Terra Wallet

Security

A complete overview of Terra Wallet security

Security is foundational to everything we build. Here is a transparent, detailed look at how Terra Wallet protects your crypto - and where we are still raising the bar.

On-device encryption

AES at rest in the secure enclave / keystore.

Automated scanning

Semgrep + OWASP methodologies on every change.

Self-custody

Keys and recovery phrase never leave your device.

Scam protection

Address-poisoning, spam-token and spoof defences.

Why we focus so heavily on security

Web3 offers real financial freedom: you hold your own assets, transact globally, and answer to no intermediary. That freedom comes with responsibility, and the wallet is where that responsibility lives. Terra Wallet is built so that the secure choice is also the easy one - strong protection by default, with clear, readable prompts whenever something matters.

Our approach is multi-layered: cryptography on the device, automated scanning of our code, in-app warnings that catch common scams, and a commitment to transparency about what is shipped versus what is still in progress.

State-of-the-art encryption and key storage

Your wallet is controlled by a 12- or 24-word recovery phrase, from which your private keys for every blockchain address are derived. That phrase and those keys are generated on your device using audited cryptographic libraries and are encrypted at rest with AES inside the device's hardware-backed secure enclave (iOS) or keystore (Android).

Your PIN is strongly hashed before it is stored, never kept in plaintext. Most importantly, your wallet password, recovery phrase and private keys never leave your device - we do not receive them, store them, or transmit them anywhere. Because Terra Wallet is non-custodial, there is no server-side vault for an attacker to breach.

Automated security scanning and audits

Terra Wallet undergoes continuous automated security scanning using industry-standard tooling, including Semgrep static analysis and OWASP testing methodologies, so potential issues are caught early - on every change, before they ship. We also monitor our third-party dependencies for known vulnerabilities and patch them promptly.

Planned

A full independent third-party security audit of the app and key-management code is on our roadmap. We intend to publish the report on this site once it is complete. ISO 27001 process alignment is also in progress as we scale.

In-app protection against scams and risky transactions

Many losses in crypto come not from broken cryptography but from social engineering and look-alike tricks. Terra Wallet actively helps you avoid them:

  • Address-poisoning warnings flag look-alike addresses planted in your history.
  • Spam-token filtering hides junk and scam tokens airdropped to your wallet.
  • A verified-asset badge marks genuine, well-known tokens so you can spot fakes.
  • Plain-language transaction previews show what you are about to approve.
  • Explicit signing approval is required for every dApp and WalletConnect request - nothing is signed silently.
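The address-poisoning check described above, as an added illustration rather than Terra Wallet's own code: a poisoned entry is one that shares the visible prefix and suffix of a trusted address but differs in the middle, typically planted through a zero-value transfer. The addresses, the trusted-contact map and the prefix/suffix lengths are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (not real addresses): a trusted address book and a
# transaction history containing one planted look-alike entry.
TRUSTED_ADDR = "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"
LOOKALIKE = "0x1a2b3c" + "0" * 28 + "8f9a0b"  # same start/end, different middle
OTHER_ADDR = "0x9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6"

TRUSTED = {TRUSTED_ADDR: "Exchange deposit"}
HISTORY = [
    {"address": TRUSTED_ADDR, "value": 250.0},
    {"address": LOOKALIKE, "value": 0.0},   # zero-value poisoning transfer
    {"address": OTHER_ADDR, "value": 12.5},
]

@dataclass
class PoisonWarning:
    address: str      # the suspicious history entry
    looks_like: str   # the trusted address it imitates
    label: str        # the user's label for that trusted address
    reason: str

def normalise(addr: str) -> str:
    return addr.strip().lower()

def is_lookalike(candidate: str, trusted: str, prefix: int = 6, suffix: int = 4) -> bool:
    # Assumed prefix/suffix lengths mirror a truncated UI display such as 0x1a2b...9a0b.
    c, t = normalise(candidate), normalise(trusted)
    if c == t or len(c) != len(t):
        return False
    return c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]

def scan_history(history, trusted, prefix=6, suffix=4):
    # Flag every history entry that imitates a trusted address; a zero-value
    # transfer is the classic poisoning signature, so it is called out explicitly.
    warnings = []
    for entry in history:
        for t_addr, label in trusted.items():
            if is_lookalike(entry["address"], t_addr, prefix, suffix):
                reason = "zero-value transfer" if entry["value"] == 0 else "matching prefix/suffix"
                warnings.append(PoisonWarning(entry["address"], t_addr, label, reason))
    return warnings

def check_destination(addr, trusted, prefix=6, suffix=4):
    # Pre-send check: returns the label of the trusted address this destination
    # imitates (so the UI can warn), or None when it is trusted or unrelated.
    for t_addr, label in trusted.items():
        if is_lookalike(addr, t_addr, prefix, suffix):
            return label
    return None
```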

Protection against unauthorized access

Even with your device in hand, a thief should not be able to get into your wallet. Terra Wallet protects the app itself with layered access controls:

  • Recovery phrase - the master key, shown only after explicit authentication and never over the network.
  • Biometrics + PIN - Face ID / fingerprint with a 6-digit PIN fallback.
  • Auto-lock - the app locks in the background after a configurable timeout.
  • Anti-screenshot - sensitive screens block screenshots and screen recording.

Responsible disclosure

Security is a continuous process. If you are a researcher and believe you have found a vulnerability, we want to hear from you. Please report it privately through our support channel so we can investigate and remediate before any public discussion. We disclose issues responsibly - only after a fix is in place.

Planned

A formal, rewarded public bug-bounty program is in preparation. Until it launches, responsible reports through support are welcomed and appreciated.

Privacy and your data

The best way to protect data is not to collect it. Terra Wallet requires no sign-up, no email and no KYC to hold your own crypto. We do not sell your personal data or profile your activity for advertising. Self-custody means your keys - and your business - stay yours.

Your role: best practices

The strongest wallet still depends on a few habits only you can keep:

  • Write your recovery phrase on paper and store it offline. Never type it into a website, chat or email.
  • No one - not even Terra Wallet support - will ever ask for your recovery phrase. Treat anyone who does as a scammer.
  • Enable biometrics, a PIN and auto-lock, and keep your device software up to date.
  • Double-check addresses and review every transaction preview before approving.

Need a hand? Our team is one tap away on the support page.