Mobile Web3 faces catastrophic retention (< 5%) yielding effective acquisition costs of \$500 - \$1,000 per retained user. Existing solutions force an impossible tradeoff: embedded wallets achieve moderate usability but suffer inherent click-jacking vulnerabilities; app wallets maintain security at the cost of 2 - 3% retention due to download friction and context-switching penalties. We present SecureSign, a PWA-based architecture that adapts desktop browser extension security to mobile via EIP-6963 provider sandboxing. SecureSign isolates dApp execution in iframes within a trusted parent application, achieving click-jacking immunity and transaction integrity while enabling native mobile capabilities (push notifications, home screen installation, zero context-switching). Our drop-in SDK requires no codebase changes for existing Web3 applications. Threat model analysis demonstrates immunity to click-jacking, overlay, and skimming attacks while maintaining wallet interoperability across dApps.
翻译:移动Web3面临灾难性的用户留存率(<5%),导致每位留存用户的有效获客成本高达500至1000美元。现有解决方案迫使开发者陷入两难选择:嵌入式钱包虽具备中等可用性,但存在固有的点击劫持漏洞;应用钱包虽能保持安全性,却因下载摩擦和上下文切换惩罚导致用户留存率降低2%至3%。本文提出SecureSign,一种基于渐进式网络应用(PWA)的架构,通过EIP-6963提供程序沙盒技术将桌面浏览器扩展的安全性适配至移动端。SecureSign将去中心化应用(dApp)的执行隔离在可信父应用程序的iframe中,在实现点击劫持免疫和交易完整性的同时,支持原生移动功能(推送通知、主屏幕安装、零上下文切换)。我们的即插即用软件开发工具包(SDK)无需对现有Web3应用程序的代码库进行任何修改。威胁模型分析表明,该系统能免疫点击劫持、覆盖攻击和侧录攻击,同时保持跨dApp的钱包互操作性。
相关内容
微信扫码咨询专知VIP会员