All cryptographic material is generated and stored within the device’s secure hardware (Secure Enclave for iOS, StrongBox or Trusted Execution Environment for Android).
Private keys are non-exportable and exist only inside the secure hardware module.
Transaction signing occurs locally, preventing exposure of key data to the main OS or network.
Sensitive files use AES-256 encryption with per-device keys derived from hardware entropy and user PINs.
On devices without hardware support, Xym falls back to a software key vault secured with Argon2-derived keys and enforced biometric authentication.
This design prevents extraction even under forensic examination or full system compromise.