This is like coming to a soccer game wanting to play volleyball. Don't put your nsecs on apps that connect to the web.
Discussion
This is just fud, please show the vulnerability where connecting to the internet is magically going to leak the key.
Damus iOS works the same way and we have had 0 security incidents with leaked keys
This is why growth is so slow lol some of us just want to write notes and chill hahah
exactly
Same for Amethyst, but regardless I still don't recommend anyone to put any nsec on any client connected to the web. Especially on Android with the historical incidents we have seen in apps.
go on, not all of us are aware of the deets.
Most attacks on Devs are about fooling us into importing libraries that hide a callback to their server, exposing the user to lots of different attacks. Removing the Internet permission from your app blocks all callbacks. So, even if we get fooled into a lib, the app still does not leak information.
One day I’ll fool you into making an amethyst iOS version 😈
Aye, remember all the "and suddenly it's malware"
Keep in mind that not even Rust native can easily bypass the lack of internet permissions. You can load as many libraries as you want and it will be safe.
Shots fired 😂
What Damus is doing, with itself being a signer, is good, though there's a big UX issue (which leads to a security issue): having to copy/paste an nsec to a lot of different apps/sites (a UX issue connected with a security issue because of it) instead of using a signer app where.
I've yet to log into Damus with my/this account, and I haven't logged into Open Vibe either because of the same issue: No login with remote signer option.
My warning to nostr:nprofile1qqsr9cvzwc652r4m83d86ykplrnm9dg5gwdvzzn8ameanlvut35wy3gpz3mhxw309aex2mrp0yhx5c34x5hxxmmd9uqsuamnwvaz7tmwdaejumr0dshszythwden5te0dehhxarj9ekxzmny9u0ljp2l if he thinks he can be an android dev:
Amber has internet permissions though... 🤔
🤔
Maybe I messed something up in my install, but I don't see how it is supposed to communicate with bunkers without internet..
No, I did not mess up my install. Amber also uses internet to fetch profiles.
Only the nip46 flavor
Amber has the offline version and the bunker version
Interesting, thanks! Made me realize fdroid left me a couple versions behind.
I can see how it would work when amethyst is on the same device as amber, but how I would sign an event offline to authenticate on a website is totally beyond my comprehension.
Yeah, never use fdroid for anything.
The website can call a local app via intents. That doesn't require Internet.
But then, what do you suggest for any other app? Aren't browser extensions connected to internet via the browser too?
Yep, they are all at risk. That's why we like Amber on top of everything else.
Something something passkeys
I mean sure... But are you saying nostr is only safely used on a mobile with an app like amethyst that has support for an offline signer like Amber? Is there any desktop signer?
Nos2x-fox is a desktop signer. You can also use it in your mobile browser (only Mozilla derivatives, such as Firefox, IronFox, Tor, etc.).
Thanks! I know it, but by "desktop" and "off-line" I was not thinking about a browser extension. Appreciate the intention though.