Recently, Ethereum's famous browser extension MetaMask has been exposed to security breaches, which may cause the user's Ethereum address to be unwittingly obtained by third parties such as DApp developers. We are already in safe question? Still a compromise in user experience? Analyzed in the MetaMask Privacy Leak Problem .
In fact, the problem with MetaMask is essentially the problem of excessive openness of private data permissions, making a security sacrifice for the user experience. Similar problems exist on the Android app side, especially in the use of apps such as digital wallets and exchanges. Beijing chain security expert C00lMan introduced the following scenario: For example, when we back up the private key or transfer money through the wallet address, we need to transfer the private key information or address information to other App. The strategy of most wallet apps at this time is to use the clipboard of the Android system as the transmission medium of data. Is this really safe? The answer is: not safe.
- Double 11: The best training ground for e-commerce giants' blockchain traceability
- Viewpoint | Blockchain don't pass the pass?
- Vitalik Buterin: Not very optimistic about the alliance chain, 5G technology can improve blockchain scalability
- Monthly Report | September Domestic and Foreign Blockchain Policy: Virtual Currency Mining Supervision Strengthens Legal Digital Currency Multi-Country Support
- Babbitt Site | Academician Zheng Zhiming of the Chinese Academy of Sciences: The establishment of China's national sovereign blockchain basic platform is imminent
- Babbitt site | Policies are hot, Tokenfund is cold, where are the investment opportunities for blockchain in 2020?
(Android system clipboard framework)
All apps in the Android system can be copied and pasted through the system clipboard, and the data stored in the clipboard can be accessed by all apps. An App registers a listen event through the interface that comes with the system. When new data is stored in the clipboard, the app can know what the copied data is.
(Register clipboard listener event function)
Imagine if you copied your private key data in the wallet app at this time, the app that registered the listen event can steal your private key information.
(wallet copy private key interface)
The figure above shows the digital wallet export private key interface, which illustrates a series of security tips that need to be paid attention to when the private key is saved. Since this article aims to explain the security of the Android system clipboard, it shields the interface that may reflect the specific characteristics of the wallet brand. . In fact, when you choose to copy the private key, it triggers a clipboard listener event.
(Stealing private key attack example)
As you can see from the above figure, after this event is intercepted, we can read the contents of the clipboard, steal the private key, and put your assets in an extremely dangerous situation.
Even the contents of the clipboard can be further modified. For example, if you copy the transfer destination address, the app can clear all the data of the clipboard first, then write a fake transfer address to the clipboard, so that when you pass When the system's "paste" function is used to enter the transfer address, you actually entered a fake address. This caused a phishing attack. The funds you transferred were stolen by hackers, and all this is in the unknown. Not finished.
It can be seen that the clipboard brings some convenience in sharing data between applications, but should important data be transmitted through the clipboard? How to better ensure the security of important data of users while ensuring convenience?
In this regard, we can actually adopt a safe data clipboard solution.
According to Zer0dMan, a mobile security expert from Beijing Chain Security, in the security sandbox technology, we can use high-intensity encryption of the data copied by the user through a special security technology and store it in a memory area created by the secure container. The area is the system. The clipboard is isolated, only the blockchain app launched in the security sandbox can be used, and applications outside the sandbox have no access to this zone. This solution not only ensures the security of user data, but also achieves a good user experience.