novasamatech / parity-signer

Air-gapped crypto wallet.
https://www.parity.io/signer/
GNU General Public License v3.0

Howto: Never have device online - no app store - install via USB #701

Open nuke-web3 opened 3 years ago

nuke-web3 commented 3 years ago

A suggested improvement to the wiki: detailing the methods to use a virgin (or freshly factory-reset) device with wireless hardware removed/destroyed, such that the device will never go online to do an install or update of the signer software.

This can be done on Android (I am not sure about iOS) by use of a USB drive to install/update the software.

Here is a primer on how to use USB with older devices. https://www.howtogeek.com/129800/how-to-use-usb-drives-with-the-nexus-7-and-other-android-devices/

USB-C drives should work with any device that has the port - so many modern devices could support a completely offline workflow without the need for any extra equipment. 😁

If desired, I am happy to put a PR together outlining how to do this - just tell me where to put it in the repo structure here 😀

burdges commented 3 years ago

I'd think this works for upgrades too, no? Is there a reason to warn against that?

nuke-web3 commented 3 years ago

Absolutely, I would need to test that data is preserved, so long as the key stores and possibly configuration files are not removed on uninstall/reinstall/upgrade... Are they? If so, could the app be changed to do so in encrypted form to preserve privacy?

kirushik commented 3 years ago

@NukeManDan It requires careful consideration whether using USB sticks to install the updated apk would actually be any safer than just using adb while connecting the phone over the wire. (Since USB sticks usually have firmware which can be exploited, as well as enough physical space to place an implant. It's true that such attacks would be slightly more involved than exploiting the operator's machine itself, but taking into account the usual lifecycle of a USB drive, this can be compensated with multiple machines being suitable targets to carry out the exploit.)

Of course, updating to the newer apk version would keep the key store intact (provided that the keys used to sign the apk haven't changed). But taking into account the uncertainty in threat modelling above, I think the suggested way of updating Signer would remain "factory-reset the device, then install the newer version from the source you trust, then go offline forever and only after that restore your key". This also answers why we're not recommending physically removing any wireless chips as a general measure (even if some groups of users might still prefer to do so to better accommodate their respective threat profiles).

Slesarew commented 3 years ago

@NukeManDan Do you think upgrading through QR code videos would be usable if you have to scan for like half an hour? It does not have to be half an hour straight, breaks are fine and skipping frames/shaky hand is OK.