• Stars
    star
    393
  • Rank 109,518 (Top 3 %)
  • Language
    TypeScript
  • License
    MIT License
  • Created over 6 years ago
  • Updated about 1 month ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The AirGap Vault is installed on a spare smartphone that has no connection to any network, thus it is air gapped. This app handles the private key.

AirGap Vault

Self custody made simple and secure. Protect your crypto and store your private keys offline.

AirGap is a crypto wallet system that lets you secure cypto assets with one secret on an offline device. The AirGap Vault application is installed on a dedicated device that has no connection to any network, thus it is air gapped. The AirGap Wallet is installed on your everyday smartphone.

Description

AirGap Vault is responsible for secure key generation. Entropy from audio, video, touch and accelerometer are used together with the output of the hardware random number generator. The generated secret is saved in the secure enclave of the device, only accessible by biometric authentication. Accounts for multiple protcols can be created. Transactions are prepared by the AirGap Wallet and then transferred to the offline device via QR code, where it is signed and sent back to the Wallet using another QR code.

AirGap Vault is a hybrid application (using the same codebase for Android and iOS). Created using AirGap's protocol agnostic airgap-coin-lib library to interact with different protocols and our own secure storage implementation.

Download

Features

  • Secure secret generation with added entropy from audio, video, touch and device accelerometer
  • Secure storage using the secure enclave of the device, accessible only by biometric authenticaiton
  • Secure, one-way communication with AirGap Wallet over QR codes or URL-Schemes (app switching)
  • Create accounts for all supported currencies like Aeternity, Bitcoin, Ethereum, Tezos, Cosmos, Kusama, Polkadot, Groestlcoin etc.
  • Sign transactions offline without the secret ever leaving your device

Security

The security concept behind air-gapped systems is to work with two physically separated devices, one of which has no connection to the outside world or any network. In the context of AirGap, the component which has no internet connection is the AirGap Vault. The two components, AirGap Vault and AirGap Wallet, communicate through one-way communication using QR codes.

Key Generation

The entropy seeder uses the native secure random generator provided by the device and concatenates this with the sha3 hash of the additional entropy (audio, video, touch, accelerometer). The rationale behind this is:

  • The sha3 hashing algorithm is cryptographically secure, such that the following holds: entropy(sha3(secureRandom())) >= entropy(secureRandom())
  • Adding bytes to the sha3 function will never lower entropy but only add to it, such that the following holds: entropy(sha3(secureRandom() + additionaEntropy)) >= entropy(sha3(secureRandom()))
  • By reusing the hash of an earlier "round" as a salt, we can incorporate the entire collected entropy of the previous round
  • Native secure random cannot be fully trusted because there is no API to check the entropy pool it's using

The algorithm being used for the entropy seeding:

const ENTROPY_BYTE_SIZE = 256
let entropyHashHexString = null

function toHexString(array) {
  return array
    .map(function (i) {
      return ('0' + i.toString(16)).slice(-2)
    })
    .join('')
}

function seedEntropy(additionalEntropyArray) {
  const secureRandomArray = new Uint8Array(ENTROPY_BYTE_SIZE)
  window.crypto.getRandomValues(secureRandomArray)
  console.log(entropyHashHexString + toHexString(secureRandomArray) + toHexString(additionalEntropyArray))
  entropyHashHexString = sha3_256(entropyHashHexString + toHexString(secureRandomArray) + toHexString(additionalEntropyArray))
  return entropyHashHexString
}

Supply Chain Attacks

In the past years, mutliple cryptocurrency wallets have been targeted by attackers to try and steal users funds. One common attack vector is the supply chain attack. In this attack, the attacker tries to compromise a dependency that is used in the wallet and use it to inject malicious code. At AirGap, we take utmost care of evaluating the dependencies we use. We have also introduced a system that separates the dependencies used during testing and development from the dependencies that are used to build and run the project. This reduces the risk of malicious code injection during the build and test steps.

Verifiable Builds

A very important property of any open source wallet is reprucibility. This means that executable that is downloaded from the Play Store or App Store can be exactly reproduced by compiling the open source code. If this is not the case, it means that there is hidden or removed code in the published version that is not visible in the published source code.

The project WalletScrutiny examines a wide variety of cryptocurrency wallets to determine their reproducibility. We're happy to say that AirGap Vault was one of the first wallets to be marked as "reproducible".

Security Audits

The application as a whole, as well as multiple components, have been audited by different third party companies.

All audits have found no way of extracting the private key from AirGap Vault.

The reports will be released once all the findings have been resolved.

Build

First follow the steps below to install the dependencies:

$ npm install -g @capacitor/cli
$ npm install

Run locally in browser:

$ npm run start

Build and open native project

$ npm run build
$ npx cap sync

You can now open the native iOS or Android projects in XCode or Android Studio respectively.

