
Potential key leaks in screenshots

At certain times, such as when importing an existing wallet or when performing a manual backup, the wallet displays private keys or seed phrases. The app does not prevent screenshots from recording private key details. A user could, voluntarily or involuntarily, take a screenshot of the application. The screenshot would be saved to the gallery, where it is much more exposed.

Additionally, iOS automatically captures a screenshot of the application when the app is put in the background (and uses it to display the app in the app switcher). This screenshot is stored on the device file system, and while it is not directly accessible on a non-jailbroken device, it does not have the same security guarantees offered to an item stored in the iOS keychain. The screenshot is also displayed by the app-switcher menu and can be seen by anyone in possession of the unlocked device.

It is possible to prevent screenshots of sensitive information by implementing information hiding in the sceneDidEnterBackground or applicationDidEnterBackground life cycle events.
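
A sketch of the information hiding described above, added here as an example and not taken from the Family Wallet code base or its fix commit. It assumes a UIKit scene-based app whose SceneDelegate owns the window; showShield, hideShield and shieldTag are hypothetical names.

```swift
import UIKit

// Added example: covers the UI before iOS takes its app-switcher snapshot.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?

    // Tag used to find the cover view again (constructed value).
    private let shieldTag = 0x5EC

    // UIKit snapshots the scene shortly after this method returns, so the
    // cover must already be in the view hierarchy when we leave it.
    func sceneDidEnterBackground(_ scene: UIScene) {
        showShield()
    }

    // The app switcher shows the live UI while the scene is inactive,
    // so the cover is installed at this point as well.
    func sceneWillResignActive(_ scene: UIScene) {
        showShield()
    }

    // Remove the cover only once the user is back in the app.
    func sceneDidBecomeActive(_ scene: UIScene) {
        hideShield()
    }

    private func showShield() {
        // Do nothing if there is no window or the cover is already present.
        guard let window = window, window.viewWithTag(shieldTag) == nil else { return }
        // Dismiss the keyboard so a half-typed seed phrase loses focus.
        window.endEditing(true)
        let shield = UIView(frame: window.bounds)
        shield.tag = shieldTag
        shield.backgroundColor = .systemBackground
        shield.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        // Added last, so it sits above every view in this window.
        window.addSubview(shield)
    }

    private func hideShield() {
        window?.viewWithTag(shieldTag)?.removeFromSuperview()
    }
}
```

This covers the snapshot iOS takes for the app switcher; it does not stop a screenshot the user takes while the key or seed phrase is on screen.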

This was addressed in the following commits:

  • e1b4c43ce0e8db013305c863f2127e264755a772

Zellic © 2024