Random question that I just thought of out of pure curiosity:

Say I download Damus or another iOS client with my Apple ID that I’m required to use to download apps. Explain to me like I’m not a dev how my newly generated nsec is not tied to my identity (at least my Apple ID) or any network that I’m using. Because in my head it makes sense that it could be linked in one or both of those ways, but also I’m stupid.

Genuine question out of curiosity.


Discussion

I’m not a dev, but I don’t think iCloud stores your account details for apps unless you (can) use keychain.

Pretty sure Apple is RSA encryption based. Little more complicated than an npub and nsec.

For this to happen, Apple needs to know your new npub or nsec somehow.

Since npub/nsec are generated by the app, hopefully with some randomness, Apple won’t know what they are unless you tell them, or unless they are monitoring your activity and all of nostr well enough to piece together their concept of you + the nostr concept of you (your nsec/npub).

It seems like they are doing neither of those things, though they do know that their concept of you downloaded a Nostr app.

If someone can log in to your Apple ID they can find your nsec if the app:

- stores the nsec in keychain and you have iCloud keychain enabled

- stores the nsec somewhere else on device unencrypted and you have iCloud back-up enabled

So to keep your nsec safe, keep your Apple ID safe, or disable iCloud.

Also technically Apple can always get your nsec by pushing a malicious update to your device, but this is very tinfoil.
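An added example, not from anyone in this thread, of what "generated by the app with some randomness" means in practice: a Nostr keypair built from 32 bytes of local RNG output and encoded as NIP-19 nsec/npub. os.urandom stands in for the device RNG a client would use, and the curve arithmetic is textbook affine math (not constant time, illustration only); the point is that nothing tied to an account or a network connection is an input.

```python
import os

# secp256k1 domain parameters (public constants, the same curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (BIP-173)

def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def pubkey_x(secret):  # x-only public key (what npub encodes), double-and-add
    r, q = None, G
    while secret:
        if secret & 1: r = _add(r, q)
        q, secret = _add(q, q), secret >> 1
    return r[0].to_bytes(32, "big")
def _polymod(values):  # BIP-173 checksum polynomial
    gen = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1: chk ^= gen[i]
    return chk
def to_5bit(data):  # regroup 8-bit bytes into 5-bit symbols, zero-pad the tail
    acc = bits = 0; out = []
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5; out.append((acc >> bits) & 31)
    return out + ([(acc << (5 - bits)) & 31] if bits else [])
def bech32_encode(hrp, data5):  # plain bech32, as NIP-19 uses for nsec/npub
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = _polymod(values + data5 + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data5 + checksum)

def generate_keypair(entropy=None):  # entropy: 32 bytes, defaults to device RNG
    raw = entropy or os.urandom(32)  # the ONLY input: no Apple ID, no network value
    secret = int.from_bytes(raw, "big")
    if not 1 <= secret < N: return generate_keypair()  # 0 or >= N: redraw (rare)
    return (bech32_encode("nsec", to_5bit(raw)),
            bech32_encode("npub", to_5bit(pubkey_x(secret))))
```

Whether that nsec later leaves the device (keychain with iCloud sync, an unencrypted backup) is a separate storage question, which is the part the reply above is about.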