$ npx cap open ios
$ npx cap open android

Testing

To run the unit tests:

$ npm run install-test-dependencies
$ npm test
$ npm run install-build-dependencies

Translations

We use Transifex for the application translations.

If you want to contribute with translating the application you can do so by going to the AirGap Transifex page.

Updating translations

To import the translations from Transifex to the application, first you will need to install the transifex-cli. You can do so by creating a directory of your choice and intalling in it the package globally by running:

curl -o- https://raw.githubusercontent.com/transifex/cli/master/install.sh | bash

You can now restart the terminal and check if it is installed by running:

tx --version

Every available language can be found in src/assets/i18n/<lang>.json where each json file corresponds to a different language. You can now import the updated translations from Transifex by running:

tx pull

This will update all the local translations with the updated ones automatically.

If you want to send new variables from the default language file to transifex, you can do so by running:

tx push

Disclosing Security Vulnerabilities

If you discover a security vulnerability within this application, please send an e-mail to [email protected]. All security vulnerabilities will be promptly addressed.

Contributing

Before integrating a new feature, please quickly reach out to us in an issue so we can discuss and coordinate the change.

  • If you find any bugs, submit an issue or open pull-request.
  • If you want to integrate a new blockchain, please read the contributing guidelines in the airgap-coin-lib project.
  • Engage with other users and developers on the AirGap Telegram.

Related Projects

More Repositories

1

airgap-wallet

The AirGap Wallet is installed on an everyday smartphone. This app has only access to public information.
TypeScript
449
star
2

airgap-coin-lib

A library that offers a unified API to prepare, sign and broadcast multiple cryptocurrencies.
TypeScript
143
star
3

beacon-sdk

The beacon sdk allows developers of dApps and wallets on Tezos to implement the wallet interaction standard tzip-10.
TypeScript
100
star
4

tezblock

tezblock is a block explorer for Tezos.
TypeScript
29
star
5

airgap-distro

Bootable live usb/cd linux distribution containing AirGap Vault.
Shell
25
star
6

tezos-rust-sdk

Rust
20
star
7

beacon-node

Reference setup and docker image of the Beacon Node for the Tezos wallet interaction standard
Python
12
star
8

airgap-raspberry-apk-signer

Modified Raspberry Pi Image to sign your APK in the most secure way (airgapped).
Shell
11
star
9

beacon-android-sdk

The beacon sdk allows Android developers of dApps and wallets on Tezos to implement the wallet interaction standard tzip-10.
Kotlin
10
star
10

spire

Spire is a browser extension for Tezos that supports multiple singing methods like Ledger and Beacon-enabled wallets.
TypeScript
9
star
11

beacon-ios-sdk

The beacon sdk allows iOS developers of dApps and wallets on Tezos to implement the wallet interaction standard tzip-10.
Swift
8
star
12

airgap-web-signer

Standalone (offline) transaction signer to host on an air gapped machine
JavaScript
7
star
13

airgap-cli-signer

Standalone (offline) transaction signer to sing a transaction in the console on an air gapped machine Edit Add topics
JavaScript
6
star
14

airgap-sapling

Rust
5
star
15

tezos-metamask-snap

TypeScript
5
star
16

beacon-vue-example

An small vue app showcasing the integration of the beacon-sdk.
Vue
5
star
17

tezos-snaps-wallet

A wallet for the Tezos MetaMask Snap
TypeScript
4
star
18

CMTAT-FA2

Python
4
star
19

beacon-docs

MDX
4
star
20

beacon-example-dapp

An example dApp on tezos using the beacon sdk to communicate with your wallet and the landing page for beacon.
HTML
4
star
21

beacon-debug-wallet

Beacon Debug Wallet is a watch-only wallet for developers to debug Beacon enabled dApps.
TypeScript
4
star
22

airgap-angular-components

A library of angular components and services that are used in both AirGap Wallet and AirGap Vault
TypeScript
3
star
23

tzwrapped-generic-multisig

Python
2
star
24

tezos-standards

tentative repository for the tezos wallet interaction standard
2
star
25

tezos-kotlin-sdk

Kotlin
2
star
26

cordova-plugin-airgap-secure-storage

Cordova Secure Storage Plugin for Android & iOS.
Kotlin
2
star
27

beacon-notification-backend

TypeScript
2
star
28

airgap-docs

Help Center and Documentation of AirGap Vault and AirGap Wallet
MDX
1
star
29

ibcf

TypeScript
1
star
30

ur-registry-xtz

Offline signing standard for Tezos
TypeScript
1
star
31

tezos-swift-sdk

Swift
1
star
32

airgap-community

Tools and libraries built for AirGap by 3rd party developers
JavaScript
1
star