{"ID":2840114,"CreatedAt":"2026-06-01T04:54:23.091178241Z","UpdatedAt":"2026-06-01T04:54:23.091178241Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2511.14611","arxiv_id":"2511.14611","title":"SecureSign: Bridging Security and UX in Mobile Web3 through Emulated EIP-6963 Sandboxing","abstract":"Mobile Web3 faces catastrophic retention (\u003c 5%) yielding effective acquisition costs of \\$500 - \\$1,000 per retained user. Existing solutions force an impossible tradeoff: embedded wallets achieve moderate usability but suffer inherent click-jacking vulnerabilities; app wallets maintain security at the cost of 2 - 3% retention due to download friction and context-switching penalties. We present SecureSign, a PWA-based architecture that adapts desktop browser extension security to mobile via EIP-6963 provider sandboxing. SecureSign isolates dApp execution in iframes within a trusted parent application, achieving click-jacking immunity and transaction integrity while enabling native mobile capabilities (push notifications, home screen installation, zero context-switching). Our drop-in SDK requires no codebase changes for existing Web3 applications. Threat model analysis demonstrates immunity to click-jacking, overlay, and skimming attacks while maintaining wallet interoperability across dApps.","short_abstract":"Mobile Web3 faces catastrophic retention (\u003c 5%) yielding effective acquisition costs of \\$500 - \\$1,000 per retained user. Existing solutions force an impossible tradeoff: embedded wallets achieve moderate usability but suffer inherent click-jacking vulnerabilities; app wallets maintain security at the cost of 2 - 3% r...","url_abs":"https://arxiv.org/abs/2511.14611","url_pdf":"https://arxiv.org/pdf/2511.14611v1","authors":"[\"Charles Cheng Ji\",\"Brandon Kong\"]","published":"2025-11-18T16:02:46Z","proceeding":"cs.CR","tasks":"[\"cs.CR\",\"cs.HC\"]","methods":"[]","has_code":false}