Leo Wandersleb on Nostr: Transitive dependencies are a nightmare most wallet developers prefer not to think ...
Transitive dependencies are a nightmare most wallet developers prefer not to think about. While systems like mobile phones have very good separation of apps - one app cannot see what the other app is doing - same is not true for libraries. A library that lets you more conveniently process your data in your app could do all sorts of other stuff while at it. Like search for private keys in the app's memory and send them to a server if the app using the library has internet access. This is precisely what happened in an attack against a bitcoin wallet[1].
I had this long blog post[2] for some days open in a browser tab before I finally had Claude summarize it for me. It basically suggest to take the same precaution for library function calls as we already take for "apps" or processes in general. As it turns out there are several projects doing this already. Google Sandboxed API [3] and RLBox [4] for example.
At the Mycelium Android Wallet team I had led an effort to also isolate signing functionality from the main app through a separately installed app but it was discontinued for being impractical. It was probably my fault for not overcoming the engineering hurdles fast enough as it still appears to be the only way to well isolate key material from all the other fancy stuff wallet providers want to integrate for their business partners. Or do others know tools I don't know?
[1] https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
[2] https://tratt.net/laurie/blog/2024/can_we_retain_the_benefits_of_transitive_dependencies_without_undermining_security.html
[3] https://developers.google.com/code-sandboxing/sandboxed-api
[4] https://rlbox.dev/
I had this long blog post[2] for some days open in a browser tab before I finally had Claude summarize it for me. It basically suggest to take the same precaution for library function calls as we already take for "apps" or processes in general. As it turns out there are several projects doing this already. Google Sandboxed API [3] and RLBox [4] for example.
At the Mycelium Android Wallet team I had led an effort to also isolate signing functionality from the main app through a separately installed app but it was discontinued for being impractical. It was probably my fault for not overcoming the engineering hurdles fast enough as it still appears to be the only way to well isolate key material from all the other fancy stuff wallet providers want to integrate for their business partners. Or do others know tools I don't know?
[1] https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
[2] https://tratt.net/laurie/blog/2024/can_we_retain_the_benefits_of_transitive_dependencies_without_undermining_security.html
[3] https://developers.google.com/code-sandboxing/sandboxed-api
[4] https://rlbox.dev/