Topic: AirGap wallet- Self custody made simple and secure - Protect your crypto offline - page 7. (Read 2541 times)

Currently, we use our own Serializer to encode the data we transfer in an efficient way. It also supports “splitting up” QR codes into multiple chunks, which allows us to transfer transactions with many inputs or outputs that don’t fit into a single QR code.

On our support page, we have a small page that shows a few examples and contains instructions on how the content of the QR codes can be inspected using 3rd party tools. https://support.airgap.it/coinlib/examples/serializer/v2/introduction

A small note here: We’re working on a bigger refactoring of our apps to support Segwit and PSBTs. Once this is done, there will be an option to encode the data in different formats, for example, bc-ur, to be compatible with other watch-only wallets like Electrum or Sparrow.

So that’s just some background information, let’s get to your questions:


We generally assume that the offline device (Vault) can be trusted. If you don’t trust the offline device, you will have to inspect every QR code going from Vault => Wallet yourself (using 3rd party tools) to make sure no sensitive data is leaked. Sadly, this is not as easy as it sounds. By inspecting the contents of a QR code, you might catch some simple attempts to leak private data (eg. if part of the seed is put into the identifier). But sophisticated attacks, for example abusing the “random number” of an ECDSA signature, can leak data in a way that is practically impossible to detect. (See https://core.ac.uk/download/pdf/301367593.pdf). Because air-gapped and offline wallets get more and more popular, we have started a discussion about exactly this issue, but sadly there were no responses so far. Feel free to participate to show other developers that this is an issue we should be looking into: https://github.com/BlockchainCommons/Airgapped-Wallet-Community/discussions/60


Not necessarily. There are advantages and disadvantages to encrypting the messages that are sent between online and offline devices:
   
Advantages:
   

• Privacy (nobody can read the contents of your message)

   
Disadvantages:

• The messages can no longer be inspected by 3rd party tools (at least not with considerable extra work)
• More complexity overall (an additional key/keypair has to be generated for the communication, and it has to be shared between offline and online device)

While encryption obviously also prevents Man-In-The-Middle attacks (if the right encryption is used), this could also be solved by adding a signature to the data. So the only actual benefit of the encryption is that nobody can read its content.

Because of the additional complexity, the downsides regarding verifiability of the messages and no real security advantages, we decided against implementing encrypted messages for now. The thread of a “Man-In-The-Middle” attack is also relatively low in our case, because the communication happens directly between the 2 devices, it is not sent over the network, for example. But we still have it in our backlog to add as an optional feature for those who want it.


While we don’t support your specific use case (we only support BIP39 mnemonics, not private keys), the mnemonics in AirGap Vault are always encrypted, unless they are needed for some action (eg. deriving of the keypair or signing).

Let us know if you have any feedback regarding those points. We’re always happy to have those technical discussions

Can you give a brief explanation how the tx's is being transferred from the Vault to the Wallet? (QR Code) without the source being contaminated or altered using Malware?

Would it not be more secure if the tx's could be encrypted between the source and destination? (To prevent a Man-In-The-Middle attack between the two devices? I have been looking for something like this to sweep coins from a Paper Wallet to a online wallet, but the Private Key must be encrypted at all times. 

m/44'/0'/0'

If you have more questions can you write to us on telegram or any of our support platforms?

So please tell us what exactly BIP standard you are using and what are default derivation paths for Bitcoin generated by Airgap wallet?

The majority of the issues we've experienced from our users not being able to set up the app are related to not having an updated webview.

Yes, you should be able to recover your funds with other wallets as long it supports a 24-word seed phrase. (I think electrum uses something different, I'm not sure though).

Also, the code for AirGap is open source, so the default derivation paths are all there. You can also open the Vault and go to the Add Account screen, toggle the Advanced Mode, and you will see the default derivation path for each protocol.

I saw complains from people on google store claiming they couldn't even use your wallet with Android 5.1, and even if everything looks nice on paper in reality it is not working for all old smarphones.

What I am interested to know is what system and derivation paths are you using for generating seed words and can they be used to recover funds on other wallets like Electrum, Wasabi or other hardware wallets like Trezor?

AirGap is mostly funded by grants from various cryptocurrency foundations.

