samourai-wallet-android icon indicating copy to clipboard operation
samourai-wallet-android copied to clipboard

Published 20 hours ago verified publisher icon Samourai-Wallet

Option to disable/remove "show mnemonic seed" after wallet setup

Open infernix opened this issue 7 years ago • 9 comments

I'd like to be able to remove the option to display mnemonic seed. I don't quite understand why the option exists to show it after the initial setup. It means that it's stored somewhere in plaintext, correct? Or is this not possible when using a passphrase?

If it really can't be removed due to key derivation, at least the option should exist to never show it. It can come with big disclaimers but I feel it shouldn't be displayable after the initial setup. There can be cases where someone can snap a picture of it unbeknownst to me, or against my will.

infernix avatar Mar 02 '18 16:03 infernix

It is not stored anywhere in plaintext. It is decrypted and displayed upon demand. The passphrase, however, is not available on demand and must be remembered by the user.

SamouraiDev avatar Mar 02 '18 16:03 SamouraiDev

OK, so then it's stored encrypted. But does it have to be? Can it be forgotten?

Because I don't like it that this is possible:

  • Open wallet, do something
  • Go to home screen
  • Lock phone
  • Unlock phone
  • Use "task manager" to switch back to wallet
  • Directly open settings > Show mnemonic

I'm not prompted for pin, passphrase or anything else. You could make the argument that I should lock the phone with a pin etc, but that doesn't make this any less of a "vulnerability".

infernix avatar Mar 02 '18 17:03 infernix

The app does have a timeout feature which will disallow access after a period of inactivity via enforcement of PIN entry.

SamouraiDev avatar Mar 02 '18 17:03 SamouraiDev

I understand. But do you not agree that it is potentially a risk to be able to view the mnemonic seed? Isn't it enough to only show it upon wallet creation?

infernix avatar Mar 02 '18 19:03 infernix

In the case of Samourai, which imposes the use of a BIP39 passphrase for the wallets it creates, the mnemonic alone cannot restore the wallet.

SamouraiDev avatar Mar 02 '18 19:03 SamouraiDev

I understand that too. But that doesn't change my point?

infernix avatar Mar 02 '18 20:03 infernix

To further drive home my point, if I restore a wallet without a passphrase, or if I use one without a passphrase for plausible deniability (and another one with a passphrase as the "real" one), all that's needed is one peek or screenshot or photo of it. So I'd really like to see an option to "forget" it (provided that it's not needed anywhere) or otherwise opt to permanently disable viewing it.

infernix avatar Mar 02 '18 23:03 infernix

Just a shower thought: may be another option would be to ask for the PIN before displaying the mnemonic.

LaurentMT avatar Apr 03 '18 14:04 LaurentMT

I agree with @infernix - making the seed available (after the user has recorded it) reduces security of the wallet. Such an option should be difficult to trigger. The PIN and Passphrase should be required before showing it. Adding in a 1 minute delay and a huge warning would also be good.

jonathancross avatar Aug 02 '18 15:08 jonathancross