Although open source code enables a kind of “audit” of your product’s security, the benefits are highly dependent on the scale of community involvement, and you are ultimately making it easier for cybercriminals to discover loopholes. Worse still for hardware wallets, vulnerabilities can be exploited to produce counterfeit products running malicious code, and the majority of users won’t use the open source code to verify a device’s authenticity.
In light of the security concerns inherent in releasing source code, Cobo Vault has introduced a different type of “auditability” through the transparency of QR codes. In excluding Bluetooth, Wi-Fi, USB, NFC, and other opaque means of data transmission from our product design, we have made it easy for users to verify that their hardware wallet is not revealing their private keys or other sensitive information in any way.
How Transactions Are Created with the Cobo Vault
The Cobo Vault is an offline storage device (cold end) that cannot construct transactions without the help of an online mobile device (hot end) running the Cobo Vault app. Because private keys are stored on the offline device and remain there the entire way through, the user’s assets won’t be affected if this mobile device is damaged or lost.
Transactions are constructed and signed through QR code communication between a mobile device and the Cobo Vault in the following way:
1. The Cobo Vault mobile app generates a QR code containing the data of a newly created unsigned transaction.
2. The camera on the Cobo Vault (cold end) scans the QR code to obtain the transaction data.
3. The transaction is confirmed on the Cobo Vault touchscreen, signing the transaction and outputting the signed transaction data in the form of a QR code.
4. The camera on the hot end mobile device scans the QR code on the cold end to obtain the signed transaction data.
5. The hot end broadcasts the transaction to the blockchain network.
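The sketch below walks through the first four steps above and shows the kind of check the QR channel makes possible: decoding the cold end's reply and confirming it carries nothing beyond the expected signature for the transaction that was sent. It is an added example, not Cobo Vault code; the JSON payload schema, the function names, and the HMAC stand-in for the wallet's signature are assumptions.

```python
import base64, hashlib, hmac, json

# Assumed schema for this sketch; the real Cobo Vault QR format is not given on the page.
ALLOWED_SIGNED_FIELDS = {"tx_hash", "signature"}

def encode_payload(obj):
    """Serialize to the text that would be rendered as a QR code."""
    return base64.b64encode(json.dumps(obj, sort_keys=True).encode()).decode()

def decode_payload(text):
    return json.loads(base64.b64decode(text))

def tx_hash(tx):
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

def hot_create_unsigned(to, amount, fee):
    """Step 1: hot end builds the unsigned transaction QR."""
    return encode_payload({"to": to, "amount": amount, "fee": fee})

def cold_sign(unsigned_qr, device_key):
    """Steps 2-3: cold end scans, (user confirms on screen), signs, shows a QR."""
    digest = tx_hash(decode_payload(unsigned_qr))
    # HMAC is a stand-in so the sketch runs on the standard library;
    # a real wallet uses an asymmetric signature the hot end can also verify.
    sig = hmac.new(device_key, digest.encode(), hashlib.sha256).hexdigest()
    return encode_payload({"tx_hash": digest, "signature": sig})

def audit_signed_qr(unsigned_qr, signed_qr):
    """Step 4 check: list anything in the cold end's QR beyond the expected reply."""
    findings = []
    signed = decode_payload(signed_qr)
    extra = sorted(set(signed) - ALLOWED_SIGNED_FIELDS)
    if extra:
        findings.append(f"unexpected fields: {extra}")
    if signed.get("tx_hash") != tx_hash(decode_payload(unsigned_qr)):
        findings.append("reply does not match the transaction that was sent")
    return findings

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample, used only inside cold_sign()
    unsigned = hot_create_unsigned("constructed-address-1", 150000, 500)
    print(audit_signed_qr(unsigned, cold_sign(unsigned, key)))  # clean reply
```

An empty findings list means the reply contained only the two expected fields and is bound to the transaction the hot end created.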
More information on auditing the code is here:
https://medium.com/cobo-vault/ever-wondered-what-your-hardware-wallet-inputs-and-outputs-ac78ec3ce331?source=activity---post_recommended