Hacker News
by lxgr 1112 days ago
> Everybody will have malicious keylogger on their phone eventually

Are there actually any keyloggers for iOS and Android? Unlike on desktop OSes, there isn’t even an API for that, so you’d need an actual OS exploit.

> fresh linux system with fresh wallet software

And how do you make sure that that doesn’t come with a keylogger (in a world where a significant number of people were to actually do that)?

1 comments

> you’d need an actual OS exploit

Not necessarily, for instance 3rd party keyboards like Grammarly are keyloggers by their very nature. They grab your input, process it, and give output in terms of grammar corrections. And a rogue app update can absolutely do the same.

> And how do you make sure that that doesn’t come with a keylogger

The same way you verify anything is what you want and stays that way, MD5/SHA256 hashes and airgaps.

It's possible to disable third party keyboards for sensitive data entry at least on iOS. Not sure if the same is possible on Android – worst case, a wallet could just provide their own keyboard/passphrase entry method.

> The same way you verify anything is what you want and stays that way, MD5/SHA256 hashes and airgaps.

How do you determine a given hash to be trustworthy? And how do you know you can trust your `sha256sum` implementation?

You're always trusting someone. Any security analysis pretending otherwise is worthless.