MetaMask & WalletConnect.js
Changing the dapp experience to protect people’s privacy
Last weekend I attended the #WalletConf after EdCon. There were lots of fascinating talks about the future of Ethereum and wallet software.
One of the most important takeaways for me came from Dan Finlay, one of the creators of MetaMask. I want to make sure dapp developers know one thing:
MetaMask plans to phase out the injection of Web3.js
There are several drawbacks to the current approach. Most of them circle around users’ privacy. As Dan puts it:
MetaMask currently shows the selected account to each site that is visited. This is not an acceptable privacy feature, and user adoption has escalated the urgency of addressing this issue.
It has also been also criticized that the
web3API is visible at all, even to sites a user did not explicitly show it to, since this also provides some identifying information.
We need to shift away from doing this. It will require dapp developers to make changes to their apps. It is best to do this now while the number of daily active dapp users is fewer than a million.
John Backus, from Bloom, even worries that advertisers might be targeting people based on their Ethereum holdings:
I wouldn’t be surprised if some advertisers are already collecting this information. The information is rather easy to collect and has significant use in terms of targeting cryptocurrency holders.
While developing the Bloom dApp, we frequently stumble across noteworthy design considerations of the platforms we are…blog.hellobloom.io
What we need is a system where users can opt in to connect their wallet to the web. That is exactly what the team at MetaMask have been working on:
We think this flow is a huge improvement for users and developers. We should not be shy about making breaking changes to dapps now: no one is using them.
At Balance, our goal is to make it easier for people to make and use dapps. We recently released WalletConnect, our solution for getting dapps and wallets to talk to each other more easily. A large part of that project is WalletConnect.js, a drop-in library for developers to make it easier for them to add support for lots of wallets to their web-based dapps.
The flow for people logging in to dapps will then be very simple and safe. You can opt in to a dapp, connect your wallet and interact with a dapp. Here is a mockup of what it would look like if you were using CryptoKitties and the Balance Wallet app.
The plan is to introduce this change in stages. As Dan puts it:
I think we also agreed at the WalletConf that it could make sense to ease-in to this breaking change, by allowing end-users (who understand the new expectation of deliberately signing in) to first “enable” full-web3-stealth-mode.
Once we have that live, and enable the “request login” API, hopefully Dapp devs will see the new API as beneficial to migrate to, before we perform a hard break.
We will make sure that WalletConnect.js is ready for developers. You can follow our work at: github.com/walletconnect/walletconnect.js
You can follow the work being done by the MetaMask team here on GitHub issue #714:
Updated March 21, 2018, to reflect latest plans for this feature's implementation: MetaMask currently shows the…github.com
I am really excited to see what you all #BUIDL with these new tools!