We’ve released our BitBox02 JavaScript API, including a reference implementation, for easy integration of the BitBox02 hardware wallet into online services. With the lightweight BitBoxBridge, we support using the BitBox02 in all browsers. Reach out if you want to add the BitBox02 to your service. We’re happy to help!

Everything goes web

Hardware wallets like the BitBox02 add a great deal of security to holding your own Bitcoin and other cryptocurrencies. They are mainly designed to work with their companion application, like the BitBoxApp.

But everything moves online. More and more services and applications are built on web technology, running directly in your browser. This can be very convenient, as it provides cross-platform and even mobile support and can be used from anywhere.

But how is that compatible with the idea of self-sovereignty? Data is either stored centrally on a web server, or locally managed by the browser on the device. Adding hardware wallet integration, and allowing online services to either outsource private key management to, or directly interact with, a user-controlled keystore gets us back on track.

This is why we are releasing our BitBox02 JavaScript API as free open source for every service that wants to implement direct support of the BitBox02 hardware wallet.

Use cases

There are many instances where direct integration of a hardware wallet makes sense, both for the service and its users:

  • Secure key management for web wallets
    Imagine using a web wallet like MyEtherWallet to manage significant amounts, but having the private keys managed by your web browser. Scary. The option to store your keys on a hardware wallet adds a lot of security.
  • Direct integration into web services
    Exchanges or custodial solutions can directly interact with the hardware wallet, for example to allow more secure withdrawals, minimizing manual errors and avoiding copy/paste (with the associated clipboard hijacking risks).
  • Multisignature platforms
    Especially useful when using web-based multisignature solutions, the BitBox02 allows you to store the relevant information of all co-signers directly on the device. This information can be provided to the hardware wallet directly and — once verified over a second channel — can be used for all future transactions.
  • Dollar Cost Averaging (DCA) without address reuse
    Online services can securely send future transactions to you without reusing addresses. All it takes is to share the extended public key of a dedicated account with the service, which can be achieved conveniently through a direct integration. This is especially helpful for users who buy cryptocurrencies on a regular basis using the DCA method.

A bit outside the scope of this article, but still worth mentioning: even without direct integration of the BitBox02, it can still add login security as a second-factor authentication device. Finally, get rid of these darn SMS!

How it works

The goal of our JavaScript library is to allow any web service to easily integrate with the BitBox02. In order to do that, the browser needs to be able to communicate with the USB device. We use the BitBoxBridge, a lightweight dedicated background service running locally, to establish that connection. We decided to build the BitBoxBridge to support all platforms and browsers, as other options like WebUSB or U2F-hijack are either limited to certain browsers, experimental in nature or very unstable.

The BitBoxBridge acts as a proxy and accepts requests from the browser for whitelisted web addresses, relaying them to the BitBox02 over an end-to-end encrypted channel.

In that context, we need to trust the browser security model to not accept spoofed websites. Also, malicious browser extensions could potentially still interfere with the communication from the browser to the server, so services need to be implemented with the right safeguards in place.
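
To make the allowlisting step above concrete, here is an added example (not code from BitBoxBridge or the BitBox02 library) of how a local bridge could match the browser-supplied Origin header exactly against its permitted sites. Checking the Origin header, the function names and the listed origins are all assumptions made for illustration.

```javascript
// Added illustration, not BitBoxBridge source. Names are hypothetical and the
// allowlist entries are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://wallet.example',
  'https://app.example:8443',
]);

// Reduce an Origin header value to scheme://host[:port]. Returns null when the
// value is missing, opaque ("null"), unparsable, or carries more than an origin.
function canonicalOrigin(header) {
  if (typeof header !== 'string' || header === '' || header === 'null') return null;
  let url;
  try {
    url = new URL(header);
  } catch {
    return null;
  }
  // A genuine Origin value has no credentials, path, query or fragment.
  if (url.username || url.password || url.search || url.hash) return null;
  if (url.pathname !== '/') return null;
  return url.origin; // host lower-cased, default port dropped
}

// Exact-match decision: never prefix, suffix or substring comparison, so a
// look-alike host that merely contains an allowed name is rejected.
function isAllowedOrigin(header) {
  const origin = canonicalOrigin(header);
  if (origin === null) return false;
  if (!origin.startsWith('https://')) return false; // no plaintext origins
  return ALLOWED_ORIGINS.has(origin);
}

// Constructed sample header values covering the accept and reject cases.
const SAMPLE_ORIGINS = [
  'https://wallet.example',
  'https://WALLET.example:443',           // same origin after normalisation
  'https://app.example:8443',
  'https://app.example',                  // right host, wrong port
  'https://wallet.example.attacker.test', // allowed name used as a subdomain label
  'https://wallet.example@attacker.test', // allowed name in the userinfo part
  'http://wallet.example',                // scheme downgrade
  'null',                                 // opaque origin (sandboxed frame, file:)
];

// Returns only the sample values that the bridge would serve.
function classify(samples) {
  return samples.filter(isAllowedOrigin);
}
```

A check like this only establishes which site the browser says is calling. It does not address the malicious-extension case mentioned above, which is why the service itself still needs its own safeguards.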

What we provide

Our hardware wallet integration framework uses the following two components:

  • BitBoxBridge is a simple, lightweight proxy that only needs to be updated to add new whitelisted web addresses.
  • BitBox02 JavaScript library contains the full client implementation compiled to JavaScript from our Go backend used in the BitBoxApp.

Additionally, the /demo folder in the JavaScript library repository contains our fully functional sandbox reference implementation.

Need help?

If you want to add BitBox02 integration to your project, we’re happy to help. Reach out to us at labs@shiftcrypto.ch so that we can discuss how to get it done!

The Shift Team