Web3js – DApp Sign Transactions on Mobile and Transfer to Server for Web Security


I'm currently developing an app for iOS and Android using React Native where users will have a wallet, made using: https://www.npmjs.com/package/ethereumjs-wallet-react-native. They then are able to sign and send transactions to my Web API using this: https://github.com/ethereumjs/ethereumjs-tx.

I'm by no means an expert on Web security, but the server I'm using uses HTTPS for the communications between client and server. I was wondering what the possible security implications of the specified procedure could be.

Steps:

  1. User creates wallet and stores private key on device.
  2. User creates transaction and signs the transaction on the device.
  3. User sends signed transaction over HTTPS to my WebAPI.
  4. My WebAPI sends it onto the blockchain.

Additionally, I'd like to create some way for users to be able to retrieve their wallets should the device get corrupted somehow. I can't think of a particularly secure way of doing this. Unless, when I store the private key on the keychain (or similar for Android), does Apple / Android manage the recovery? For example, if I log in on one device and then log in on another device will it use the same private key?

Thanks in advance and I appreciate your help.

Best Answer

As long as you sign the transaction on the device and transmit only the signed transactions, you have met the baseline security requirements any other wallet would have deployed. If you haven't looked at infura.io, I suggest checking that, as it mimics your WebAPI functionality (works as a broker).
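Because the WebAPI in step 4 only relays what the device already signed, its main job is to refuse anything it should not broadcast. The following is an added example, not code from the question, the answer, or ethereumjs-tx: it parses a signed legacy transaction's RLP and applies relay policy (EIP-155 chain-id replay protection, no contract creation, gas and value caps); `checkSignedTx`, `policy`, and the sample transaction are hypothetical, and secp256k1 signature verification is still left to the node or library.

```javascript
// Added example (not code from the question or answer): checks a relaying WebAPI
// can run on a signed legacy tx before broadcasting it. Signature verification is
// still done by the node / ethereumjs-tx; this parses the RLP and enforces policy.
function rlpDecode(buf, pos = 0) {
  const b = buf[pos];
  if (b < 0x80) return [buf.subarray(pos, pos + 1), pos + 1]; // a single byte encodes itself
  const isList = b >= 0xc0, longForm = isList ? b >= 0xf8 : b >= 0xb8;
  let ll = 0, len = b - (isList ? 0xc0 : 0x80);
  if (longForm) { // payload length is itself encoded in the next ll bytes
    ll = b - (isList ? 0xf7 : 0xb7);
    len = parseInt(buf.subarray(pos + 1, pos + 1 + ll).toString('hex'), 16);
  }
  const start = pos + 1 + ll, end = start + len;
  if (!isList) return [buf.subarray(start, end), end];
  const items = [];
  for (let p = start; p < end; ) { const [item, next] = rlpDecode(buf, p); items.push(item); p = next; }
  return [items, end];
}
const toInt = (b) => (b.length === 0 ? 0n : BigInt('0x' + b.toString('hex')));
function checkSignedTx(rawHex, policy) {
  const buf = Buffer.from(rawHex.replace(/^0x/, ''), 'hex');
  const [fields, end] = rlpDecode(buf);
  if (!Array.isArray(fields) || fields.length !== 9 || end !== buf.length) return 'malformed: expected 9 RLP fields';
  const [, , gasLimit, to, value, , v] = fields; // nonce, gasPrice, data, r, s are left to the node
  const vInt = toInt(v);
  // EIP-155: v = chainId * 2 + 35 or 36. A pre-EIP-155 v of 27/28 carries no chain id, so the tx replays on other chains.
  if (vInt < 35n) return 'rejected: no EIP-155 replay protection';
  const chainId = (vInt - 35n) / 2n;
  if (chainId !== policy.chainId) return `rejected: chain id ${chainId} != ${policy.chainId}`;
  if (to.length !== 20) return 'rejected: contract creation not allowed';
  if (toInt(gasLimit) > policy.maxGas) return 'rejected: gas limit too high';
  if (toInt(value) > policy.maxValueWei) return 'rejected: value above limit';
  return 'ok';
}
// Minimal RLP encoder, used only to build the constructed sample below.
function rlpEncode(item) {
  if (!Array.isArray(item)) return item.length === 1 && item[0] < 0x80 ? item : Buffer.concat([prefix(item.length, 0x80), item]);
  const body = Buffer.concat(item.map(rlpEncode));
  return Buffer.concat([prefix(body.length, 0xc0), body]);
}
function prefix(len, off) {
  if (len < 56) return Buffer.from([off + len]);
  const hex = len.toString(16), lb = Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex');
  return Buffer.concat([Buffer.from([off + 55 + lb.length]), lb]);
}
// Constructed sample (placeholder r/s, not a real signature): nonce 0, 1 gwei, 21000 gas, 1 ether to a dummy address.
function sampleTx(vHex) {
  const h = (s) => Buffer.from(s, 'hex');
  return rlpEncode([h(''), h('3b9aca00'), h('5208'), h('11'.repeat(20)), h('0de0b6b3a7640000'),
    h(''), h(vHex), h('aa'.repeat(32)), h('bb'.repeat(32))]).toString('hex');
}
```

Passing `sampleTx('25')` (v = 37, chain id 1) with a chain-id-1 policy returns `'ok'`, while `sampleTx('1b')` (v = 27) is rejected for lacking replay protection.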
