The forum discussion on Possible App Impersonation Attack is not clear. Specifically:
- Is there really an “impersonation attack” happening or is a user just not reading dApp dialogs?
- Is this specific to web instead of mobile?
AFAIK, it appears to be a user reading issue / messaging improvement issue, and not one where a user is unwittingly tricked into allowing one dApp access to another dApp’s GAIA bucket. Can someone elaborate if I am wrong? (See my reposted comment below for what happens in mobile today.)
Stealthy is working with other dApp developers to write data to their dApp GAIA buckets directly from Stealthy mobile. We’re using the redirect mechanism to access their GAIA buckets. This is required for a demo in late November, so if changes that will break this functionality are being committed, please let us know @friedger & @shreyas and provide us with an alternate mechanism for users to be able to work with their data. (We don’t have plans to update our use of Blockstack mobile SDKs in that timeframe, so if the changes are scoped to the SDK that is fine; however, going forward, this mechanism should be provided for in new SDK releases too.)
The “impersonation attack” description sounds like a user choosing to access their data from a different dApp (i.e. using TweetDeck to access Twitter data). The user downloads Fake.app knowing that it is not Authentic.app. @Jude’s point about clearer messaging to the user when accessing Authentic.app’s bucket from Fake.app is important.
Here’s an illustration of the situation today when a Stealthy User taps to access their Graphite bucket (using redirect.html):
[Image: Graphite Stealthy Login.jpg]
It could be clearer if it said something like @hank suggests or this: “Would you like to access your Graphite data from Stealthy? (Tap to learn more.)”