unstoppable-wallet-android
Passphrase storing
Hello! Thank you, Unstoppable team, for the cool app.
I just want to clarify how the BIP39 passphrase works in other apps.
According to BIP39, the main purpose of the 13th word/passphrase is an additional security layer. If someone gets the 12 words/mnemonic phrase from a device or backup, they can't get access to the wallet without the passphrase. A positive bonus is that the user can generate many wallets using one mnemonic and different passphrases. https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
So, it is supposed that the passphrase shouldn't be stored in the device's persistent memory. For instance, Trezor asks for the passphrase every time when getting access or signing a transaction https://wiki.trezor.io/Passphrase
Whereas Unstoppable Wallet stores the passphrase in the database. And according to the description in the app, "Passphrase add additional security layer to the wallets...", but actually it doesn't do this because the passphrase is stored in the same place as the mnemonic. https://github.com/horizontalsystems/unstoppable-wallet-android/blob/db5bec87bdb3259fa343f050635966d0fb4b456a/app/src/main/java/io/horizontalsystems/bankwallet/core/storage/AccountRecord.kt
Please correct me if I am wrong. But I suppose that the passphrase should work consistently with other implementations.
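The derivation the post above refers to, as an added example that is not part of the original issue or the wallet's code: BIP39 computes the seed with PBKDF2-HMAC-SHA512 over the mnemonic, salted with "mnemonic" plus the passphrase, so what a copied storage record yields depends on whether the passphrase sits in it. The record layouts and the names `bip39_seed`, `seed_from_record` and `record_exposes_wallet` are hypothetical, and the mnemonic is the public all-zero-entropy phrase from the BIP39 test vectors.

```python
import hashlib
import hmac
import unicodedata


def _nfkd(text: str) -> bytes:
    # BIP39 requires NFKD normalization before UTF-8 encoding.
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """64-byte BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds,
    password = mnemonic, salt = "mnemonic" + passphrase."""
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, dklen=64)


# Constructed sample data: public test-vector mnemonic, never a real wallet.
MNEMONIC = "abandon " * 11 + "about"
PASSPHRASE = "TREZOR"
REAL_SEED = bip39_seed(MNEMONIC, PASSPHRASE)

# Hypothetical storage layouts (not the fields of AccountRecord.kt).
RECORD_WITH_PASSPHRASE = {"words": MNEMONIC, "passphrase": PASSPHRASE}
RECORD_WORDS_ONLY = {"words": MNEMONIC}  # passphrase asked from the user each time


def seed_from_record(record: dict) -> bytes:
    """Seed derivable from a copied record alone, with no user input."""
    return bip39_seed(record["words"], record.get("passphrase", ""))


def record_exposes_wallet(record: dict, real_seed: bytes) -> bool:
    """True if the record by itself reproduces the wallet's real seed."""
    return hmac.compare_digest(seed_from_record(record), real_seed)


if __name__ == "__main__":
    for name, rec in (("words + passphrase", RECORD_WITH_PASSPHRASE),
                      ("words only", RECORD_WORDS_ONLY)):
        print(f"{name:20s} exposes wallet: {record_exposes_wallet(rec, REAL_SEED)}")
```

With the passphrase kept out of the record, the stored words alone lead only to the empty-passphrase seed, which is a different wallet.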
Sorry for the delayed reply. Thanks, we are going to revisit the local storage of the passphrase in the near future.
@abdrasulov could you look into it please
We had a discussion on this. Taking into account the pros and cons we decided to leave it as is.
@abdrasulov Could you elaborate on what the cons of not storing the passphrase on a device are, please?
Sorry, we missed your question. We had a chat about this with @abdrasulov, and your reasoning for not implementing this would be that the user would be required to enter the passphrase on every app unlock, not just on transaction send.