Custodial Mobile Crypto Wallet Development

TRUETECH is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 1735 services
Custodial Mobile Crypto Wallet Development
Complex
from 2 weeks to 3 months
FAQ
Our competencies:
Development stages
Latest works
  • image_mobile-applications_feedme_467_0.webp
    Development of a mobile application for FEEDME
    756
  • image_mobile-applications_xoomer_471_0.webp
    Development of a mobile application for XOOMER
    624
  • image_mobile-applications_rhl_428_0.webp
    Development of a mobile application for RHL
    1052
  • image_mobile-applications_zippy_411_0.webp
    Development of a mobile application for ZIPPY
    947
  • image_mobile-applications_affhome_429_0.webp
    Development of a mobile application for Affhome
    862
  • image_mobile-applications_flavors_409_0.webp
    Development of a mobile application for the FLAVORS company
    445
Show more works

Custodial Mobile Crypto Wallet Development

In a custodial wallet, users' private keys are stored by the operator. Fundamental difference from non-custodial: user trusts operator with asset management, operator takes responsibility for security. This is the model used by most centralized exchanges (Coinbase, Binance) and corporate crypto solutions.

Technically simpler for user — no seed phrase to protect, familiar recovery via email. But server infrastructure security requirements and regulatory burden — incomparably higher.

Key Storage Architecture

Storing user private keys in regular database — recipe for disaster at first breach. Correct architecture:

HSM (Hardware Security Module). Physical device generating, storing, using keys — they never leave HSM. Transaction signing happens inside HSM: app sends transaction, HSM returns signed transaction, key not exported. Popular solutions: Thales Luna, AWS CloudHSM, Azure Dedicated HSM.

KMS (Key Management Service). Cloud equivalent: AWS KMS, Google Cloud KMS, Azure Key Vault. Keys not exported, signing operations via API. Cheaper than HSM, easier to scale, but keys in cloud provider — regulatory restrictions for some jurisdictions.

MPC (Multi-Party Computation). Modern approach: private key never fully exists in one place. Multiple participants (server nodes) hold key shards, signing happens via MPC protocol without key reconstruction. Resilient to single node compromise. Fireblocks, Fordefi, ZenGo use this.

Cold/Hot Storage Scheme. Majority of funds — in cold storage (offline HSM, hardware wallets). Hot wallet (online) — operational reserve for current withdrawals. 95/5 or 98/2 ratio — industry standard for exchanges.

Server Transaction Architecture

Client app doesn't sign transactions — only initiates request. Flow:

  1. User enters withdrawal parameters in mobile app
  2. App sends request to backend with authentication (JWT + 2FA)
  3. Backend validates: sufficient funds, limits not exceeded, address in whitelist
  4. Request queued for signing (not automatic — may require manual or automatic approval)
  5. Signing service requests HSM/KMS to sign transaction
  6. Signed transaction sent to blockchain node
  7. Confirmation monitoring, user notification

Transaction queue — not just async processing. Protection from parallel attacks: two withdrawal requests of same balance can't both pass. Optimistic or pessimistic locking on account level when withdrawal initiated.

Accounting: UTXO vs Account-Based

For Ethereum-compatible networks — account-based model. One address per user or address pool with mapping:

  • Dedicated address: each user gets unique deposit address → simpler incoming ID, expensive in gas consolidating
  • Shared address + memo/tag: one deposit address, identification via memo (like XRP, TON) or calldata

For Bitcoin — UTXO. Each UTXO owned by specific user or requires address-transaction mapping. Specific Bitcoin address per deposit, sweep UTXO to cold wallet on schedule.

Internal accounting database must provide instant balances without blockchain queries. All operations in internal DB, blockchain final confirmation. Like a bank: internal accounting system doesn't wait for Fedwire for each balance request.

Mobile Client: Custodial Model Specifics

For user, custodial wallet closer to bank app than MetaMask. Features:

  • Registration/login with KYC (if required by regulator)
  • Real-time asset balances (WebSocket for live updates)
  • Transaction history with filters
  • Sending (with address book, QR scanner, address whitelist)
  • Receiving (QR with address, monitoring incoming)
  • Swap between assets (via internal engine or aggregator)

Biometric auth on device — for operation confirmation, but doesn't protect key itself (keys on server). Here biometry protects app session.

KYC and AML — Regulatory Obligation

Custodial wallet in most jurisdictions — financial service. VASP (Virtual Asset Service Provider) per FATF Recommendations. Means:

  • KYC (Know Your Customer): identity verification, documents, selfie liveness check. Integration with providers: Sumsub, Onfido, Jumio, Veriff
  • AML screening: transaction checks against sanctions lists (OFAC, EU), blocking known mixers and darknet addresses. Providers: Chainalysis, Elliptic, TRM Labs
  • Travel Rule (FATF Recommendation 16): transfers > $1000 require sender/recipient data transmission between VASPs. Protocols: TRP, OpenVASP, TRISA

Without this in EU, US, most developed countries — can't legally operate. KYC/AML integration — mandatory stage, not optional.

Push Notifications and Monitoring

Monitor incoming transactions — via blockchain provider webhook (Alchemy Webhooks, Moralis Streams, QuickNode Streams) or own event listener. On deposit confirmation — credit internal balance, send push via FCM/APNs.

Suspicious activity alerts: login from new device, large withdrawal, email change — immediate push + email.

Timeline and Stages

MVP custodial wallet (one blockchain, basic operations, KMS instead of HSM, simplified KYC) — 2–3 months. Full system with HSM/MPC, multichain support, AML integration, regulatory reporting — 6–12 months team. Regulatory part (obtaining VASP license) — parallel process, timeline depends on jurisdiction. Cost calculated after analyzing requirements: number of blockchains, jurisdictions, KYC/AML scope, security infrastructure requirements.