SecureSign: Bridging Security and UX in Mobile Web3 through Emulated EIP-6963 Sandboxing
Charles Cheng Ji, Brandon Kong

TL;DR
SecureSign introduces a PWA-based architecture for mobile Web3 that enhances security and usability by sandboxing dApps, preventing click-jacking, and enabling native features without code changes.
Contribution
It adapts desktop browser extension security models to mobile Web3 through EIP-6963 sandboxing, improving security and user experience simultaneously.
Findings
Achieves click-jacking immunity and transaction integrity.
Enables native mobile capabilities like push notifications.
Requires no code changes for existing Web3 apps.
Abstract
Mobile Web3 faces catastrophic retention (< 5%) yielding effective acquisition costs of $500 - $1,000 per retained user. Existing solutions force an impossible tradeoff: embedded wallets achieve moderate usability but suffer inherent click-jacking vulnerabilities; app wallets maintain security at the cost of 2 - 3% retention due to download friction and context-switching penalties. We present SecureSign, a PWA-based architecture that adapts desktop browser extension security to mobile via EIP-6963 provider sandboxing. SecureSign isolates dApp execution in iframes within a trusted parent application, achieving click-jacking immunity and transaction integrity while enabling native mobile capabilities (push notifications, home screen installation, zero context-switching). Our drop-in SDK requires no codebase changes for existing Web3 applications. Threat model analysis demonstrates…
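To make the architecture in the abstract concrete, here is an added sketch (not the paper's SDK) of the two sides of such a provider sandbox: the trusted parent that owns the wallet and validates every message, and the proxy provider the dApp iframe discovers via EIP-6963. The function names, the wallet shape and the in-memory channel are assumptions for illustration.

```javascript
// Added sketch, not the paper's code: a trusted parent holds the wallet and exposes only a
// proxy provider to the dApp iframe. Requests cross an origin-checked message boundary, and
// the tx prompt is rendered by the parent, where an iframe overlay cannot reach it. All names are hypothetical.

const ALLOWED_METHODS = new Set(["eth_accounts", "eth_chainId", "eth_sendTransaction"]);

// Parent side: handles one postMessage-style envelope from the iframe and returns the reply.
function createTrustedParent({ wallet, dappOrigin, confirm }) {
  return {
    handleMessage(origin, envelope) {
      const { id, method, params = [] } = envelope || {};
      // Origin check: messages from anything but the sandboxed dApp frame are dropped.
      if (origin !== dappOrigin) return { id, error: "untrusted origin" };
      if (!ALLOWED_METHODS.has(method)) return { id, error: "method not allowed: " + method };
      if (method === "eth_sendTransaction") {
        // Copy the tx before showing it, so the object the user approves is the one signed.
        const tx = Object.freeze({ ...params[0] });
        if (!confirm(tx)) return { id, error: "user rejected" };
        return { id, result: wallet.sendTransaction(tx) };
      }
      return { id, result: wallet[method]() };
    },
  };
}

// iframe side: an EIP-1193 `request` that forwards to the parent, wrapped in the
// { info, provider } detail that an `eip6963:announceProvider` event would carry.
function createSandboxedProvider(postToParent) {
  let nextId = 1;
  const provider = {
    request({ method, params = [] }) {
      return Promise.resolve(postToParent({ id: nextId++, method, params })).then((reply) => {
        if (reply.error) throw new Error(reply.error);
        return reply.result;
      });
    },
  };
  const info = { uuid: "00000000-0000-4000-8000-000000000000", name: "SecureSign (example)",
                 icon: "data:image/svg+xml,", rdns: "example.securesign" }; // placeholder values
  return { info, provider };
}

// Constructed wiring for a stand-alone run: a fake wallet and an in-memory message channel.
const fakeWallet = {
  eth_accounts: () => ["0x1111111111111111111111111111111111111111"],
  eth_chainId: () => "0x1",
  sendTransaction: (tx) => "0xtxhash:" + tx.to + ":" + tx.value,
};
const DAPP_ORIGIN = "https://dapp.example";
```

In a real deployment the parent would listen for `message` events and check `event.origin`, and the dApp would receive the provider through the `eip6963:announceProvider` event rather than a direct call.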
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Web Application Security Vulnerabilities
