Discussion: Provide users a way to verify the URI they're using autofill on

Open danielphan2003 opened this issue 11 months ago • 1 comments

On first adding a new URI field, Keyguard should prompt the user to verify that URI's legitimacy.

There are many platforms that need verification:

Android URIs (aka Android apps):

  • Verifying Android App Links
      • Not all apps use this.
  • Verifying app signature (derived from the process that Play app signing uses).
      • We could save the signature to custom fields, and use that to verify other instances of autofilling later on.
      • If the signature is different from what Keyguard has: warn the user before they proceed, and optionally allow them to add this to a list of verified signatures.

Web

  • /.well-known directories
  • DNS
  • HTTP headers

Other platforms

TBD.

IMHO is there already an infrastructure that can do all of this for us? I tried searching for uri attestation and uri verification and none came out.

Edit1: Cross posting this to Reddit.

danielphan2003, Aug 31 '23 20:08
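
The signature check proposed in the issue (pin on first use, compare on later autofills, warn on a mismatch, let the user add a new signature to the verified list) can be modelled as below. This is an added example, not Keyguard's code: the class and function names, the storage layout standing in for custom fields, the package name and the certificate bytes are all assumptions made for illustration. On Android the certificate bytes would come from the platform's package signing information.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    FIRST_USE = "prompt user to verify, then pin"
    MATCH = "autofill"
    MISMATCH = "warn before proceeding"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of a DER-encoded signing certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def signer_set(certs_der) -> frozenset:
    """An APK may carry several signers; treat them as one unordered set."""
    return frozenset(fingerprint(c) for c in certs_der)

class SignaturePins:
    """Pins per (vault item, Android package), standing in for the
    'custom fields' storage the issue suggests (hypothetical layout)."""

    def __init__(self):
        self._pins = {}  # (item_id, package) -> set of trusted signer sets

    def check(self, item_id, package, certs_der) -> Verdict:
        trusted = self._pins.get((item_id, package))
        if not trusted:
            return Verdict.FIRST_USE
        # Require the whole signer set to match, so an extra or missing
        # signer counts as a different signature.
        return Verdict.MATCH if signer_set(certs_der) in trusted else Verdict.MISMATCH

    def trust(self, item_id, package, certs_der):
        """Call only after the user explicitly confirms (first use or after a warning)."""
        self._pins.setdefault((item_id, package), set()).add(signer_set(certs_der))

# Constructed sample data: placeholder bytes, not real certificates.
GENUINE = [b"constructed-cert-A"]
REPACKAGED = [b"constructed-cert-B"]

def demo():
    pins = SignaturePins()
    pkg = "com.example.bank"  # hypothetical package name
    steps = [pins.check("item-1", pkg, GENUINE)]         # nothing pinned yet
    pins.trust("item-1", pkg, GENUINE)                   # user verified it
    steps.append(pins.check("item-1", pkg, GENUINE))     # same signer
    steps.append(pins.check("item-1", pkg, REPACKAGED))  # different signer
    pins.trust("item-1", pkg, REPACKAGED)                # user adds it to the verified list
    steps.append(pins.check("item-1", pkg, REPACKAGED))
    return [s.name for s in steps]
```

Pins are keyed by vault item as well as package, so a signature trusted for one entry does not silently extend to another entry that lists the same app.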