Inconsistency in derivation paths by default between Android and iOS (v6.1.2)
Juanma0x opened this issue · 7 comments
In version 6.1.2, newly created accounts on iOS and Android exhibit inconsistent behavior with derivation paths:
- iOS generates accounts with the derivation paths
//polkadot,//kusama, and//westend. - Android, however, creates accounts without any derivation paths.
For a consistent UX, reduced frustration, and improved documentation, both systems in version 6.1.2 should generate accounts similarly.
Version numbers are not in sync between android and ios, current upstream android generating the same paths, it's just not released to production.
Do you thinks it's important to release asap?
Thanks for your response @Dmitry-Borodin!
I think it is important that the Android version is released asap so the app has the same behaviour on both platforms. It would also be good if the versioning is the same on both OS. These will allow consistency in the support articles we write and the support we give to users, regardless of their OS.
However, I have to ask why was this change introduced. This was the behaviour of old Parity Signer and I thought the deprecation of these custom derivation paths was a big improvement of Vault, because account generation now worked like on every other ecosystem wallet. With this revert to the custom derivation paths this compatibility is broken again.
Also, what is the address (?) shown at the top, 85L9... in your screenshot? In the previous version (current Android version) the Substrate address of the account was displayed there.
So, IMO ideally the iOS version should be changed to match the current Android version, i.e. these changes should be rolled back.
@michalisFr I think current iOS version aligns with guidelines for current Vault approach: https://hackmd.io/7OPDldkXRhOIBwlHfnwzSw
@michalisFr I think current iOS version aligns with guidelines for current Vault approach: https://hackmd.io/7OPDldkXRhOIBwlHfnwzSw
Thanks @krodak! I wasn't aware of these guidelines. But honestly I'm surprised that Gav suggests this approach. No other wallet works in that way (including PJS-UI) and that breaks the ability to use accounts across networks, since each network has a different keypair now. Of course, the other wallets are hot wallets, but I don't see why that would be a factor.
Do you happen to know the rationale behind these guidelines? I'm trying to think if it adds security, but I can't see how, since what's almost always compromised is the mnemonic, not the private key.
Do you happen to know the rationale behind these guidelines? I'm trying to think if it adds security, but I can't see how, since what's almost always compromised is the mnemonic, not the private key.
Signer v6 allows for private key export, making its leakage a highly probable security risk. Derivations help isolate accounts. But if the mnemonic is compromised, the game is over in any case.
When it comes to using BareSr25519/BareEd25519 format for the root key, I believe it's done to differentiate it from regular accounts.
Thanks for the details @prybalko, I wasn't aware private key export is possible. Still I would argue that as attack vectors go a compromise of the mnemonic through human error is still way more likely than a compromise of the private key in any other way (especially on a disconnected phone) and that we're sacrificing a lot in user experience for little gain in security.
But that's just my opinion. Since this is the direction Vault is going, I just want to ask that you update the Android version as soon as possible so that both versions work the same way. And if possible, that the app follows the same versioning on both platforms.
Thank you everyone for your inputs!
#2192
Will release within next week.