Announcing ♨️steemwallet.app - a fast, secure and open source wallet app for the Steem blockchain (android & ios - out now)

For a couple of weeks in July and early August we were housesitting a fabulous place near the beach and it was 35°C (95 °F) for a while, so what better way than spending it behind the computer inside? It was during this time that @pharesim, who was/is travelling (and also paid a visit to the SteemWhale fountain!), came by with his companions in the Steemlambo and we discussed Steem during the night. He mentioned he really missed a simple, straightforward wallet app for Steem.

We discussed it a bit, I gave it some thought, researched a bit more later that night, and the next day, after I did some more research (I do still dev some apps sometimes - see https://shoudio.com for previous work), discussed it some more with @pharesim. @pharesim & co carried on with their trip and I was just experimenting some with signing transactions with dSteem and broadcasting them using the condenser API. Then I started experimenting with AES256 encryption for an encrypted, secure wallet file.

Rest assured this was all just testing, as I wasn't planning on actually building a full app, thinking it would draw too much time, which I desperately needed for @SteemFest, but then I just couldn't leave the idea sitting there on my computer, so I continued at nights, resulting in not much sleep :P.

And now it's here. After some legal mumbo jumbo with them apples (I needed to enroll with an "organisation" account instead of using my regular individual account - 3 weeks of back & forth reviewing the app, including the app review appeal board (!)) the ♨️steemwallet.app is live and available on both iOS and Android.

The app's complete code is open source, published under a Creative Commons License. So you can head over to my github repo and analyse the signing, storage and encryption of active keys (only needed should you want to use the send feature; it is not obligatory) and how the whole app works. The app is built using the open source Titanium Appcelerator app platform, where one can code in a combination of JavaScript, XML and stylesheets and have that compiled into native code, cross-platform!

I'm quite happy with v1 and here is what you can expect:

With the ♨️steemwallet.app you can monitor any account's balances on the Steem blockchain. Specifically you can:

  • Monitor any account's balances and recent Steem & SBD transactions
  • Optionally store your active key (or have it derived from your password) in a passphrase-encrypted wallet file and send Steem & SBD to any user by signing the broadcast operations with your key.

Security

Should you decide to use the feature of signing transfer operations (sending Steem or SBD), you will need to store your active key in a local wallet file. The contents of this wallet file are encrypted in a way similar to the cli_wallet app (the Steem chain's official command-line wallet). Note that you can also just use the app to monitor one or more Steem accounts' balances and recent transactions, without storing any key at all.

Here is how the security model of the ♨️steemwallet.app works, along with several other security-related features:

  1. The app uses AES256 encryption for storing your wallet file. The AES256 initialisation vector normally changes with every install of the app, so two wallet files with the same passphrase and the same key contents would not even look the same. This also means you can't export the wallet file: without that install's IV it could not be re-imported anywhere else. This app is therefore not meant to be the single storage place for your private keys!

  2. You are obliged to choose a strong passphrase before you can create the wallet file. The app uses the zxcvbn library to estimate the strength of your passphrase. Don't worry, this happens on your device, not online :P If you forget this passphrase there is no recovery: you have to delete and reinstall the app and start from scratch by re-importing your key(s).

  3. Parts of the great dSteem library are used, namely the signing of transaction operations, public key derivation from active keys, and the derivation of your active key should you log in with a password. The plaintext keys are only used for signing the operation and never leave the device.

  4. Devices with Touch ID or Face ID (or fingerprint on Android) can opt to use that feature to store and retrieve the passphrase from the device's native keychain, for easier decrypting and signing of operations. How each OS treats the storage of that passphrase differs a bit, but on both iOS and Android the stored passphrase is encrypted too: on iOS in the Keychain, whose encryption keys are protected by the Secure Enclave, and on Android in an encrypted .dat file in the app's private data folder.

  5. When sending to an account, the existence of that account is checked prior to actually broadcasting the transaction.

  6. Also when sending to an account, the app checks whether the account name is not on the 'bad actors list'. If you (accidentally) try to send to one of these known fraudulent accounts, the app prevents you from sending there.

  7. When sending with a memo, the app runs a simple sanity check on the memo (again, all on device) to see if you did not (accidentally) paste a private key into the memo field. The check: a string starting with 5 and 51 characters long, which is the shape of a Steem private key in WIF format. Memos are stored in plain text on the public chain, so a key pasted there would be visible to everyone. If the check matches, the memo field is reset and you are alerted.

  8. No tracking software is installed and analytics are disabled. The only data sent from the device is the requested blockchain information, calls to the condenser API hosted on api.steemit.com and the signed operations. Oh, and the device connects to Coinmarketcap sometimes to retrieve the Steem/SBD prices. However, seeing their API is going to be deprecated, this will change in December to another price provider (most probably self-hosted, and with multiple currencies beyond just USD).

Having said all this, I would encourage you to check the app's source code, especially the decrypt and encrypt parts.

Also I would firmly DIScourage you from using the send / active key encrypted storage features if you are using the app on a rooted or jailbroken device, simply because the integrity of the operating system you are using can then no longer be guaranteed.

Other features of the app:

  1. Add multiple accounts (as many as you like): Start off by adding one account; then tapping on your main account name will open an 'account picker dialog' where you can opt to add more accounts. You can monitor a whole list of accounts. If you hit send, you can add the active key for the selected account, should you have it. It is not required to have active keys in storage just for monitoring an account.

  2. QR scanner built in: At certain points in the app (the 'send to:' and 'import private key' fields) you can opt to fire up an in-app QR scanner, so you don't have to copy-paste your active key, but can scan it, for example from the security page on Steemit.

  3. QR code for 'receiving': An on-device QR code library generates a unique colourful QR code to present to anyone who wants to send Steem or SBD to you.

  4. Integration of SBD / Steem to USD prices. The app regularly updates prices from Coinmarketcap and shows you the current worth in fiat, should you be interested in that.

Updates waiting to be reviewed and released by Apple (already live for Android):

  • more transaction history visible

Feature requests already added to github:

  • Implementing Steem's custom url signing for broadcasting any operation onto the Steem chain, using the ♨️steemwallet.app
  • Implementing other fund related operations to be displayed in the transactions history (market_orders, transfer_to_vesting, powering up etc)

Want the app in your native language?
Feel free to check out the English language dictionary file on github, copy it, and make a pull request, following these instructions: https://github.com/roelandp/steemwallet#feature-requests-pull-requests



Download the ♨️SteemWallet.app for iOS or Android

https://steemwallet.app

View source: https://github.com/roelandp/steemwallet

SteemFest 3: 7 - 11 november 2018, Kraków Poland

SteemFest ticketshop opened 2 days ago! Check out my post about it here!
