Concern about copying private keys for backups

The problem was flagged by @Scrivdotorg in Telegram.

When you backup your private keys in the app, the most common way to do it would be to copy and paste your keys, but this creates a valid concern about privacy: any malicious app could be listening to the clipboard in the background and potentially steal all your private keys, or the user could paste it wherever they think would be nice, which in reality could be dangerous.

Proposed solution

  • Make instead a PDF or an image with all the keys and their respectively QR codes. This way, we’ll not be touching the public clipboard of the cellphone, and we could also incentive the user to print out the generated keys, which is much safer that what most users do: paste all into WhatsApp or some other equally unsecure or worst app.
8 Likes

I have had similar concerns in another post. It was my very first concern actually when finally joining incognito as a user. My solution was for the user to input a password and then download an encrypted zip file.

The PDF solution is better I think! This should totally be done. It’s a great idea!! PDF’s also can have a password. I don’t know if that improves the idea or not.

The most import thing in my opinion is that the raw text of the private keys don’t exist in that format anywhere when exported.

4 Likes

True! PDF could have passwords.
Could you share with me the link to the post you made? :smiley:

1 Like

Actually it looks like I joined someone else’s topic rather than creating my own. It’s here:

1 Like

We should add a “Screenshot blocking feature” to the app also I think it will be easy to implement it for the devs almost all banking app and chat app have that.

1 Like

This is easy to implement in new versions of android but if we decide to include this in the app I hope it will be optional. Very often I am helping or explaining things to others and screenshoting the app makes it easy.

2 Likes

Sure ! Should be an option that you can enable or disable

Unfortunately I don’t think it works that way in newer versions of android. For example on banking apps they don’t let you screenshot by the options they set in the app when building it. Incognito would have to come up with their own methods for preventing screenshots in order to allow the end user to turn that function on or off.

1 Like

The ability to take screenshots can be optional, even in newer versions of android. Take for example Telegram, who has that option when you setup a password for the app.

1 Like

I agree screenshots are needed for anything customer service related and make testing easier as well.

1 Like

We can also add more ways to protect the account like “create 12 keyphase password” beside using the pdf file

3 Likes