StellarGuard - Add enhanced security to any Stellar account - Improvements for SBC 7

I've been hard at work on StellarGuard (https://stellarguard.me) since the last build challenge and have continued to make a number of security and usability improvements to make things safer and simpler for our users.

Since the last build challenge I've made over 200 commits and 40 production releases!

Project Description

The purpose of StellarGuard is to provide enhanced security, safety, and privacy for people and businesses who use Stellar. StellarGuard offers users additional protection against hackers, thieves, and insecure wallets by providing a secure and convenient way to add and manage multisignature on their Stellar accounts. StellarGuard adds a unique signing key to a user's account that is managed by the StellarGuard service and allows them to preview, approve, or reject any transactions that are submitted to StellarGuard. Additionally, StellarGuard offers an API for other wallet/tool developers to integrate and submit transactions to StellarGuard.

StellarGuard aims to solve for 3 "P"s: Protection, Prevention, and Privacy.

Protection: StellarGuard was initially conceived in response to the Blackwallet hack. The idea was simple: there must be a way to keep your account safe even if your secret key gets compromised. By making multisig the core safety mechanism in StellarGuard, the user does not have to rely on application-level security of the tools they are using to keep them safe.

Prevention: Through user education and enhanced transaction analysis tools, StellarGuard hopes to help users detect and stop phishing schemes. Additionally, by warning about or blocking transactions that have suspicious destination or transaction characteristics we hope to stop malware like this: https://cointelegraph.com/news/report-2-3-million-bitcoin-addresses-targeted-by-malware-that-hijacks-windows-clipboard (this feature is not yet implemented in StellarGuard, but is on the roadmap).

Privacy: StellarGuard will continue to build tools to help increase privacy when using Stellar, such as https://github.com/stellarguard/secret-memo. Another tool I'd like to invest in is a coin mixing service that can help obfuscate transaction sources.

Changes since SBC 6

I've made the following changes to StellarGuard since the end of SBC 6:

StellarGuard is now open source

This is something I intended to do since I started StellarGuard, but was not able to do it before the end of SBC 6. In the spirit of SBC 7 and my desire to share what I've learned and built in the hopes that others can use it or contribute to it, I've open sourced StellarGuard. I've created a few starter issues and will add more if interest grows.

More Supported Wallets

One of the largest hurdles for StellarGuard is getting support for wallets. Because of the way that multisig works with Stellar, you currently cannot submit a partially-signed transaction to Horizon so that others can sign it later -- each wallet/tool must implement its own way of dealing with multisig transactions. So there was a bit of a chicken and egg problem where we needed wallets to implement submitting transactions to StellarGuard so that we could attract more users, but the wallets don't want to add features that aren't being used by their users.

Thankfully StellarGuard has grown and has proven itself to be trustworthy enough for more wallets to consider adding it. I'm humbled as I see entries to the current SBC that are talking about adding StellarGuard support by default, without any prompting!

With all that said, over the past few months I've worked with several wallet/exchange developers to add StellarGuard support (in alphabetical order):

Fully supported wallets (submit transactions directly to StellarGuard without copy/pasting XDR):

Partially Supported Wallets (allow XDRs to be copied so it can be manually submitted to StellarGuard):

There are several others that are in the works now too but won't be ready for this SBC deadline.

Security Improvements

  • StellarGuard private keys are stored in the database encrypted with Google KMS - this means that even I do not know the encryption/decryption key. Only the actual service account running the code has access to decrypting the keys used to sign your transactions (since the encryption is completely managed by Google KMS).
  • reCAPTCHA added on sign up and sign in to prevent fraudulent sign ups or sign in attempts.
  • Added a CSP header that rejects all scripts not served by StellarGuard or the Google APIs (needed for reCAPTCHA). This significantly reduces the risk of a malicious agent being able to inject scripts.
  • Added HSTS preloading to prevent any damage from the possible hijacking of the stellarguard.me domain (like what happened with BlackWallet).
  • Released a privacy-focused TypeScript/JavaScript library for generating secret/anonymous memos: Stellar Secret Memo

Enhancements to StellarGuard Developer API

I've added several methods to the StellarGuard API and StellarGuard JavaScript SDK. In addition to submitting a transaction, users of the API may also:

  • Receive a link to the authorization page in the submit-transaction response, so that wallets can link to it
  • Fetch the transaction that is used to set up multisig for StellarGuard
  • Activate their Stellar accounts that have StellarGuard multisig activated, thus linking the account to StellarGuard
  • Check whether a given public key is protected by StellarGuard, and which StellarGuard signing public key is associated with it
  • An optional callback url can be provided when submitting a transaction, which will be POSTed to when a transaction is authorized with the transaction result

UX Improvements

  • Pending transaction page - see all pending transactions that need to be approved by StellarGuard
  • Added numerous tutorials for using StellarGuard with various wallets
  • Overall enhanced handling of errors and error messages, and loading states
  • Better support for mobile (less cramped, less overflowing/chopped text)
  • Allow auto-rejecting of Interstellar Exchange transactions when rejected via the Interstellar Exchange UI
  • Updated two-factor auth implementation to generate more secure secrets and QR codes that work better with Google Authenticator for Android

StellarGuard Blog

I've released a series of blog posts aimed at educating users about Stellar, multisig, and StellarGuard:

And more topics are planned!

Improvements Still in progress

I'm currently working on three features that I believe will address two big concerns that people have raised with StellarGuard. I will have them completed by the SBC 7 deadline but wanted to get some feedback from people first.

Feature 1: Allowing you to choose a transaction security mode that is separate from your StellarGuard account security.

Right now users who verify their emails must always enter a code that is sent to their email when approving a transaction, and users who have two factor auth enabled must use it both on sign in and when approving transactions. I've gotten feedback from users that this requirement is not always convenient, and they would like the option of still protecting their StellarGuard accounts with two factor auth, but have the option of dialing down transaction security when necessary (like when they are doing lots of trades in a row).

Here's a screenshot of what the various options will be:

Transaction Security Level

If you have any feedback or concerns about this feature, let me know!

Feature 2: Allowing users to view their StellarGuard Secret Key or Recovery Phrase

One major concern people have raised about StellarGuard is something along the lines of "what if you disappear or StellarGuard shuts down, what do I do?" Although StellarGuard allows you to add backup signers to your account already, it's a bit of a clunky process since you have to supply your secondary public key as a backup signer and many users don't know how to do that.

So I'm taking a page from other wallets and the Ledger Nano and allowing users the option to see their StellarGuard secret key (or possibly the 24 word recovery phrase) during onboarding. They then have the option of storing that themselves so they could remove StellarGuard in the future in the unlikely event that we went down, without involving StellarGuard at all.

My question to the community: do you see any benefit to displaying the 24 word phrase instead of just showing them the secret key? The recovery phrase seems to actually be a bit more of a hassle to store or remember (since it'll end up being more characters). Or have users just become accustomed to having the recovery phrase shown to them?

Feature 3: Enhanced Onboarding

Right now StellarGuard just dumps you onto a dashboard after you register and doesn't really guide you into anything -- you just sort of have to click around until you figure out what to do next. I'm adding an onboarding/sign up wizard to guide you through the setup process.

The steps will be:

  1. Verifying your email
  2. Optionally adding two factor auth
  3. Setting transaction security level
  4. Showing recovery phrase/secret key

Again let me know if there's any feedback you have over this (maybe you hate these sort of setup wizards and could suggest an alternative approach).


That's a wrap!

I'll be posting more screenshots as I finish up Features 1-3 over the next two weeks (they all sort of come together in the onboarding steps, which is why I'm doing all 3 at the same time).

Looking forward to hearing any more feedback or suggestions!
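The threshold rule behind the "Protection" point in the post above (a leaked secret key alone cannot move funds once a StellarGuard signer is on the account), as an added example rather than code from StellarGuard: a small model of how Stellar sums the weights of the keys that signed a transaction against the account's low/medium/high thresholds. The key names, weights and threshold values are constructed placeholders, not real Stellar keys or StellarGuard's actual configuration.

```javascript
// Added example (not StellarGuard's code): a model of Stellar's signer/threshold
// rule, on constructed data, to show why a StellarGuard co-signer protects an
// account whose secret key has leaked.

// Operation categories: payments need the "medium" threshold; changing
// signers or thresholds (set_options) needs "high".
const MEDIUM = 'medium', HIGH = 'high';

// Constructed account, shaped like the `signers` / `thresholds` fields Horizon
// returns. Master key weight 1, StellarGuard signer weight 1, every threshold 2:
// no single key can authorize anything by itself.
const protectedAccount = {
  id: 'G_USER_MASTER_KEY',                           // placeholder, not a real key
  thresholds: { low_threshold: 2, med_threshold: 2, high_threshold: 2 },
  signers: [
    { key: 'G_USER_MASTER_KEY', weight: 1 },
    { key: 'G_STELLARGUARD_SIGNER', weight: 1 },     // placeholder for the key StellarGuard adds
  ],
};

// Same account after the user adds a backup signer they control themselves.
const withBackup = {
  ...protectedAccount,
  signers: [...protectedAccount.signers, { key: 'G_USER_BACKUP_KEY', weight: 1 }],
};

function thresholdFor(account, level) {
  const field = { low: 'low_threshold', medium: 'med_threshold', high: 'high_threshold' }[level];
  return account.thresholds[field];
}

// Stellar's rule: the weights of the distinct account signers that signed are
// summed and must reach the threshold of the transaction's highest-level
// operation. A signature from a key that is not a signer makes the whole
// transaction invalid on the real network (txBAD_AUTH_EXTRA), so it fails here too.
function authorized(account, level, signedBy) {
  const weights = new Map(account.signers.map(s => [s.key, s.weight]));
  let total = 0;
  for (const key of new Set(signedBy)) {            // a duplicate signature counts once
    if (!weights.has(key)) return false;
    total += weights.get(key);
  }
  return total >= thresholdFor(account, level);
}

// Scenario 1: the user's secret key leaks and a thief signs a payment with it alone.
function thiefCanPay() {
  return authorized(protectedAccount, MEDIUM, ['G_USER_MASTER_KEY']);            // false
}

// Scenario 2: the thief tries to remove the StellarGuard signer (set_options, HIGH).
function thiefCanRemoveGuard() {
  return authorized(protectedAccount, HIGH, ['G_USER_MASTER_KEY']);              // false
}

// Scenario 3: the normal flow, user signs and StellarGuard co-signs after approval.
function userWithGuardCanPay() {
  return authorized(protectedAccount, MEDIUM, ['G_USER_MASTER_KEY', 'G_STELLARGUARD_SIGNER']); // true
}

// Scenario 4: StellarGuard is unreachable, but the user kept a backup signer
// (or, with Feature 2, the StellarGuard secret key itself): they can still reach
// HIGH and remove StellarGuard from the account on their own.
function userWithBackupCanRemoveGuard() {
  return authorized(withBackup, HIGH, ['G_USER_MASTER_KEY', 'G_USER_BACKUP_KEY']); // true
}

// Caveat: the weights matter. If the master key's weight were raised to 2, the
// leaked key alone would satisfy every threshold and StellarGuard would add nothing.
function misconfiguredMasterAlone() {
  const weak = {
    ...protectedAccount,
    signers: [{ key: 'G_USER_MASTER_KEY', weight: 2 }, { key: 'G_STELLARGUARD_SIGNER', weight: 1 }],
  };
  return authorized(weak, HIGH, ['G_USER_MASTER_KEY']);                          // true: broken protection
}
```

The last function is the check worth running against any account before trusting a multisig setup: enumerate its signers and thresholds and confirm that no single key the user carries in a hot wallet reaches the medium or high threshold by itself.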

    StellarGuard On feature 2: it’s probably better to do the 24 word phrase considering most people with hardware wallets have gotten used to that

    That would be awesome to have a two-factor authentication similar to what we have on exchanges (code-only). Maybe you could serve some kind of HTML form that we would embed into a secure iframe? It would have to check that the iframe is indeed sandboxed, and would have to display, let's say, a user-chosen quote or sentence to prove it's from you. Not sure if it's actually possible. I think it would make the user experience awesome!

    Anyway keep up the good work, StellarGuard is great.

      MisterTicot Would you mind clarifying what you mean by that? Do you mean the option of having StellarGuard integration/approval embedded directly into the wallet/tool you're using instead of having to go to the StellarGuard website?

        I am going to be focusing heavily on 3rd party integration in the coming months, and something like this is on the top of the list. I want to explore whitelabel solutions around the same time.

        However, I want to take the time to do it right (developer API keys, oauth, etc...), so probably won't have something ready in the near future. But it's coming soonish (TM).

        We would like to build in Native support into our wallet and the dotnet sdk for StellarGuard.

          I've added rudimentary transaction callback support today -- where when submitting a transaction you can specify an optional callback url that is POST'd to on successful transaction authorization and submission.

          POST /api/transactions
          {
            "xdr": "<transaction-xdr>",
            "callback": "https://webhook.site/7753d513-fc9b-488e-b762-c4596b79a3e7"
          }

          And also published version 1.4.1 of the StellarGuard JS SDK with support for it.

          const callback = 'https://webhook.site/7753d513-fc9b-488e-b762-c4596b79a3e7';
          StellarGuardSdk.submitTransaction(transaction, callback);

          You can see the data that gets sent to the callback here: https://webhook.site/#/cc677ade-969d-411e-9b9c-93745f69d37b/407fad2d-a4b3-44e3-a235-d9a32f20c783/0

          10 days later

          I've completed and pushed all 3 of the mentioned features (Onboarding, Transaction Security Level, Recovery Phrase) to https://test.stellarguard.me and will push it to production after a bit more testing. Feel free to get a preview if you have a test account (or sign up for one to try it) and if you do, please let me know what you think.

          I'm also very happy to announce that StellarGuard has 3 more fully supported wallets/tools!

          Stellar Authenticator
          MyStellar.Tools
          Nucleo.fi

          I'll be adding them to the supported wallets page shortly as well as writing up tutorials for each one. Thank you so much for supporting StellarGuard.


          Screenshots of the onboarding flow:

          Email Verification
          Add Authenticator
          Transaction Security Level
          Recovery Phrase Warning
          Recovery Phrase

            StellarGuard

            Just to complete your message: StellarGuard is also supported by cosmic-lib, so when cosmicLink.send() is called and 2FA is enabled the transaction is automatically sent to StellarGuard.

              @mikeyrf
              @MisterTicot

              I've added you to https://stellarguard.me/supported-wallets, let me know if you want any change in the description -- @MisterTicot I didn't know how to word the cosmic.link integration in the description -- any ideas?

              @mikeyrf if you have a logo that looks good in a square I can add it next to the name. I took some screenshots when I was testing it out that I can use in my tutorial. But if you have anything in particular you want me to call out in it, let me know.

              Will work on all 3 tutorials next.

                Hi,
                I just went through your reg process + stellarport and tried it out. Works like a charm :-). Nice valuable addon to have.

                StellarGuard Nice! Nothing in particular to call out about the integration.

                For the logo, use my profile icon on galactic talk (or pull the profile icon from the square image here: https://nucleo.fi/profile/nucleo/).

                Also small typo on the link you provided, it’s Nucleo.fi (not Nucelo.fi)

                  StellarGuard

                  Well, obviously it doesn't fit into supported wallets. There's a little sentence at the end about integrating StellarGuard into wallets, so maybe the mention that cosmic-lib comes with transparent StellarGuard support could go there.

                  I think that ideally you could have a page dedicated to StellarGuard integration with some precise instruction and relevant links that is listed in the footer, on which you could dedicate a few sentences to cosmic-lib. As a developer I would expect to find that kind of information easily, without having to mail the author.

                  (Edit: by the way thank you for adding Stellar Authenticator)

                  Hi,

                  I really like your approach and it would improve the security of my service. So I'm thinking to integrate StellarGuard into my "Timed Payment" Service (https://smartstellar.org).

                  I read your FAQ. I understand I have to check if there is a signer with GCVHEK... and then send the XDR via post.
                  Can I just integrate it, or do I need to know anything more?

                  Regarding the logo, any requirements here? Can I use your logo to signal that this account is protected by your service? Let me know if you would like to look at the solution before I publish anything.
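The wallet-side integration asked about in the last comment (check the account's signers for the StellarGuard key, then send the XDR via POST), together with the callback field from the `POST /api/transactions` reply earlier in the thread, as an added example that is not StellarGuard's, smartstellar's or any wallet's code. The StellarGuard signer key is a placeholder (the real one is the key the FAQ gives; it is elided above), the https://stellarguard.me host for the /api/transactions path is assumed, the account records are constructed, and the injected `post` function stands in for fetch() or the StellarGuard JS SDK so the code runs offline.

```javascript
// Added example (not StellarGuard's code): route a user-signed transaction to
// StellarGuard when the account carries the StellarGuard signer, otherwise to
// Horizon. Keys, host and account records below are placeholders/constructed.

const STELLARGUARD_SIGNER = 'G_STELLARGUARD_SIGNER_PLACEHOLDER';          // placeholder, not the real key
const STELLARGUARD_SUBMIT_URL = 'https://stellarguard.me/api/transactions'; // host assumed; path from the thread

// Constructed Horizon-style account records (shape of GET /accounts/{id}).
const guardedAccount = {
  account_id: 'G_USER_1',
  signers: [
    { key: 'G_USER_1', weight: 1, type: 'ed25519_public_key' },
    { key: STELLARGUARD_SIGNER, weight: 1, type: 'ed25519_public_key' },
  ],
};
const plainAccount = {
  account_id: 'G_USER_2',
  signers: [{ key: 'G_USER_2', weight: 1, type: 'ed25519_public_key' }],
};

// The FAQ check: is the StellarGuard key one of the account's signers?
// A signer with weight 0 is effectively removed, so it does not count.
function isStellarGuardProtected(account) {
  return account.signers.some(s => s.key === STELLARGUARD_SIGNER && s.weight > 0);
}

// Build the JSON body for POST /api/transactions. Only https callbacks are
// accepted: the callback receives the transaction result, and a plain-http
// URL would let anyone on the path read or spoof it.
function buildSubmission(signedXdr, callbackUrl) {
  if (typeof signedXdr !== 'string' || signedXdr.length === 0) {
    throw new Error('missing transaction XDR');
  }
  const body = { xdr: signedXdr };
  if (callbackUrl !== undefined) {
    let parsed;
    try { parsed = new URL(callbackUrl); } catch { throw new Error('callback is not a valid URL'); }
    if (parsed.protocol !== 'https:') throw new Error('callback must use https');
    body.callback = callbackUrl;
  }
  return body;
}

// Route the already user-signed XDR. `post(url, body)` and `horizonSubmit(xdr)`
// are injected so this runs without a network; a wallet would pass fetch-based
// implementations (or call the StellarGuard JS SDK's submitTransaction instead).
function submit(account, signedXdr, { callbackUrl, post, horizonSubmit }) {
  if (isStellarGuardProtected(account)) {
    const body = buildSubmission(signedXdr, callbackUrl);
    return { route: 'stellarguard', response: post(STELLARGUARD_SUBMIT_URL, body) };
  }
  return { route: 'horizon', response: horizonSubmit(signedXdr) };
}

// Offline walk-through with fake transports; returns what each account was routed to.
function demo() {
  const sent = [];
  const fakePost = (url, body) => { sent.push({ url, body }); return { ok: true }; };
  const fakeHorizon = xdr => ({ submitted: xdr });
  const guarded = submit(guardedAccount, 'AAAA...signed-xdr', {
    callbackUrl: 'https://wallet.example/callback',          // constructed callback URL
    post: fakePost,
    horizonSubmit: fakeHorizon,
  });
  const plain = submit(plainAccount, 'BBBB...signed-xdr', { post: fakePost, horizonSubmit: fakeHorizon });
  return { guardedRoute: guarded.route, plainRoute: plain.route, sent };
}
```

One thing to verify before relying on the callback: it is delivered to whatever URL was supplied at submission time, so a wallet should treat the POSTed result as a notification and confirm the transaction's status against Horizon rather than act on the callback body alone.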