ADR‐003: Deprecation of the Signing Phrase Feature - status-im/status-wiki GitHub Wiki
ADR-003: Deprecation of the Signing Phrase Feature
Metadata
- Status: Draft
- Date: 2025-04-03
- Deciders: @volo, @Pedro
- Participants: @Alisher, @0xM3R, @Samuel, @icaro, @campo, @Ben, @Pedro, @felicio.cc
- Context: Status app (Desktop and Mobile)
TL;DR
The Signing Phrase feature is a legacy mechanism intended to help users detect spoofed prompts or signing modals. Based on current threat models, user behaviour, and feedback, the feature no longer provides meaningful protection and will be deprecated.
Context
The Signing Phrase was originally introduced to protect users from phishing attempts by allowing them to recognise authentic signing requests. This was especially relevant in the dapp browser context, where a malicious dapp could potentially spoof a signing modal or password prompt.
However, the effectiveness of this feature relies entirely on users memorising and verifying the phrase before every transaction — something most users do not consistently do. Moreover, the most plausible attack vectors in the Status app today (such as fake UIs within a dapp, lookalike domains, or misleading prompts) are not mitigated by the Signing Phrase. Newer industry practices use dynamic, real-time protections that do not rely on user memorisation.
Threat Model Analysis
The following analysis was conducted by @Samuel to evaluate the Signing Phrase’s effectiveness across common Web3 phishing attack vectors. It played a key role in informing this decision.
| Attack Type | Plausibility | Signing Phrase Helps? |
|---|---|---|
| Fake UI in dapp | ✅ High | ❌ No |
| Lookalike domains | ✅ High | ❌ No |
| Deceptive signing prompt | ✅ High | ❌ No |
| Fake native modal | ❌ Low | 🤔 Maybe |
| Hijacked signing request | ❌ Very low | ❌ No |
| Fake password prompt | ❌ Very low | 🤔 Weakly (in theory) |
Further breakdowns of each attack vector confirmed that the Signing Phrase provides no meaningful protection against the most likely or impactful phishing strategies. In nearly all cases, the phrase either does not appear or relies too heavily on user attentiveness.
See Threat Model Analysis: Signing Phrase Feature for more details.
Decision
We will deprecate and remove the Signing Phrase feature from both the Desktop and Mobile Status apps.
The rationale is:
- The threat model it addresses is either implausible or already mitigated.
- It depends on fragile user behaviour (memorisation and checking).
- Modern alternatives offer better, user-friendly protection.
- No evidence of strong user demand to keep it.
Consequences
Positive
- Simplifies the signing and password UX by removing unnecessary friction.
- Reduces false sense of security.
- Encourages adoption of more effective, modern security mechanisms.
- Reduces code maintenance of a legacy feature.
Negative
- A small subset of users who may rely on the phrase may lose a familiar signal.
- May be perceived as a reduction in security if replacements aren't clearly communicated.
Alternatives Considered
- Retain the feature: Rejected due to low efficacy and UX friction.
- Redesign the feature: Rejected: no version of the static phrase seems effective against modern phishing tactics.
- Replace with dynamic protections: Preferred. This aligns with industry standards (e.g. transaction simulation, domain warnings).
Next Steps
- Remove Signing Phrase support from both Desktop and Mobile in the v2.35+ release.
- Communicate the deprecation clearly in release materials.
- Revive roadmap discussions around:
- Transaction simulation tools (e.g. Tenderly Snap, Alchemy)
- Domain and dapp safety signals
- Native signing previews
- Re-engage with security and product teams to align on implementation priorities.