This repository has been archived by the owner on Jun 11, 2024. It is now read-only.
Both lisk-desktop and lisk-mobile receive data from online services, mostly from instances of lisk-service maintained by the Lisk team. That data is used in various functionalities, but most importantly in the transaction construction and signing procedures. Some of the information received from the online services is not sufficiently validated.
A proper validation must comprise two phases:
Technical, in-code validation of syntax and basic semantic properties, invisible to the user. This type of validation covers, for example, length, format, and correspondence to other data the application already holds.
Manual validation of the data by the user. Users should be able to manually check and confirm data received from external (and therefore potentially malicious) endpoints before it is acted upon.
These confirmation screens should contain every piece of information the user needs to make an informed decision on whether to approve or reject the transaction. Specifically, the transaction summary screen (figure 83.2) is missing the chain ID and network fields, which would give the user more context for that decision.
Recommendation
Show the chain ID and network fields in the transaction approval screen in lisk-desktop. Validate and show the chainID in lisk-mobile. This ensures the user has all the information they need to make an informed decision.
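The two validation phases above, as an added JavaScript example that is not code from lisk-desktop or lisk-mobile: phase 1 rejects service responses whose chain ID, address or amounts fail format checks or do not correspond to the locally configured network, and phase 2 assembles the approval summary with the chain ID and network name included. It assumes 4-byte (8 hex character) chain IDs, 41-character Lisk32 addresses with a simplified character set, and string-encoded amounts; the field names are hypothetical.

```javascript
// Added example, not project code. Assumptions: chainID is 8 hex chars,
// addresses are "lsk" + 38 chars (charset simplified), amounts are
// non-negative integer strings. Field names are hypothetical.
const CHAIN_ID_RE = /^[0-9a-f]{8}$/;
const ADDRESS_RE = /^lsk[a-z0-9]{38}$/;
const AMOUNT_RE = /^[0-9]+$/;

// Phase 1: in-code validation of a service response against the
// network the wallet is configured for. Returns a list of problems;
// an empty list means the data may proceed to the summary screen.
function validateServiceTransaction(localNetwork, data) {
  const errors = [];
  if (typeof data.chainID !== 'string' || !CHAIN_ID_RE.test(data.chainID)) {
    errors.push('chainID: missing or not 8 hex characters');
  } else if (data.chainID !== localNetwork.chainID) {
    // Correspondence check: a service must not steer signing to another chain.
    errors.push(`chainID ${data.chainID} does not match configured ${localNetwork.chainID}`);
  }
  if (typeof data.recipientAddress !== 'string' || !ADDRESS_RE.test(data.recipientAddress)) {
    errors.push('recipientAddress: malformed');
  }
  for (const field of ['amount', 'fee']) {
    if (typeof data[field] !== 'string' || !AMOUNT_RE.test(data[field])) {
      errors.push(`${field}: must be a non-negative integer string`);
    }
  }
  return errors;
}

// Phase 2: build the summary the user confirms. Chain ID and network
// name are listed explicitly; nothing from the service response is
// used for signing without having been shown here.
function buildApprovalSummary(localNetwork, data) {
  const errors = validateServiceTransaction(localNetwork, data);
  if (errors.length > 0) {
    throw new Error('Rejected service data: ' + errors.join('; '));
  }
  return {
    network: localNetwork.name,
    chainID: data.chainID,
    recipientAddress: data.recipientAddress,
    amount: data.amount,
    fee: data.fee,
  };
}

// Constructed sample inputs (not real network or service data).
const LOCAL_NETWORK = { name: 'mainnet', chainID: '00000000' };
const GOOD = { chainID: '00000000', recipientAddress: 'lsk' + 'a'.repeat(38), amount: '100000000', fee: '165000' };
const WRONG_CHAIN = { ...GOOD, chainID: '04000000' };
```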
Which version(s) does this affect? (Environment, OS, etc...)
3.0
clemente-xyz changed the title from "Validate data coming from online services" to "Desktop and Mobile applications does not validate data coming from online services" on Jul 14, 2023.