Since this wallet is open source, but backed by for-profit company, how do you earn income from this wallet? Only commission from exchange feature?


Even if you don't upgrade your device, it already connected to internet. You might as well as upgrade it before perform factory reset to get newer feature and security patches. It's even better if you can find and install custom ROM with newer Android version which have good reputation.

That guide was from 2019, at that point, it was at a beta state.
It is a fully fledge production app now and it is recommended to handle productive funds.

Your site is not as privacy invading as some other sites that claim to be interested in preserving the privacy of its users, but still there are 3 ad trackers and 2 third-party cookies on it.

I have never heard of your brand to be honest. I took a look at the medium article you shared in your latest post and was wondering why does it say that your apps are still in beta and it's not recommended to "handle productive funds with it"?

AirGap requires at least Android 5.0(which is still considered old) and the reason we didn't move further back is that there are some security features that are not available on older devices.

your device will ask for a fingerprint if that's the default security setup you have or pin or pattern as the case may be, so a device without a fingerprint sensor will work perfectly fine.

you can look at the more recent guide from 2019 on how to set up here

dkbit98 raised a good point. Anyone who is going to use AirGap wallet is likely going to use an old mobile with an old Android version especially the mobile for the AirGap Vault. And since it is going to be an arirgapped device it would be better if you makeAirGap Vault compatible with old versions than asking the user to upgrade his device which require an Internet connection.
Also, in this guide on how to create a wallet: https://medium.com/airgap-it/airgap-the-step-by-step-guide-bff36d50a4ed it sais you have yo "Use your fingerprint to store the secret in the secure enclave of the mobile device"! is this mandatory? If yes then what about devices that are not equipped with fingerprint sensors?

AirGap Vault and AirGap Wallet require at least Android 5.0. Make sure that the WebView is updated to the latest version.

I have my old smartphone with Android os version 4.4.2 and I can't turn it into ''hardware wallet'' because i can't install and test this app.

Not really sure what version Airgap is supporting but if they are only supporting new android versions than this story of using old phones is not really true.
I can even read on their google store that even Android 5.1 and Android 8 are not supported, and some user with Android 6 is also having issues.

AirGap is an open-source audited software wallet that turns your old phone into a hardware wallet. it achieves this by using two apps, called AirGap vault and AirGap wallet.

AirGap Vault: AirGap Vault is a blockchain agnostic crypto vault that turns your mobile phone into a cold wallet.

AirGap Vault does not connect to any network, irrespective of the device used. This system built into the app makes it more secure than an ordinary crypto wallet.

Transactions can be signed seamlessly without the use of cables, thanks to verifiable QR codes. This opens up multiple possibilities for interacting with other solutions and also wallets.

The AirGap Vault is currently used alongside other companion apps like AirGap Wallet, MetaMask, Sparrow Wallet, BlueWallet, Specter, and any other QR code-based wallets. These companion apps serve as watch-only wallets that allow users to view portfolios and initiate transactions while the Vault signs transactions and protect your private keys offline.
.

AirGap Wallet: The AirGap Wallet is a watch-only wallet used alongside the AirGap Vault. This separation helps to provide optimum security while handling your funds.

The AirGap Wallet initiates transactions, connects to a network to fetch data from the blockchain, and displays this information within the app as a portfolio overview. The Vault, however, does not connect to any network, irrespective of the device used. The Vault signs transactions and protects your private key securely offline.

About AirGap features

• Store your private key totally offline with maximum security
• MetaMask Support
• Offline Address Overviewl
• Secure input Keyboard
• Coin Flip & Dice Roll
• Offline Key Generation
• BIP39 Passphrase
• Shamir Shares
• Open Source
• BIP85 Child Entropy
• No KYC requirement to be able to convert coin within the application
• Many more...

COIN SUPPORTED

• All EVM-chain when paired with MetaMask
• Bitcoin(BTC)
• Ethereum(ETH) & ERC20
• Aeternity(AE)
• Groestlcoin(GRS)
• Tezos(XTZ) & FA1.2/2
• Cosmos(ATM)
• Polkadot(DOT)
• Kusama(KSM)
• Moonriver(MOVR)
• Shiden(SDN)
• Astar(ASTR)