Changes related to the forum post Possible App Impersonation Attack appear to be scoped to the newest Blockstack iOS and Android SDK code.
@friedger, @shreyas, @jude: do these changes require or imply Gaia hub or infrastructure modifications that would break deployed mobile dApps for users? (We didn’t see any, but it’s important for our userbase that we confirm this.)
I can’t speak for everyone, and we haven’t discussed any concrete changes that we want to make (at least that I’ve heard). But I can say pretty confidently that we wouldn’t push out a breaking change (of any kind) without a long period to make sure every developer understands and has time to make the change.
Some of the proposed changes, like using an app’s private key to encrypt the authResponse, would almost definitely be opt-in on a per-app basis, i.e. the developer could specify, maybe in the manifest.json, that they want their response to be encrypted. If that wasn’t present, the old auth flow would continue.
I 100% agree that we should do everything possible to not break existing applications.
As Hank mentioned there is nothing concrete that we are moving forward with just yet. As we figure out a path forward we’ll definitely try to avoid breaking changes. In the event that something does break existing apps, you’ll hear about it first :).
The leading solution for this issue seems to be the use of Universal Links in iOS and App Links in Android, so there should be nothing to worry about in terms of breaking infrastructure changes.