MetaMask & WalletConnect.js

Changing the dapp experience to protect people’s privacy

Last weekend I attended the #WalletConf after EdCon. There were lots of fascinating talks about the future of Ethereum and wallet software.

One of the most important takeaways for me came from Dan Finlay, one of the creators of MetaMask. I want to make sure dapp developers know one thing:

MetaMask plans to phase out the injection of Web3.js

Today, the MetaMask Browser Extension automatically inserts a Javascript file into every single web page you visit. This allows dapp developers to talk to Ethereum via the MetaMask wallet quickly and easily.

Right click on this page, click Inspect Element, and search for Web3 to find it.

There are several drawbacks to the current approach. Most of them circle around users’ privacy. As Dan puts it:

MetaMask currently shows the selected account to each site that is visited. This is not an acceptable privacy feature, and user adoption has escalated the urgency of addressing this issue.

It has also been also criticized that the web3 API is visible at all, even to sites a user did not explicitly show it to, since this also provides some identifying information.

We need to shift away from doing this. It will require dapp developers to make changes to their apps. It is best to do this now while the number of daily active dapp users is fewer than a million.

John Backus, from Bloom, even worries that advertisers might be targeting people based on their Ethereum holdings:

I wouldn’t be surprised if some advertisers are already collecting this information. The information is rather easy to collect and has significant use in terms of targeting cryptocurrency holders.

Using an In-Browser Ethereum Wallet? Here’s Some Things You Should Know

What we need is a system where users can opt in to connect their wallet to the web. That is exactly what the team at MetaMask have been working on:

https://github.com/MetaMask/metamask-extension/issues/714

We think this flow is a huge improvement for users and developers. We should not be shy about making breaking changes to dapps now: no one is using them.

It will dappen. Give it time.

At Balance, our goal is to make it easier for people to make and use dapps. We recently released WalletConnect, our solution for getting dapps and wallets to talk to each other more easily. A large part of that project is WalletConnect.js, a drop-in library for developers to make it easier for them to add support for lots of wallets to their web-based dapps.

This is the popup that dapp developers can use from WalletConnect.js

The flow for people logging in to dapps will then be very simple and safe. You can opt in to a dapp, connect your wallet and interact with a dapp. Here is a mockup of what it would look like if you were using CryptoKitties and the Balance Wallet app.

Demonstrating the nitty gritty with the kitties

The plan is to introduce this change in stages. As Dan puts it:

I think we also agreed at the WalletConf that it could make sense to ease-in to this breaking change, by allowing end-users (who understand the new expectation of deliberately signing in) to first “enable” full-web3-stealth-mode.

Once we have that live, and enable the “request login” API, hopefully Dapp devs will see the new API as beneficial to migrate to, before we perform a hard break.

We will make sure that WalletConnect.js is ready for developers. You can follow our work at: github.com/walletconnect/walletconnect.js

You can follow the work being done by the MetaMask team here on GitHub issue #714:

Be signed out per domain until signing in · Issue #714 · MetaMask/metamask-extension

I am really excited to see what you all #BUIDL with these new tools!