Is it safe to copy and paste your nsec into a local app on my phone? Obviously not in a browser on the phone.
Discussion
Depends on the app, of course... Damus on iOS, or Amethyst/Nostros/Plebstr on Android, these are probably safe.
Just mainly TestFlight apps for nostr, like Current and Iris.
“Probably” ?
It's open source, so we can assume that other people are looking at it and it's not too bad.
But it would be nice if there was a better solution.
Unfortunately that solution is a systemic problem affecting the entire planet, not just nostr.
You're just trusting them to custody your private key correctly.
Most of these apps are not even storing it in the keychain.
They can't, because the hardware doesn't support the curve that we use and the operations needed.
So even if they do stuff it in there, they're going to stuff it in there as a wrapped encrypted object that they're going to unwrap and use as a raw key.
Ultimately, it's not safe to put your private key anywhere. It should live on a YubiKey or something and never leave unless explicitly exported to another public key (using a cert that verifies the hardware). But browsers and smartphones simply have shitty support for talking to device keychains and hardware devices. And a lot of this failure is caused by the cryptography community with increasingly opaque and bad standards (won't let me do a DH operation, because I might do it wrong).
So we all just paste private keys.
The entire cryptography community got something very basic wrong when X.509 came out.
It's the same thing they get wrong when it comes to password security.
Every time you try to prevent users from using the gun you made to shoot themselves in the foot, you inevitably create a new class of users that just make their own gun from scratch, which is arguably much more dangerous.
Good example: frequent password changes lead to people making easy-to-remember passwords with minor differences on the end, or writing them down, or sticking them all in a notepad doc on their machine.
Better solution: require very long passphrases with no special characters. Long == hard to break.
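
Editor's note, an added example that is not part of the thread or any of the apps named in it. The point above is that an nsec is just a raw 32-byte secp256k1 secret key in a text wrapper, and that an app which "stores it wrapped" still has to turn it back into that raw key to sign. The block below decodes and encodes the NIP-19 bech32 form, checks the scalar is in range for the curve, and then wraps and unwraps the key under a passphrase. The wrap construction (scrypt-derived key, HMAC-SHA256 counter-mode keystream, encrypt-then-MAC) is a stand-in chosen so the example runs on the Python standard library alone; a real app would use a platform keystore or an AEAD such as AES-GCM, but the shape of the problem is the same: `unwrap_key` hands back the raw key bytes. The sample key is constructed, not a real one.

```python
"""Added example: what an nsec is, and why a "wrapped" copy still becomes a raw key.

Assumptions (not from the thread): nsec is the NIP-19 bech32 encoding of a
32-byte secp256k1 secret scalar. The wrap/unwrap below is a stand-in for an
app's passphrase-based storage (scrypt + HMAC-SHA256 keystream, encrypt-then-MAC),
not any real app's or library's code.
"""
import hashlib
import hmac
import os

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"          # bech32 alphabet (no 1, b, i, o)
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _polymod(values):
    """bech32 checksum polynomial (BIP-173)."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    """Regroup a bit string (8<->5 bits); None if unpadded input carries junk bits."""
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for v in data:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def encode_nsec(raw: bytes) -> str:
    """Raw 32-byte key -> 63-character nsec1... string."""
    data = _convertbits(raw, 8, 5, True)
    chk = _polymod(_hrp_expand("nsec") + data + [0] * 6) ^ 1
    data += [(chk >> 5 * (5 - i)) & 31 for i in range(6)]
    return "nsec1" + "".join(CHARSET[d] for d in data)


def decode_nsec(nsec: str) -> bytes:
    """nsec string -> raw 32-byte key; ValueError on any checksum/format error."""
    hrp, _, body = nsec.lower().rpartition("1")
    data = [CHARSET.find(c) for c in body]
    if hrp != "nsec" or min(data, default=-1) < 0:
        raise ValueError("not an nsec")
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad bech32 checksum")
    raw = _convertbits(data[:-6], 5, 8, False)
    if raw is None or len(raw) != 32:
        raise ValueError("bad payload length")
    return bytes(raw)


def is_valid_secret(raw: bytes) -> bool:
    """A usable secp256k1 secret key is an integer in [1, n-1]."""
    return 0 < int.from_bytes(raw, "big") < SECP256K1_N


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream standing in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _kek(passphrase: str, salt: bytes):
    """Passphrase -> (encryption key, MAC key) via scrypt (16 MiB, stdlib)."""
    k = hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return k[:32], k[32:]


def wrap_key(raw: bytes, passphrase: str) -> bytes:
    """What 'storing it wrapped' looks like at rest: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = _kek(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(raw, _keystream(enc_key, nonce, len(raw))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_key(blob: bytes, passphrase: str) -> bytes:
    """To sign anything, the app must do this and hold the raw key in memory."""
    salt, nonce, ct, tag = blob[:16], blob[16:28], blob[28:-32], blob[-32:]
    enc_key, mac_key = _kek(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed example key, not a real one").digest()  # constructed
    nsec = encode_nsec(key)
    blob = wrap_key(key, "correct horse battery staple")
    print(nsec, decode_nsec(nsec) == key, unwrap_key(blob, "correct horse battery staple") == key)
```

Two things worth noticing when running it: a single flipped character in the nsec fails the checksum rather than silently yielding a different key, and the value returned by `unwrap_key` is byte-for-byte the secret that was pasted in. Whatever the wrapping, that raw value exists in the app's address space at signing time, which is the exact thing a hardware-resident key avoids.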

Thank you, that was good info. I have no idea how to put it on a YubiKey, but maybe I should spend time working on that part of my security setup instead of mobile authenticators. They scare me anyway if I happened to lose my phone.