How does Safe prevent Safe apps doing malicious actions?

[akasuv]

Hi team! How does Safe prevent Safe apps from doing malicious actions? For example, If I followed the rule to create an app first, after it's released on Safe Apps, I deploy a malicious version to call MetaMask directly to take over users' assets, how can Safe prevent this?

[DaniSomoza]

Hi @akasuv

We've implemented a variety of measures to prevent potential malicious actions:

1. Sandboxed iframe: One of the main protections we employ is the use of a sandboxed iframe. When we load a Safe App, it is contained within this iframe, which has strict permissions defined by the sandbox attribute. This effectively isolates the Safe App from the parent environment, ensuring that it can't make unrestricted actions outside its own context. You can read more about this in the mozilla iframe docs.

<iframe
  ...
  sandbox={IFRAME_SANDBOX_ALLOWED_FEATURES}
  ...
/>

2. Communication using our safe-apps-sdk: All communication between the parent frame (our Safe interface) and the Safe App (inside the iframe) is managed through our safe-apps-sdk. This SDK provides a standardized way of communication, enabling Safe Apps to interact with the parent frame in controlled and expected ways.
3. Before accessing any Safe App, users are presented with a disclaimer informing them that they are interacting with third-party apps outside our control. This serves as a clear reminder of the potential risks and ensures users are aware of their responsibilities:

4. I'd like to highlight that our review process for adding a new Safe App to our official list is quite strict. For a detailed look into our review criteria and procedure, you can refer to this template.

More links:

• Our Iframe set up: https://github.com/safe-global/safe-wallet-web/blob/dev/src/components/safe-apps/AppFrame/SafeAppIframe.tsx#L18
• Our communication logic: https://github.com/safe-global/safe-wallet-web/blob/b7287acb23fdf594eb5505c5e494ae5acaa7649e/src/components/safe-apps/AppFrame/useAppCommunicator.ts
• safe-apps-sdk communication logic: https://github.com/safe-global/safe-apps-sdk/blob/main/packages/safe-apps-sdk/src/communication/index.ts

[akasuv]

Thanks for the quick and detailed answer, this helps a lot! @DaniSomoza