- Add DappBrowser protection for browsing non-whitelisted sites.
- Lock DeveloperOverride with warning page.
JamesSmartCell committed Nov 30, 2024
1 parent aa109b9 commit 8a2ff5a
Showing 13 changed files with 106 additions and 3 deletions.
2 changes: 1 addition & 1 deletion app/src/main/assets/dapps_list.json
@@ -1,6 +1,7 @@
[
{"name": "TokenScript", "description": "Smart Token Labs TokenScript Viewer", "url": "https://viewer.tokenscript.org/", "category": "Infrastructure"},
{"name": "SmartLayer", "description": "Smart Token Labs Smart Layer Network", "url": "https://smartlayer.network", "category": "Infrastructure"},
{"name": "TLink", "description": "Smart Token Labs TLink", "url": "https://tlink.store/", "category": "Infrastructure"},
{"name": "X", "description": "Social Media", "url": "https://x.com", "category": "Social Media"},
{"name": "Aave", "description": "A decentralized non-custodial liquidity protocol where users can participate as depositors or borrowers", "url": "https://app.aave.com/", "category": "Finance"},
{"name": "Tbull", "description": "A Utility Token on Binance Smart Chain for Payments for Services", "url": "tbull.live", "category": "Utility"},
Expand Down Expand Up @@ -40,7 +41,6 @@
{"name": "SmartDrops", "description": "A platform that lets people earn crypto by joining new token projects.", "url": "https://www.smartdrops.io/", "category": "Tool"},
{"name": "xDai Bridge", "description": "xDai/Ethereum bridge for self transfers of Dai to xDai", "url": "https://dai-bridge.poa.network/", "category": "Tool"},
{"name": "Alfacash", "description": "Trade crypto instantly. ETH, BTC, XRP and 30+ other coins and tokens", "url": "https://www.alfa.cash/", "category": "Exchange"},
{"name": "0x Instant", "description": "A free and flexible way to offer simple crypto purchasing", "url": "http://0x-instant-staging.s3-website-us-east-1.amazonaws.com/", "category": "Exchange"},
{"name": "KyberSwap", "description": "Instant and Secure Token to Token Swaps", "url": "https://kyber.network/swap/eth_knc", "category": "Exchange"},
{"name": "Kyber Migration Portal", "description": "Migration portal to upgrade legacy KNC to ERC-20 KNC tokens", "url": "https://kyber.org/migrate", "category": "Token Migration"},
{"name": "localethereum", "description": "Peer-to-peer marketplace allowing to trade eth to fiat", "url": "https://localethereum.com/", "category": "Exchange"},
Expand Up @@ -159,9 +159,46 @@ private void initializeSettings()
tokenScriptViewer.setToggleState(viewModel.getTokenScriptViewerState());
}

@FunctionalInterface
public interface Callback
{
void onResult(boolean choice);
}

private void onDeveloperOverride()
{
viewModel.toggleDeveloperOverride(developerOverride.getToggleState());
boolean developerOverrideState = developerOverride.getToggleState();
if (developerOverrideState)
{
//display warning popup
showWarningPopup(R.string.developer_override_warning, result -> {
viewModel.toggleDeveloperOverride(result);
developerOverride.setToggleState(result);
});
}
else
{
viewModel.toggleDeveloperOverride(developerOverride.getToggleState());
}
}

private void showWarningPopup(int message, Callback callback)
{
AWalletAlertDialog dialog = new AWalletAlertDialog(this);
dialog.setIcon(AWalletAlertDialog.WARNING);
dialog.setTitle(R.string.warning);
dialog.setMessage(message);
dialog.setButtonText(R.string.i_accept);
dialog.setButtonListener(v -> {
callback.onResult(true);
dialog.dismiss();
});
dialog.setSecondaryButtonText(R.string.action_cancel);
dialog.setSecondaryButtonListener(v -> {
callback.onResult(false);
dialog.dismiss();
});
dialog.show();
}

private void onFullScreenClicked()
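Review bot: `onDeveloperOverride()` switches the override on before the user has accepted anything: its first statement, `viewModel.toggleDeveloperOverride(developerOverride.getToggleState());`, persists the toggle's new value, and the warning dialog only corrects it afterwards through the callback. While the dialog is showing the protection is already off, and if `AWalletAlertDialog` can be dismissed without pressing either button (back press, outside tap — not visible here) it stays off while the switch reads as on. Delete that first statement so the only write that enables the override is the `callback.onResult(true)` path, leaving the `else` branch as the off path; if the dialog class exposes `setCancelable(false)` or an on-dismiss hook, use it so the cancel path is explicit rather than implied. The nested `Callback` interface duplicates `java.util.function.Consumer<Boolean>`, which the file could use instead.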
14 changes: 14 additions & 0 deletions app/src/main/java/com/alphawallet/app/ui/DappBrowserFragment.java
@@ -1,5 +1,6 @@
package com.alphawallet.app.ui;

import static com.alphawallet.app.C.ALPHAWALLET_WEB;
import static com.alphawallet.app.C.ETHER_DECIMALS;
import static com.alphawallet.app.C.RESET_TOOLBAR;
import static com.alphawallet.app.entity.tokens.Token.TOKEN_BALANCE_PRECISION;
Expand Down Expand Up @@ -1485,10 +1486,22 @@ public void onWebpageLoadComplete()

private boolean loadUrl(String urlText)
{
requireContext();
AnalyticsProperties props = new AnalyticsProperties();
props.put(Analytics.PROPS_URL, urlText);
viewModel.track(Analytics.Action.LOAD_URL, props);

// ensure the URL is whitelisted, that is it is featured in the dapp list, and check if the app is in developer override mode
if (!viewModel.getDeveloperOverrideState(getContext()) && !DappBrowserUtils.isInDappsList(this.getContext(), urlText))
{
//reset url string back to AlphaWallet
setUrlText(ALPHAWALLET_WEB);

//display a warning dialog
displayError(R.string.title_dialog_error, R.string.not_recommended_to_visit);
return false;
}

detachFragments();
addToBackStack(DAPP_BROWSER);
cancelSearchSession();
Expand All @@ -1500,6 +1513,7 @@ else if (handlePrefix(urlText))
{
return true;
}

web3.resetView();
web3.loadUrl(Utils.formatUrl(urlText));
setUrlText(Utils.formatUrl(urlText));
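Review bot: The allowlist check inserted before `detachFragments()` guards only URLs that enter through `loadUrl()`; nothing in this hunk applies `DappBrowserUtils.isInDappsList()` to navigations the loaded page itself starts (link clicks, redirects, `window.open`) inside `web3`, so a listed site that links out or is redirected lands on an arbitrary domain with no warning. Unless the WebViewClient's `shouldOverrideUrlLoading` already funnels every navigation back through `loadUrl()` (not visible here), it should run the same `getDeveloperOverrideState` / `isInDappsList` test. The check also precedes `handlePrefix(urlText)` at the top of the next hunk, so any non-URL input that handler would otherwise consume is now rejected as "not whitelisted"; placing the allowlist test after the prefix handling, and testing the same `Utils.formatUrl(urlText)` value that is finally passed to `web3.loadUrl`, keeps the gate and the load consistent. `loadUrl()` continues past the end of the hunk.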
18 changes: 18 additions & 0 deletions app/src/main/java/com/alphawallet/app/util/DappBrowserUtils.java
Expand Up @@ -13,6 +13,7 @@

import com.alphawallet.app.C;
import com.alphawallet.app.entity.DApp;
import com.google.android.gms.common.util.HttpUtils;
import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;

Expand Down Expand Up @@ -253,6 +254,23 @@ public static List<DApp> getDappsList(Context context)
return dapps;
}

public static boolean isInDappsList(Context context, String candidateURL)
{
List<DApp> knownDapps = getDappsList(context);
//strip the URL to get only the domain
String candidateDomain = Utils.getDomainName(candidateURL);

for (DApp dapp : knownDapps)
{
String thisDomain = Utils.getDomainName(dapp.getUrl());
if (candidateDomain.equals(thisDomain))
{
return true;
}
}
return false;
}

private static void saveHistory(Context context, List<DApp> history)
{
if (context != null)
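Review bot: `isInDappsList()` calls `candidateDomain.equals(thisDomain)` on whatever `Utils.getDomainName(candidateURL)` returns; if that helper yields null for input that is not a URL (its body is not shown), the new gate in the browser throws instead of blocking, so compare with `Objects.equals(candidateDomain, thisDomain)` or return false early when `candidateDomain == null`. Host names are case-insensitive, so unless `getDomainName()` lowercases, `https://X.com` is refused while `https://x.com` is allowed; `equalsIgnoreCase` avoids that. Whether this is an exact-host or registrable-domain match depends entirely on `getDomainName()`, and now that the list is a security boundary that contract deserves a comment on the method, e.g. `// NOTE(review): relies on Utils.getDomainName for host vs. registrable-domain semantics — confirm a listed https://app.aave.com/ does not admit other aave.com hosts`. The import `com.google.android.gms.common.util.HttpUtils` added at the top of the file is unused by the new method and pulls a Play Services internal class into this util; drop it.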
@@ -1,6 +1,7 @@
package com.alphawallet.app.viewmodel;

import static com.alphawallet.app.C.Key.WALLET;
import static com.alphawallet.app.repository.SharedPreferenceRepository.DEVELOPER_OVERRIDE;
import static com.alphawallet.app.util.Utils.isValidUrl;

import android.app.Activity;
Expand Down Expand Up @@ -481,4 +482,9 @@ public GasService getGasService()
{
return gasService;
}

public boolean getDeveloperOverrideState(Context context)
{
return PreferenceManager.getDefaultSharedPreferences(context).getBoolean(DEVELOPER_OVERRIDE, false);
}
}
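Review bot: `getDeveloperOverrideState(Context)` reads the flag straight from `PreferenceManager.getDefaultSharedPreferences` using `SharedPreferenceRepository.DEVELOPER_OVERRIDE`, while the settings screen writes it through `viewModel.toggleDeveloperOverride(...)`; if this ViewModel already receives the preference repository (the pattern the imported constant's owner suggests, not visible here), a repository getter such as `isDeveloperOverride()` keeps the read and write paths in one place and lets the fragment stop passing a `Context`. The `false` default is the right fail-safe direction (protection stays on until explicitly disabled) and is worth stating in a one-line Javadoc: `/** True when the user has accepted the developer override in Advanced settings; defaults to false so the allowlist stays enforced. */`.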
4 changes: 4 additions & 0 deletions app/src/main/res/values-es/strings.xml
Expand Up @@ -996,4 +996,8 @@
<string name="override_warning_text">Es posible que esté a punto de firmar una transacción sin saberlo, lo que podría vaciar sus fondos. Es posible que desee firmar el código de bytes como desarrollador y puede anular esta advertencia si configura el modo de desarrollador en la configuración avanzada.</string>
<string name="constructor">Constructor</string>
<string name="use_tokenscript_viewer">Visor de TokenScript</string>
<string name="not_recommended_to_visit">Esta URL no está en la lista blanca. Aún es posible visitarla modificando las opciones de protección en la configuración, pero no se recomienda. Podrías estar a punto de perder tus fondos, especialmente si se trata de una inversión en minería de criptomonedas. Hay muchos sitios de inversión en criptomonedas regulados.</string>
<string name="developer_override_warning">Advertencia: estás a punto de desactivar la protección estándar. Esto evita que te estafen. Utiliza el modo de desarrollador solo si estás probando tu dapp o si estás 100 % seguro de que el sitio es seguro. Recuerda: si alguien te dice que actives esta configuración, es casi seguro que perderás tus fondos de criptomonedas.</string>
<string name="warning">Advertencia</string>
<string name="i_accept">Acepto el riesgo</string>
</resources>
4 changes: 4 additions & 0 deletions app/src/main/res/values-fr/strings.xml
Expand Up @@ -1010,4 +1010,8 @@
<string name="override_warning_text">Vous êtes peut-être sur le point de signer sans le savoir une transaction, ce qui pourrait vider vos fonds. Vous souhaiterez peut-être signer le bytecode en tant que développeur et vous pouvez ignorer cet avertissement si vous définissez le mode développeur dans les paramètres avancés.</string>
<string name="constructor">Constructor</string>
<string name="use_tokenscript_viewer">Visionneuse TokenScript</string>
<string name="not_recommended_to_visit">Cette URL n\'est pas sur liste blanche. Il est toujours possible de la visiter en modifiant les options de protection dans les paramètres, mais cela n\'est pas recommandé. Vous pourriez être sur le point de perdre vos fonds, surtout s\'il s\'agit d\'un investissement dans le minage de crypto-monnaies. Il existe de nombreux sites d\'investissement en crypto-monnaies réglementés.</string>
<string name="developer_override_warning">Attention : vous êtes sur le point de désactiver la protection standard. Cela vous évite de vous faire arnaquer. N\'utilisez le mode développeur que si vous testez votre dapp ou si vous êtes sûr à 100 % que le site est sûr. N\'oubliez pas : si quelqu\'un vous dit d\'activer ce paramètre, vous êtes presque certainement sur le point de perdre vos fonds cryptographiques.</string>
<string name="warning">Attention</string>
<string name="i_accept">J\'accepte le risque</string>
</resources>
4 changes: 4 additions & 0 deletions app/src/main/res/values-id/strings.xml
Expand Up @@ -1001,4 +1001,8 @@
<string name="override_warning_text">Anda mungkin tanpa sadar menandatangani transaksi, yang dapat mengosongkan dana Anda. Anda mungkin ingin menandatangani bytecode sebagai pengembang, dan Anda dapat mengabaikan peringatan ini jika Anda menyetel mode pengembang di Setelan lanjutan.</string>
<string name="constructor">Constructor</string>
<string name="use_tokenscript_viewer">Penampil TokenScript</string>
<string name="not_recommended_to_visit">URL ini tidak masuk daftar putih. Anda masih dapat mengunjunginya dengan mengubah opsi perlindungan di pengaturan, tetapi tidak disarankan. Anda bisa kehilangan dana, terutama jika itu adalah investasi dalam penambangan kripto. Ada banyak situs investasi kripto yang teregulasi.</string>
<string name="developer_override_warning">Peringatan: Anda akan menonaktifkan perlindungan standar. Ini mencegah Anda dari penipuan. Gunakan mode pengembang hanya jika Anda sedang menguji dapp Anda, atau jika Anda 100% yakin bahwa situs tersebut aman. Ingat: jika seseorang memberi tahu Anda untuk mengaktifkan pengaturan ini, Anda hampir pasti akan kehilangan dana kripto Anda.</string>
<string name="warning">Peringatan</string>
<string name="i_accept">Saya menerima risikonya</string>
</resources>
4 changes: 4 additions & 0 deletions app/src/main/res/values-my/strings.xml
Expand Up @@ -1031,4 +1031,8 @@
<string name="override_warning_text">သင့်ငွေများကို အချည်းနှီးဖြစ်စေနိုင်သည့် ငွေပေးငွေယူတစ်ခုအား သင်မသိလိုက်ဘဲ လက်မှတ်ထိုးပါတော့မည်။ သင်သည် ဆော့ဖ်ဝဲအင်ဂျင်နီယာတစ်ဦးအနေဖြင့် bytecode ကို လက်မှတ်ထိုးလိုနိုင်ပြီး၊ Advanced ဆက်တင်များတွင် developer မုဒ်ကို သင်သတ်မှတ်ပါက ဤသတိပေးချက်ကို အစားထိုးနိုင်ပါသည်။</string>
<string name="constructor">Constructor</string>
<string name="use_tokenscript_viewer">TokenScript ကြည့်ရှုသူ</string>
<string name="not_recommended_to_visit">ဤ URL ကို တရားဝင်စာရင်းမသွင်းပါ။ ဆက်တင်များတွင် အကာအကွယ်ရွေးချယ်မှုများ ပြောင်းလဲခြင်းဖြင့် ဝင်ကြည့်ရန် ဖြစ်နိုင်သေးသော်လည်း ၎င်းကို အကြံပြုထားခြင်း မရှိပါ။ အထူးသဖြင့် crypto-mining တွင် ရင်းနှီးမြုပ်နှံပါက သင့်ရန်ပုံငွေများ ဆုံးရှုံးတော့မည်ဖြစ်သည်။ ထိန်းညှိထားသော crypto ရင်းနှီးမြှုပ်နှံမှုဆိုက်များစွာရှိသည်။</string>
<string name="developer_override_warning">သတိပေးချက်- သင်သည် စံကာကွယ်ရေးကို ပိတ်ပါတော့မည်။ ၎င်းသည် သင့်အား အလိမ်ခံရခြင်းမှ ကာကွယ်ပေးသည်။ သင့် dapp ကို စမ်းသပ်နေပါက သို့မဟုတ် ဆိုက်သည် 100% စိတ်ချရကြောင်း 100% သေချာပါက developer မုဒ်ကို အသုံးပြုပါ။ သတိရပါ- တစ်စုံတစ်ယောက်က ဤဆက်တင်ကိုဖွင့်ရန် သင့်အားပြောနေပါက၊ သင်သည် သင်၏ crypto ရန်ပုံငွေများကို ဆုံးရှုံးတော့မည်မှာ သေချာပါသည်။</string>
<string name="warning">သတိပေးချက်</string>
<string name="i_accept">အန္တရာယ်ကို ငါလက်ခံတယ်။</string>
</resources>
4 changes: 4 additions & 0 deletions app/src/main/res/values-vi/strings.xml
Expand Up @@ -1010,4 +1010,8 @@
<string name="override_warning_text">Bạn có thể sắp vô tình ký một giao dịch, điều này có thể khiến tiền của bạn bị rỗng. Bạn có thể muốn ký mã byte với tư cách là nhà phát triển và bạn có thể ghi đè cảnh báo này nếu bạn đặt chế độ nhà phát triển trong cài đặt Nâng cao.</string>
<string name="constructor">Constructor</string>
<string name="use_tokenscript_viewer">Trình xem TokenScript</string>
<string name="not_recommended_to_visit">URL này không nằm trong danh sách trắng. Bạn vẫn có thể truy cập bằng cách thay đổi tùy chọn bảo vệ trong cài đặt, nhưng không được khuyến khích. Bạn có thể sắp mất tiền, đặc biệt nếu đó là khoản đầu tư vào khai thác tiền điện tử. Có rất nhiều trang web đầu tư tiền điện tử được quản lý.</string>
<string name="developer_override_warning">Cảnh báo: Bạn sắp tắt chế độ bảo vệ tiêu chuẩn. Điều này giúp bạn tránh bị lừa đảo. Chỉ sử dụng chế độ nhà phát triển nếu bạn đang thử nghiệm dapp của mình hoặc nếu bạn chắc chắn 100% rằng trang web an toàn. Hãy nhớ rằng: nếu ai đó bảo bạn bật cài đặt này, bạn gần như chắc chắn sẽ mất tiền mã hóa của mình.</string>
<string name="warning">Cảnh báo</string>
<string name="i_accept">Tôi chấp nhận rủi ro</string>
</resources>
4 changes: 4 additions & 0 deletions app/src/main/res/values-zh/strings.xml
Expand Up @@ -997,4 +997,8 @@
<string name="override_warning_text">您可能会在不知情的情况下签署一项交易,这可能会清空您的资金。 您可能希望以开发人员的身份对字节码进行签名,如果您在高级设置中设置开发人员模式,则可以覆盖此警告。</string>
<string name="constructor">Constructor</string>
<string name="use_tokenscript_viewer">使用 TokenScript 查看器</string>
<string name="not_recommended_to_visit">此 URL 未列入白名单。仍可通过更改设置中的保护选项来访问,但不建议这样做。您可能会损失资金,尤其是如果这是对加密货币挖矿的投资。有很多受监管的加密货币投资网站。</string>
<string name="developer_override_warning">警告:您即将关闭标准保护。这可以防止您被骗。仅在测试 dapp 或 100% 确定网站安全时才使用开发者模式。请记住:如果有人告诉您打开此设置,您几乎肯定会失去您的加密货币资金。</string>
<string name="warning">警告</string>
<string name="i_accept">我接受风险</string>
</resources>
2 changes: 1 addition & 1 deletion app/src/main/res/values/colors_misc.xml
Expand Up @@ -34,7 +34,7 @@
<color name="arbitrum_test">#40678c</color>
<color name="palm_main">#83488c</color>
<color name="palm_test">#93589c</color>
<color name="klaytn_main">#FE3300</color>
<color name="klaytn_main">#9FD009</color>
<color name="klaytn_test">#414597</color>
<color name="iotex_mainnet">#00D4D5</color>
<color name="aurora_mainnet">#6BBE47</color>
4 changes: 4 additions & 0 deletions app/src/main/res/values/strings.xml
Expand Up @@ -1073,4 +1073,8 @@
<string name="override_warning_text">You might be about to unknowingly sign a transaction, which could empty your funds. You may want to sign bytecode as a developer, and you can override this warning if you set developer mode in Advanced settings.</string>
<string name="constructor">Constructor</string>
<string name="use_tokenscript_viewer">Use TokenScript Viewer</string>
<string name="not_recommended_to_visit">This URL is not whitelisted. It is still possible to visit by changing protection options in the settings, but it is not recommended. You could be about to lose your funds, especially if it\'s an investment in crypto-mining. There are plenty of regulated crypto investment sites.</string>
<string name="developer_override_warning">Warning: You are about to switch off standard protection. This prevents you from getting scammed. Only use the developer mode if you are testing your dapp, or if you are 100% sure that the site is safe. Remember: if someone is telling you to switch this setting on, you are almost certainly about to lose your crypto funds.</string>
<string name="warning">Warning</string>
<string name="i_accept">I accept the risk</string>
</resources>
