2024-09-25 22:37:36
in reply to

ava on Nostr: Amber, especially its offline APK, is likely more secure against session hijacking ...

Amber, especially its offline APK, is likely more secure against session hijacking than nsec app. As a native Android app with offline capability, it sidesteps many network-based vulnerabilities. Nsec app, being web-based, is potentially more exposed to session hijacking risks.

I assume basics are being followed like:

- Using HTTPS to encrypt communication and prevent sniffing.
- Implementing proper session management, including secure session ID generation and handling.
- Using additional security measures like IP binding or user agent checking.
- Regularly expiring and regenerating session IDs.

That said, we'd need to hear directly from the devs about specific safeguards. Even then, the only way to know definitively if the implementation is solid is through a successful exploit, or a thorough independent security audit.

Security audits are expensive, and basically everything built on and for Nostr is still in beta, but, like password managers, security audits are ultimately necessary for greater trust and certainty, especially with everything that gets attached to a user's npub, and to my knowledge, neither has undergone or passed such an audit yet.

I personally use Amber for its offline capabilities and potential security advantages. However, always download from trusted sources and stay cautious, especially on shared networks.

Any input on this would be appreciated. Thank you.
Author Public Key
npub1f6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4kslazcka