Concern about copying private keys for backups

The problem was flagged by @Scrivdotorg in Telegram.

When you back up your private keys in the app, the most common way to do it would be to copy and paste your keys, but this creates a valid concern about privacy: any malicious app could be listening to the clipboard in the background and potentially steal all your private keys, or the user could paste them wherever they think would be nice, which in reality could be dangerous.

Proposed solution

  • Instead, make a PDF or an image with all the keys and their respective QR codes. This way, we’ll not be touching the public clipboard of the cellphone, and we could also incentivize the user to print out the generated keys, which is much safer than what most users do: paste it all into WhatsApp or some other equally insecure or worse app.
9 Likes

I have had similar concerns in another post. It was my very first concern actually when finally joining incognito as a user. My solution was for the user to input a password and then download an encrypted zip file.

The PDF solution is better I think! This should totally be done. It’s a great idea!! PDFs can also have a password. I don’t know if that improves the idea or not.

The most important thing in my opinion is that the raw text of the private keys doesn’t exist in that format anywhere when exported.

4 Likes
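
The password-protected export suggested above, sketched as an added example (not part of the original posts and not the Incognito app's code): the keys are encrypted with AES-256-GCM under an scrypt-derived key, so the exported file never holds them as raw text. The function names, file layout, scrypt parameters and sample account are assumptions; only Node.js's built-in `crypto` module is used.

```javascript
const crypto = require('crypto');

// Assumed scrypt cost parameters for this sketch; tune for the target device.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const HEADER = Buffer.from('wallet-backup-v1'); // hypothetical format label, bound as AAD

// Constructed sample data, not a real key.
const SAMPLE_ACCOUNTS = [{ name: 'Anon', privateKey: 'CONSTRUCTED-PRIVATE-KEY-0001' }];

function deriveKey(password, salt, params) {
  return crypto.scryptSync(password.normalize('NFKC'), salt, 32, params);
}

// Returns a JSON string with no key material in clear; safe to write to a file.
function exportBackup(accounts, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every export
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt, SCRYPT), iv);
  cipher.setAAD(HEADER);
  const ct = Buffer.concat([cipher.update(JSON.stringify(accounts), 'utf8'), cipher.final()]);
  return JSON.stringify({
    v: 1, kdf: 'scrypt', N: SCRYPT.N, r: SCRYPT.r, p: SCRYPT.p,
    salt: salt.toString('base64'), iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64'),
  });
}

// Throws if the password is wrong or the file was modified (GCM tag mismatch).
function importBackup(blob, password) {
  const b = JSON.parse(blob);
  if (b.v !== 1 || b.kdf !== 'scrypt') throw new Error('unsupported backup format');
  // maxmem stays capped locally so a crafted file cannot demand unbounded memory.
  const params = { N: b.N, r: b.r, p: b.p, maxmem: SCRYPT.maxmem };
  const key = deriveKey(password, Buffer.from(b.salt, 'base64'), params);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(b.iv, 'base64'));
  decipher.setAAD(HEADER);
  decipher.setAuthTag(Buffer.from(b.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(b.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}
```

The same encrypted blob could be what a QR code or PDF carries, so a printed or shared backup is only as exposed as its password.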

True! PDF could have passwords.
Could you share with me the link to the post you made? :smiley:

2 Likes

Actually it looks like I joined someone else’s topic rather than creating my own. It’s here:

1 Like

We should also add a “Screenshot blocking feature” to the app. I think it will be easy for the devs to implement; almost all banking apps and chat apps have that.

1 Like

This is easy to implement in new versions of Android, but if we decide to include this in the app I hope it will be optional. Very often I am helping or explaining things to others, and screenshotting the app makes it easy.

2 Likes

Sure! Should be an option that you can enable or disable.

Unfortunately I don’t think it works that way in newer versions of Android. For example, banking apps don’t let you screenshot because of options they set in the app when building it. Incognito would have to come up with their own methods for preventing screenshots in order to allow the end user to turn that function on or off.

1 Like

The ability to take screenshots can be optional, even in newer versions of Android. Take for example Telegram, which has that option when you set up a password for the app.

2 Likes

I agree screenshots are needed for anything customer service related and make testing easier as well.

1 Like

We can also add more ways to protect the account, like “create 12 keyphrase password”, besides using the PDF file.

3 Likes