Android wallet

Radim Lipovčan 2018-10-18 22:48:10 +02:00
parent 92fe7bc3af
commit 962a3511c1
1 changed files with 32 additions and 25 deletions

@ -784,12 +784,26 @@ Ease of use is one of the critical aspects of every cryptocurrency and although
Following scenarios represent secure and easy to use instructions for a new Monero user.
\section{Generating the keys}
The software way means using the official client CLI and GUI wallet available at \url{https://getmonero.org/downloads/} by which user generates the wallet keys. Created keys are after generation saved directly into the memory of the device unless specified otherwise.
\section{Generating the keys and accessing the wallet}
One of the first challenges for Monero users is generating a keys and accessing the wallet.
\subsection{Windows and Linux platform}
The official client offers CLI and GUI wallet management and is available at \url{https://getmonero.org/downloads/}. Using the client users are able to generate the wallet keys. Created keys are after generation saved directly into the memory of the device unless specified otherwise.
Note that the security of this task depends on the origin of the software, delivery chain trust, and the users' operating system. Monero CLI and GUI binaries can be edited, and the app itself does not call any hash checking to alert the user of the unauthorized change.
\begin{figure}[H]
\begin{center}
\vspace{-0.8em}
\includegraphics[trim={0 0 0 0},clip,width=0.85\textwidth]{Screenshot_4.png}
\caption{GUI wallet generation}
\vspace{-1.5em}
\label{pic:guigenerator}
\end{center}
\end{figure}
Although SHA256 has is provided on the website, the user is not instructed to check the hashes beforehand with tools like PowerShell and \texttt{Get-FileHash ./monero-wallet-gui-original.exe | Format-List} command \cite{pialphapialphagammaiotaacutealphanunualpharhoovarsigma2016study}.\\
Security of this task depends on the origin of the software, delivery chain trust, and the users' operating system. Monero CLI and GUI binaries can be edited, and the app itself does not call any hash checking to alert the user of the unauthorized change.
Although SHA256 has is provided on the website, the user is not instructed to check the hashes beforehand with tools like PowerShell and \texttt{Get-FileHash ./monero-wallet-gui-original.exe | Format-List} command \cite{pialphapialphagammaiotaacutealphanunualpharhoovarsigma2016study}. Code injection was successfully tested on GUI binary of the official Monero wallet as seen in figure \ref{pic:codeinjectiongui}.
\vspace{-0.2em}
% Wallet key generation process is shown on examples in figures \ref{pic:cligenerator} and \ref{pic:guigenerator}. \\
\begin{figure}[H]
\begin{center}
\begin{lstlisting}
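Review bot: The sentence "Although SHA256 has is provided on the website" appears twice in this hunk and both copies carry the typo "has is" (should read "hash is"); "generating a keys" under the new \section{Generating the keys and accessing the wallet} also needs the article dropped. The plus and minus markers are not visible in this rendering, so please confirm that only one copy of that sentence and only one copy of the "security of this task depends on the origin of the software" paragraph survive in the new text. The Get-FileHash example only prints a hash, so the text should say that the user compares the output with the value published on the website, otherwise the step as written detects nothing. The \cite key pialphapialphagammaiotaacutealphanunualpharhoovarsigma2016study looks like an automatically transliterated author name; a short readable key would be easier to maintain. "Saved directly into the memory of the device" is ambiguous between RAM and persistent storage and should name which one is meant.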
@ -802,13 +816,10 @@ Hash : DF4EC49E088284ECC78DBBD8B9CEFF00A78085...
Path : ./monero-wallet-gui-injected.exe
\end{lstlisting}
\caption{Checksum change after code injeciton}
\label{pic:withoutresdrawable}
\label{pic:codeinjectiongui}
\end{center}
\end{figure}
\newpage
\vspace{-3.05em}
\begin{figure}[H]
\begin{center}
\begin{lstlisting}
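Review bot: The caption "Checksum change after code injeciton" on the relabelled figure still has the typo "injeciton" (should be "injection"); since this hunk already touches the figure to swap \label{pic:withoutresdrawable} for \label{pic:codeinjectiongui}, fix the caption in the same change. Make sure only one \label remains inside the figure, because two labels after one \caption resolve to the same number and the reused pic:withoutresdrawable name also shows up on other figures in this file. The \newpage followed by \vspace{-3.05em} is hand-tuned spacing that will drift as soon as the text above changes length; prefer leaving placement to the float.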
@ -830,36 +841,32 @@ wallet named: ssme-thesis
Generating new wallet...
\end{lstlisting}
\caption{CLI wallet generation}
\label{pic:withoutresdrawable}
\label{pic:cligenerator}
\end{center}
\end{figure}
\begin{figure}[H]
\begin{center}
\vspace{-2.05em}
% \vspace{-0.8em}
\includegraphics[trim={0 0 0 0},clip,width=0.85\textwidth]{Screenshot_4.png}
\caption{GUI wallet generation}
% \vspace{-1.5em}
\label{pic:withoutresdrawable}
\end{center}
\end{figure}
There are also alternative approaches to key generation like an offline javascript based monero-wallet-generator that is available at \url{https://github.com/moneromooo-monero/monero-wallet-generator}.\\
\newpage
\subsection{Hardware wallet}
Hardware way is considered to be in the development, but Monero compatibile devices like Ledger Nano S are already on the market. The way how keys are generated in hardware wallets varies on firmware included in each device.
In general, the wallet is required to have Monero app installed from vendors app catalog. Keys are generated on the hardware device within the app itself and user can only export private view key from the device to view the balance in full CLI/GUI client.
\section{Accessing the wallet}
\subsection{Using the Windows platform}
This way, user has private spend key always on the device and client PC has only private view key. To sign a transaction, user has to confirm the transaction on the device itself meaning the hardware wallet will sign the transaction and then sends it to the Monero client. By this, in case of security breach on the host computer, there is no Monero to steal.
\subsection{Using the Android platform}
There are two major wallet apps avaiable on Android, first being the Monerujo app and second is Monero Wallet by Freewallet.org.
Monerujo is opensource and
\subsection{Using the iOS platform}
\subsection{Using the Linux platform}
\section{Usage summary}
\section{Secure storage system}
\subsection{Backups}
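Review bot: The new Android subsection ends on the unfinished sentence "Monerujo is opensource and", and \subsection{Using the iOS platform}, \subsection{Using the Linux platform}, \section{Usage summary} and \subsection{Backups} have no body, so this should either be completed or marked as a work in progress in the commit message. The claim "in case of security breach on the host computer, there is no Monero to steal" is stronger than the preceding text supports: the same paragraph says the private view key is exported to the client PC, so a compromised host still exposes the balance and should be described that way. The GUI wallet figure using Screenshot_4.png appears both here with \label{pic:withoutresdrawable} and in the first hunk with \label{pic:guigenerator}; confirm only the pic:guigenerator copy remains, and that \section{Accessing the wallet} and \subsection{Using the Windows platform} no longer sit between the two hardware wallet paragraphs. Spelling: "compatibile" should be "compatible" and "avaiable" should be "available".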