Android: Do not use system keyboard #3757
Comments
|
+1 |
|
Just to understand this better.: If the system keyboard is compromised, how the device file system could be trusted? Copay stores its key on the file system. What is the point of implementing a custom keyboard given that if the device is compromised the attacker you still have access to the key from, for example, the file system. |
|
If the third party keyboard app developer sends out data, it will ask for internet permissions. This is very benign and most users would think it is for "error reporting" or something... But some may be logging keys. Wheras, for a keyboard app to access the file system of another app, the device must be rooted. Adding the software keyboard helps with the mnemonic, as even if the attacker key logged your PIN or spending password, they would need your file as well. But with mnemonic, that is all they need. I don't think it is high priority, as someone with malware keyboard install has more problems than just bitcoin, I'm sure. |
|
thanks for the explanation. It is much clear now. On Wed, Jun 8, 2016 at 11:19 PM, Dabura667 [email protected] wrote:
Matías Alejo Garcia |
|
This is also a possibility on iOS now, with installable keyboards like GBoard. The only place where this could really be an issue is the backup restoration flow. (Since the backup flow does not require a keyboard.) For that flow, we could either:
|
User may be using third party keyboard such as swiftkey which can capture use inputs. Please use a inbuilt keyboard for more security.
E.g. Mycelium
The text was updated successfully, but these errors were encountered: