Hardware Device App Contest - Part 1. Ledger

I don’t know if the juries read this before voting, but due to the latest jury comments (and only 2 submissions) this will dot the i’s and cross the t’s.

Ledger has a template/skeleton app called Boilerplate app: GitHub - LedgerHQ/ledger-app-boilerplate
This app also defines API specification: ledger-app-boilerplate/api.asc at master · LedgerHQ/ledger-app-boilerplate · GitHub

Checking other Ledger apps will show the same docs and application structure:

A Ledger application has a fixed flow that limits developers’ choices (Application Structure and I/O — Ledger Documentation Hub 2 documentation).
The Ledger security guidelines (Developing Secure Ledger Apps — Ledger Documentation Hub 2 documentation) explicitly say that “You should never roll your own crypto primitives (including encryption/derivation schemes, hashing functions, HMAC, etc.)”. So you can’t just start using the NaCl library for encryption (similar to some Free TON libraries).

Given all that, developers don’t have a lot of room left for self-expression.
Also, the extremely small storage size on the Ledger Nano S forces developers to write the least possible code.
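To show what the “fixed flow” referred to above looks like in practice, here is an added example, written for this thread and not taken from the boilerplate or the Ledger SDK. It models one turn of the app’s loop: a short APDU (CLA INS P1 P2 Lc data) arrives, the header is validated, the command is dispatched on INS, and a response of data followed by a two-byte status word goes back. The CLA byte 0xE0 and the INS numbers 0x03/0x04 are assumed here (a real app takes them from its api.asc); the status words are the standard ISO 7816-4 values. The SDK’s io_exchange() is replaced by a plain function call so the code runs on a desktop, and the key and signing commands a real app would route to the SDK’s cx_* primitives are deliberately left out, which is exactly the point of the “never roll your own crypto” rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values, modelled on the boilerplate's CLA/INS layout; a real app
 * takes them from its own api.asc. */
#define APP_CLA          0xE0
#define INS_GET_VERSION  0x03
#define INS_GET_APP_NAME 0x04

/* ISO 7816-4 status words (standard, not app-specific). */
#define SW_OK                0x9000
#define SW_WRONG_LENGTH      0x6700
#define SW_WRONG_P1P2        0x6B00
#define SW_INS_NOT_SUPPORTED 0x6D00
#define SW_CLA_NOT_SUPPORTED 0x6E00

#define APDU_MAX_DATA 255
#define RESP_MAX      (APDU_MAX_DATA + 2)   /* data || SW1 SW2 */

static const uint8_t APP_VERSION[3] = {1, 0, 0};
static const char    APP_NAME[]     = "Boilerplate";

typedef struct {
    uint8_t cla, ins, p1, p2, lc;
    const uint8_t *data;   /* lc bytes, or NULL */
} apdu_t;

/* Parse a short APDU "CLA INS P1 P2 Lc data". Returns 0 or a status word. */
static uint16_t apdu_parse(const uint8_t *buf, size_t len, apdu_t *cmd) {
    if (len < 5) return SW_WRONG_LENGTH;
    cmd->cla = buf[0]; cmd->ins = buf[1]; cmd->p1 = buf[2]; cmd->p2 = buf[3];
    cmd->lc = buf[4];
    if (len - 5 != cmd->lc) return SW_WRONG_LENGTH;   /* Lc must match the payload */
    cmd->data = cmd->lc ? buf + 5 : NULL;
    return 0;
}

/* Append SW1 SW2 after n bytes of response data; return the total length. */
static size_t finish(uint8_t *out, size_t n, uint16_t sw) {
    out[n] = (uint8_t)(sw >> 8);
    out[n + 1] = (uint8_t)(sw & 0xFF);
    return n + 2;
}

/* One turn of the fixed loop: command in, "data || SW" out. Returns the response length. */
size_t apdu_handle(const uint8_t *in, size_t in_len, uint8_t *out) {
    apdu_t cmd;
    uint16_t sw = apdu_parse(in, in_len, &cmd);
    if (sw != 0) return finish(out, 0, sw);
    if (cmd.cla != APP_CLA) return finish(out, 0, SW_CLA_NOT_SUPPORTED);

    switch (cmd.ins) {
    case INS_GET_VERSION:
        if (cmd.p1 != 0 || cmd.p2 != 0) return finish(out, 0, SW_WRONG_P1P2);
        if (cmd.lc != 0) return finish(out, 0, SW_WRONG_LENGTH);
        memcpy(out, APP_VERSION, sizeof APP_VERSION);
        return finish(out, sizeof APP_VERSION, SW_OK);
    case INS_GET_APP_NAME:
        if (cmd.p1 != 0 || cmd.p2 != 0) return finish(out, 0, SW_WRONG_P1P2);
        if (cmd.lc != 0) return finish(out, 0, SW_WRONG_LENGTH);
        memcpy(out, APP_NAME, strlen(APP_NAME));
        return finish(out, strlen(APP_NAME), SW_OK);
    default:
        /* Anything else, including the key/signing commands a real app would
         * route to the SDK's cx_* primitives, is rejected here. */
        return finish(out, 0, SW_INS_NOT_SUPPORTED);
    }
}

/* Convenience: the status word of the response to one APDU. */
uint16_t apdu_status(const uint8_t *in, size_t in_len) {
    uint8_t resp[RESP_MAX];
    size_t n = apdu_handle(in, in_len, resp);   /* always >= 2 bytes */
    return (uint16_t)((resp[n - 2] << 8) | resp[n - 1]);
}

/* Constructed sample commands for this example (not captured traffic). */
const uint8_t APDU_GET_VERSION[]  = {0xE0, 0x03, 0x00, 0x00, 0x00};
const uint8_t APDU_GET_APP_NAME[] = {0xE0, 0x04, 0x00, 0x00, 0x00};
const uint8_t APDU_BAD_CLA[]      = {0xB0, 0x03, 0x00, 0x00, 0x00};
const uint8_t APDU_BAD_INS[]      = {0xE0, 0xFF, 0x00, 0x00, 0x00};
const uint8_t APDU_BAD_P1[]       = {0xE0, 0x03, 0x01, 0x00, 0x00};
const uint8_t APDU_LC_MISMATCH[]  = {0xE0, 0x03, 0x00, 0x00, 0x05, 0xAA}; /* Lc=5, one byte sent */
const uint8_t APDU_TRUNCATED[]    = {0xE0, 0x03};

int main(void) {
    uint8_t resp[RESP_MAX];
    size_t n = apdu_handle(APDU_GET_VERSION, sizeof APDU_GET_VERSION, resp);
    for (size_t i = 0; i < n; i++) printf("%02X ", resp[i]);
    printf("\nSW(bad CLA)=%04X SW(bad INS)=%04X SW(Lc mismatch)=%04X\n",
           apdu_status(APDU_BAD_CLA, sizeof APDU_BAD_CLA),
           apdu_status(APDU_BAD_INS, sizeof APDU_BAD_INS),
           apdu_status(APDU_LC_MISMATCH, sizeof APDU_LC_MISMATCH));
    return 0;
}
```

The thing to notice is how little of this is left to the developer: header parsing and the Lc check are the same in every app, each INS handler is a few lines that validate P1/P2 and the payload before touching anything, and every failure path ends in a standard status word rather than app-specific behaviour. Anything cryptographic would sit behind the INS dispatch as a call into the SDK, not as code of your own.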

Hello @SuperArmor and @Lykovaleksey, I would like to use one of your solutions for the Ledger Nano S.
Let us assume I’m not able to perform a code audit before use due to missing competence.
Is such a code audit necessary at all, or is the security guaranteed by the strict limitations in the mentioned Boilerplate? I doubt the audit was done by the judges during the contest. Please advise.

Hello @aicracy.
We do not do an audit, but I’m using Ledger myself. I’m not sure about an audit from the judges either. Anyway, it is open source; you can ask somebody else to check our code and open an issue if you find any problem.