discovered new security vulnerabilities in these. “By exploiting them, adversaries can launch various attacks including Bitcoin deanonymization, reflection and amplification spamming, and wallet fraud attacks.” [4]
“35% of crypto wallet users in 2025 cite security as their top concern.” [1]
Custodial and non-custodial crypto wallets are susceptible to different types of security threats. With custodial wallets, the risk is concentrated but controlled. Non-custodial apps carry more risk at the device-level attack surface. Both need runtime app protection, but non-custodial wallets doubly so.
Custodial wallets benefit from the centralized oversight and storage of private keys. They are often protected by internal AppSec teams and KYC deterrents. But this makes them a higher-value target with a larger attack surface. Custodial wallet risk is a breach of trust at scale, with one exploit compromising thousands of users. Wallet users tend to rely entirely on the custodian’s security posture.
Non-custodial wallets delegate responsibility to the user, and so shift risk directly to end-user devices, where runtime threats, overlays, and memory scraping remain active dangers. So, if the app is compromised, the wallet is compromised, since the app itself is the single point of failure. There is no recovery or recourse if private keys are stolen—only irreversible loss at a personal level.
Here are some best practices for crypto wallet application security for those building the apps (developers and vendors) and those interacting with them (users).
The same best practices apply to the development of crypto wallet apps that apply to mobile app security in general. Mobile app security practices involve defending applications from insecure devices and the issues they might introduce. These practices are vital since mobile wallets dominate the hot wallet market.
These best practices and protections include:
These are development techniques to eliminate common attack vectors, encapsulated by the OWASP Top 10.
Examples: data encryption, removing hardcoded credentials, vulnerability management, user/app authentication, user input validation.
These prevent hackers gaining access to the internal logic of crypto wallet applications to locate vulnerabilities or sensitive data.
Examples: code obfuscation and encryption.
Read more: The ultimate guide to code obfuscation for security professionals
These prevent hackers from using techniques to extract key information from crypto wallet apps or modify the apps’ behavior at runtime.
Examples: anti-malware, hooking prevention, repackaging checks, and rooting/jailbreak detection.
Read more: What is RASP and how does it secure web apps vs. mobile apps?
These prevent insecure or malicious connections from reaching the server or database through public-facing APIs.
Examples: app legitimacy checks, behavioral analysis, user authentication, using authenticated protocols.
Crypto wallet device security on mobiles is not 100% effective. Users cannot be relied on to have, implement, or keep these protections. This is why the app security practices and protections mentioned above are so important, and why vendors must invest in them.
But there are security best practices that protect individual apps on devices. These device security practices are designed to defend the device from malware, and protect personal data stored on or accessed by the device. Devices can employ MDM (Mobile Device Management) or VPNs (Virtual Private Networks) for storage and network security. MFA (Multi-Factor Authentication) can protect a device against phone theft or SIM swap.
“Wallets with MFA (Multi-Factor Authentication) show a 62% lower incidence of compromise.” [1]
In a market where reputational trust and security are as critical as regulatory compliance—if not more so—organizations must protect not just with adherence to crypto policies like Google’s but with proactive security measures. What crypto wallet apps and financial apps of all kinds need is a secure application layer across threat vectors, independent of jurisdictional regulation or licensing frameworks. They need protection that is device-native, post-compile, and non-intrusive, bridging the gap between compliance and trust.
Promon strengthens the shield where regulations fall short—inside the app, on the device, and in the runtime. For custodial systems, Promon adds a device-native layer of defense to prevent key extraction and session tampering. For non-custodial wallets, Promon helps secure seed phrases, block runtime exploitation, detect rooting/jailbreak, and protect transaction integrity—all without impacting UX or release velocity.
[1] https://coinlaw.io/cryptocurrency-wallet-adoption-statistics/
[2] https://www.researchgate.net/publication/389965491_Security_Vulnerabilities_of_Cryptocurrency_Wallets_-A_Systematic_Review
[3] https://www.researchgate.net/publication/371113045_An_Empirical_Analysis_of_Security_and_Privacy_Risks_in_Android_Cryptocurrency_Wallet_Apps
[4] https://www.researchgate.net/publication/351102110_Security_Threats_from_Bitcoin_Wallet_Smartphone_Applications_Vulnerabilities_Attacks_and_Countermeasures