XRPL-Labs / Xaman-App

Xaman (Formerly XUMM) for iOS and Android (React Native)
https://support.xumm.app

XUMM Advanced Settings allow customized Node URL (Additionally add entry for NFT devnet) #73

Closed XRP-DEV closed 2 years ago

XRP-DEV commented 2 years ago

Is your feature request related to a problem? Please describe. Not related

Describe the solution you'd like A new entry should be added to the node list for devnet (NFTs) and also it should be free text, so a user can just enter any URL to use as Node.

Todo

Additional context image

ZachRoberts25 commented 2 years ago

Created a PR for this change

https://github.com/XRPL-Labs/XUMM-App/pull/74

WietseWind commented 2 years ago

Thanks for this. However, we didn't add this feature for good reasons. We decided to not include this feature in the past and we still stand by the reasons for deciding this in the past. We have discussed this internally some time ago. We decided not to add the feature for users to add free text node addresses to Xumm.

This is where we prioritize end user protection above all. For bad actors, it's easy to spin up a custom network, trick users into adding their node URL (possibly hosted on a fancy, confusing domain name), making the end users believe they received something of value (e.g. XRP, but then fake XRP on the scam network).

Also, for security reasons, Xumm has an egress firewall: Xumm cannot connect to nodes not on an explicit whitelist, which is why we proxy non-standard node addresses through our platform. We must whitelist non-standard node addresses there.

The way we currently deal with this is:

  1. Decide if another network is safe enough to allow end users to interact
  2. Add it to our proxy whitelist, assigning a UUID
  3. Generate a QR for end users to add the custom node based on the UUID

Even our own Hooks V2 testnet has to be added this way, for example (see the QR): https://xumm.notion.site/Hooks-V2-staging-net-info-XLS20-518fa261c5cd49d2bcb89a5b9e7bef05
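
The following is an added example, not code from the Xumm app or from anyone in this thread. It sketches the design described in the comment above: built-in nodes are matched by exact parsed hostname, and any other network is reachable only through a proxy by a pre-approved UUID. Every name, host, UUID and the proxy URL shape are assumptions made for illustration.

```javascript
// Added example. All hosts, the UUID and the proxy URL shape are constructed
// placeholders, not values from the Xumm code base.
const BUILTIN_HOSTS = new Set(['node-a.example', 'node-b.example']);
const PROXY_HOST = 'proxy.example';
const APPROVED_UUIDS = new Set(['3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b']);
const UUID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/;

const deny = (reason) => ({ ok: false, reason });

function resolveNode(input) {
  const s = String(input).trim();
  // Custom nodes are referenced only by a pre-approved UUID (e.g. from a QR)
  // and are always reached through the proxy, never directly.
  if (UUID_RE.test(s.toLowerCase())) {
    const id = s.toLowerCase();
    return APPROVED_UUIDS.has(id)
      ? { ok: true, url: `wss://${PROXY_HOST}/${id}` }
      : deny('uuid-not-approved');
  }
  let u;
  try { u = new URL(s); } catch { return deny('not-a-url'); }
  if (u.protocol !== 'wss:') return deny('scheme');
  // "wss://node-a.example@evil.example" parses with host evil.example,
  // so any userinfo component is rejected outright.
  if (u.username || u.password) return deny('userinfo');
  if (u.port) return deny('port');
  // Compare the parsed, lowercased hostname exactly; a prefix or substring
  // match would accept "node-a.example.evil.example".
  const host = u.hostname.replace(/\.$/, '');
  if (!BUILTIN_HOSTS.has(host)) return deny('host-not-approved');
  // Rebuild the URL from the matched entry instead of echoing user input.
  return { ok: true, url: `wss://${host}/` };
}
```
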

XRP-DEV commented 2 years ago

Thanks for the speedy reply and info.