Status, the first mobile Ethereum client built entirely on peer-to-peer technologies, is aligning with other DApp browsers to implement new interoperability standards, the company announced on September 5, 2018.
End of Ethereum Provider Injection
“The decentralized web can feel more wild west than www. To help advance the ecosystem, Status is aligning with other DApp browsers on new interoperability standards,” the company explained.
The new standard they will be implementing is EIP1102, which they see “as critical to upholding Status’ core principles of privacy and security.”
According to GitHub, EIP1102 is a protocol in which DOM environments expose a read-only provider until the user approves full provider access. The previous generation of Ethereum-enabled DOM environments followed a pattern of injecting a fully-enabled provider into the DOM without user consent.
This pattern put users at risk, as malicious websites could use the provider to view account information and to arbitrarily initiate unwanted Ethereum transactions on the user’s behalf.
Status noted that the first version of the update is already included in Status version 0.9.26 and that the next release would include an improvement per the EIP. The company also said that developer action would be required to maintain compatibility with the Status browser.
New Standard Affects Users and Developers
Status developed and implemented the new protocol in response to a serious security risk their users faced. Their original Ethereum provider enabled DApps to get users’ Ethereum addresses and initiate transactions so that they could trade CryptoStrikers and send Peeps.
However, the company noted that their current method could offer up sensitive information about users’ accounts without their permission – it could expose details about the user’s balance and past transactions, thus allowing bad actors to track individuals.
As of November 2, 2018, all users will have full control over their personal information, and all DApps will need to request permission to access the users’ Ethereum accounts.
Developers will be required to implement a minor change to accommodate the new Status, which will inject a read-only provider.
“Rather than inject a full Ethereum provider and web3 library into the DOM on page load, Status will inject a read-only provider. The web3.js library will no longer be injected at all. Instead, a DApp will need to load the version of web3.js that it requires. And to access user information from the browser, a DApp must asynchronously request the full Ethereum provider,” Rachel Hamlin, the product manager at Status, explained.
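The consent flow described above, sketched as an added example (not code from Status or from the article): a mock browser-side provider that stays read-only until the user approves, and the DApp-side request that handles a refusal. `enable()` is the request call in the published EIP1102 text; `makeGatedProvider`, `call`, `askUser`, `connectWallet` and the sample address are hypothetical names and values constructed for this sketch.

```javascript
// Browser side (mock, constructed for this example): a provider that stays
// read-only until the user approves, as EIP1102 describes.
const PRIVILEGED = new Set(['eth_sendTransaction', 'eth_sign']);

function makeGatedProvider(accounts, askUser) {
  let approved = false;
  return {
    // enable(): resolves with the accounts on approval, rejects on denial.
    async enable() {
      approved = Boolean(await askUser());
      if (!approved) throw new Error('User denied account access');
      return [...accounts];
    },
    // call(): simplified RPC entry point (hypothetical name and shape).
    async call(method) {
      if (method === 'eth_accounts') return approved ? [...accounts] : [];
      if (PRIVILEGED.has(method) && !approved) {
        throw new Error(`${method} requires user approval`);
      }
      return `ok:${method}`; // stand-in for a real node response
    },
  };
}

// DApp side: request access asynchronously, degrade to read-only on refusal.
async function connectWallet(ethereum) {
  if (!ethereum) return { mode: 'none', accounts: [] };
  try {
    const accounts = await ethereum.enable();
    return { mode: 'full', accounts };
  } catch (err) {
    return { mode: 'read-only', accounts: [], reason: err.message };
  }
}

// Constructed demo: one user who declines and one who approves.
async function demo() {
  const addr = '0x' + '11'.repeat(20); // constructed sample address
  const denied = makeGatedProvider([addr], async () => false);
  const granted = makeGatedProvider([addr], async () => true);
  return {
    beforeConsent: await granted.call('eth_accounts'),
    denied: await connectWallet(denied),
    deniedTx: await denied.call('eth_sendTransaction').catch((e) => e.message),
    granted: await connectWallet(granted),
    grantedTx: await granted.call('eth_sendTransaction'),
  };
}

demo().then((result) => console.log(result));
```

Before consent the page sees an empty account list and cannot initiate a transaction, which closes the account-tracking and unwanted-transaction exposure the article describes.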