Overview
Browser extensions require certain permissions to function properly. This page explains what permissions SubWallet requests and how they are used to provide you with a secure wallet experience.SubWallet follows the principle of least privilege - we only request permissions that are absolutely necessary for the wallet to function.
Required Permissions
SubWallet requests the following permissions from your browser:Storage
Permission:storage
Why it’s needed:
- Store encrypted account data locally
- Save wallet preferences and settings
- Cache network information and token metadata
- Persist transaction history
- All sensitive data is encrypted before storage
- Private keys never leave your device unencrypted
- No data is shared with third parties
Your encrypted wallet data is stored locally in your browser using Chrome’s secure storage API. Even if someone gains access to the storage, they cannot decrypt your data without your master password.
Tabs
Permission:tabs
Why it’s needed:
- Detect when you visit dApps that want to connect to your wallet
- Check URLs against phishing detection database
- Manage connections between your wallet and websites
- Display appropriate prompts for transaction signing
- SubWallet can see URLs of tabs you visit
- URL data is only used for phishing detection
- No browsing data is collected or transmitted
Notifications
Permission:notifications
Why it’s needed:
- Alert you to incoming transaction requests
- Notify you of completed transactions
- Inform you of important security warnings
- Display connection requests from dApps
- Notifications only display on your local device
- No notification data is sent to external servers
Side Panel
Permission:sidePanel
Why it’s needed:
- Provide an alternative interface alongside your browsing
- Allow quick access to wallet features without opening a popup
- Improve user experience on Chromium-based browsers
- No additional data access beyond the main extension
- Same security and privacy as the popup interface
Content Scripts
SubWallet injects content scripts into web pages to enable wallet functionality:What content scripts do:
- Inject Web3 Provider: Allows websites to detect and communicate with your wallet
- Handle Connection Requests: Manage when websites request wallet access
- Facilitate Transaction Signing: Enable dApps to request transaction approvals
- Phishing Detection: Check page URLs for safety
Matches:
file://*/*- Access local files (when explicitly permitted)http://*/*- Access HTTP websiteshttps://*/*- Access HTTPS websites
Content scripts run in an isolated environment and cannot access your wallet’s private keys or encrypted data directly.
What SubWallet Cannot Access
- Cannot read your passwords: Browser passwords are isolated from extensions
- Cannot access other extensions: Each extension runs in a sandbox
- Cannot modify most browser settings: Extensions have limited system access
- Cannot access your camera/microphone: Unless explicitly granted for QR scanning
- Cannot read your files: No access to your file system without user action
Data Privacy
What SubWallet Stores Locally:
- Encrypted private keys and seed phrases
- Account addresses and names
- Wallet preferences and settings
- Transaction history
- Connected website permissions
- Custom networks and tokens
What SubWallet Does NOT Collect:
- Your browsing history
- Personal identifying information
- IP addresses or location data
- Wallet balances (fetched in real-time from blockchain)
- Social media or email information
Managing Website Permissions
You have full control over which websites can interact with your wallet.Connecting to Websites
When a website requests access to SubWallet:- You’ll receive a connection request popup
- Review the website URL carefully
- Select which accounts to connect
- Approve or reject the connection
Viewing Connected Sites
- Go to Settings > Security > Manage Website Access
- See all websites with wallet access
- View which accounts are connected to each site
- Check connection timestamps
Revoking Access
- Navigate to Manage Website Access
- Find the website you want to disconnect
- Click on the website
- Select Disconnect or Forget Site
Disconnecting a website removes its ability to view your account addresses and request transactions. You can always reconnect later.
Transaction Permissions
SubWallet never signs transactions without your explicit approval.Transaction Authorization Process:
- Website Request: A dApp requests a transaction
- Popup Display: SubWallet shows transaction details
- User Review: You examine the transaction
- Password Entry: Enter your wallet password to sign
- Confirmation: Transaction is broadcast to the network
What You Should Review:
- Recipient address: Where funds/tokens are going
- Amount: How much is being sent
- Token/Asset: What is being transferred
- Network: Which blockchain is being used
- Gas fees: Transaction cost
- Contract interactions: What smart contracts are involved
Token Approvals
Some dApps request permission to spend your tokens on your behalf.Understanding Token Approvals:
- Allows smart contracts to transfer tokens from your wallet
- Common for DEXs, DeFi protocols, and NFT marketplaces
- Can be limited or unlimited amounts
- Remain active until manually revoked
Best Practices:
- Review carefully: Understand what contract you’re approving
- Limit amounts: Approve only what you need
- Revoke unused approvals: Remove old approvals periodically
- Be suspicious of unlimited approvals: These can drain your wallet if the contract is malicious
Security Best Practices
Extension Security:
- Keep Updated: Always use the latest version of SubWallet
- Official Sources Only: Install only from Chrome Web Store or official website
- Verify After Install: Check the extension ID matches the official one
- Review Permissions: Understand what you’re granting
- Lock Your Browser: Use browser profiles with passwords
Connection Security:
- Verify URLs: Always check website addresses before connecting
- Use HTTPS: Never connect to HTTP-only sites
- Review Permissions: Check what accounts you’re sharing
- Audit Regularly: Review connected sites monthly
- Disconnect Unused: Remove websites you no longer use
Account Security:
- Strong Password: Use a unique, strong master password
- Auto-Lock: Enable automatic locking after inactivity
- Separate Accounts: Use different accounts for different purposes
- Hardware Wallets: Connect hardware wallets for large holdings
- Test Accounts: Create test accounts for new/untrusted dApps
Content Security Policy
SubWallet implements strict Content Security Policy (CSP) to prevent code injection attacks:- Only SubWallet’s own code can execute
- WASM (WebAssembly) is allowed for cryptographic operations
- No external scripts can be injected
- Protection against XSS attacks
Minimum Browser Requirements
SubWallet requires modern browser features for security:- Chrome/Brave/Edge: Version 111 or higher
- Firefox: Latest version recommended
- Manifest V3: Modern extension architecture
- Web Crypto API: For secure encryption
Older browsers may lack security features necessary for safely storing cryptocurrency. Always keep your browser updated.
Transparency & Open Source
SubWallet is committed to transparency:- Open Source: Code is publicly available on GitHub
- Community Audits: Anyone can review the code
- Regular Updates: Security patches released promptly
- Bug Bounty: Responsible disclosure program
Verify the Code:
- Visit: https://github.com/Koniverse/SubWallet-Extension
- Review the source code
- Compare with your installed version
- Report security issues responsibly
Questions & Support
If you have questions about permissions or security:- Documentation: Read our comprehensive guides
- Discord: Join our community server
- GitHub: Open an issue for technical questions
- Email: Contact [email protected]