BlockEQ Stellar Wallet & Password AutoFill
How a development tool became our newest feature
At BlockEQ, one of our primary goals is to provide a secure, usable and well-designed Stellar wallet to people who are a part of the Stellar ecosystem. One of the highest priority features for our wallets is to allow existing wallet users to import their wallets with our iOS mobile application.
This meant that we had to support importing a wallet through the 56-character secret seed. While implementing support for the feature, we found ourselves constantly having to switch into a password manager, copy a mnemonic to the clipboard, and paste it into the wallet recovery screen. That certainly beats typing it, but can still take upwards of 30 seconds to complete. It doesn’t seem so bad if you’re only doing it for a single recovery, but when you are vigorously testing a feature, those precious seconds add up quickly.
In order to expedite the process, we needed a more fluid way to select a mnemonic or secret key. Copy and pasting sensitive information is also a serious security risk — we want to limit the possibility for other applications (or websites) to read the sensitive contents of the clipboard, or have the user accidentally paste it somewhere unintended.
At WWDC in June, Apple expanded their SharedWebCredentials API to add support Password AutoFill extensions provided by third parties, like 1Password. This was the perfect debug tool for us — we discovered we could integrate Password AutoFill, and use the associated domain entitlement to make the iOS app aware of our organization.
It didn’t take us very long to realize that if we had concerns about security and wanted more convenience when recovering wallets, so would our users. After some discussion, we decided that allowing our users to use the feature was actually more secure than the alternative they currently had — using the clipboard.
Overall, it is a definite quality-of-life improvement for our app.
How Our Users Benefit
People who use the wallet gain a lot of the benefits described above:
- Fast wallet switching for mnemonics or keys saved to the keychain
- An immediate opportunity to record the mnemonic or secret seed when creating a wallet, helping avoid potential losses
- Prevents copying sensitive data to the clipboard, which can be subject to attacks or user error
The Technical Bits
The wallet takes advantage of some iOS 11 & 12 features that allow filling password fields from the keychain and allows integration of third-party AutoFill extensions.
We updated our wallet recovery view controller to indicate that the UITextField supported being populated, and added the Associated Domains entitlement to our Xcode project. This uses the .well-known directory of our website indicate to the iOS application that we are the developers of the app and that passwords associated with our domain can be populated inside it.
Finally, the SharedWebCredentials API is used to securely store a mnemonic or secret seed in hardware, but never to request it — we let iOS handle the field population via setting the textContentType = .password.
For the adventurous readers, we welcome you to check out the iOS project repository, as our wallets are all open-sourced!
Thank you for reading and supporting BlockEQ and our wallets!
You can download the iOS wallet for your iOS device on the iOS App Store.
You can download it for your Android phone on the Google Play Store.
You can download it for your desktop from our website.
