[Zashi-iOS audit] Issue E: Copying of the seed phrase should be discouraged #1097
Comments
There are a few things we can do or at least we can take into consideration:
Here are the scenarios for 10s expiryTime being set:
Possible solution is to set another key called I see 2 problems with this approach
I see only 1 fully functional solution and that is to never let users copy the seed. Actually it wasn't in the Figma design, Honza put it there with no discussion in the team. So I put it there as well, we might reconsider this.
- copy with expiry time set draft
Thanks for describing the scenarios for us @LukasKorba! This seems like a good candidate to discuss tomorrow at the Zashi team call once we have the whole team on?
Very well explained Lukas! I've read research about this and it sheds some light on this kind of trade-off. Most probably users will make mistakes that will lead to loss-of-funds errors. Copy to clipboard is the easiest to develop and the most effortless way for users to quickly get started and have some sort of backup quickly. A less secure backup is probably better than having no backup at all given the probability of each scenario happening. See:
Cited paper is:
[Electric-Coin-Company#1097] Zashi-iOS audit Issue E
- copy to pasteboard has been removed from recovery phrase seed completely
- copy seed to pasteboard added to the debug menu, please note, the debug menu will not be in production build, issue Electric-Coin-Company#1113
From @defuse's draft report: