In a reddit post, redditor u/rm-84 has been poking around the Arbor Wallet mobile app code and discovered something that was definitely not made clear and should give security conscious Chia user pause when using the app for critical transactions.
You should head to reddit and read the discussion, but in a nutshell the following codeblock in the Arbor Wallet transaction library wallet-service.dart is sending the private key along with transaction details to the central service to sign transactions.
Future<dynamic> sendXCH(
{required String privateKey,
required var amount,
required String address,required int fee}) async {
try {
final responseData = await http.post(
Uri.parse('${baseURL}/v1/send'),
headers: <String, String>{
'Content-Type': 'application/json; charset=UTF-8',
},
body: jsonEncode(<String, dynamic>{
'private_key': privateKey,
'amount': amount,
'destination': address,
'fee': fee
}),
);
This is not great, although before you get your pitchforks out its important to read the developer response from DFI:
RigidityMC
Hello, lead DFI developer here. I can appreciate where your concern is coming from.
This is intended behavior, and is not malicious. We do not store your keys on the server in a database, which would be terribly insecure. However, we do send the private key over an SSL encrypted connection to our server for the signing of transactions.
This is not the most secure way to do this, as others here have noted. And we have already been thinking of solutions for the future. Keep in mind this wallet is very new, and we have a backlog of changes we need to add.
Our future plan to improve this is to do as u/rm-84 suggested, and sign the transactions locally. This would require a substantial amount of work, as an entire Dart implementation of CLVM, BLS-Signatures, and other complementary libraries would have to be created or ported.
I assure you that we are doing the best to keep our servers safe, and there is no database to leak. We will continue to improve security as time goes on.
I agree with the commenters who are expressing concern here, that its not very easy to keep keys secure as they pass over the wire – even encrypted with TLS. I hope that they take the concerns seriously and update the app to sign the transaction on-device and send a tamper-proof transaction bundle to the service instead of a JSON response containing the private key.
I thought the hackathon was suppose to review the code/source to ensure of proper security.
How did they get first place if this is true?
That never happened.