Cryptograph Release Notes
1.2.0 Summary
Cryptograph 1.2.0 tightens the rule that matters most: the Apple Watch must show the consequential transaction details before it can approve a signature, and those details must be bound to the bytes that are actually signed.
- Watch approval screens now fail closed when transaction details are missing, incomplete, stale, or inconsistent.
- WalletConnect, native send, Solana, TRON, XRP, Bitcoin/UTXO, EVM, and Zcash signing paths received additional display-to-signature binding checks.
- Zcash syncing and sending were updated for NU6.2, with stronger PCZT verification before watch approval.
- Recovery Sheet and Photo Backup restore handoff is more reliable when phone/watch sync stalls.
- Proxy, push, cache, pricing, dependency, and build-integrity checks were hardened across the release.
Signing and Approval Safety
- Added final EIP-712 digest display on Apple Watch approval screens and mirrored digest-boundary coverage on Android.
- Verified the exact bytes signed by the watch before completing approvals.
- Added a keyed display-bound commitment between phone and watch signing requests.
- Bound native-send recipient, amount, fee, SPL token accounts, and XRP tags against the decoded payload on iOS and Android.
- Rejected native-send approvals when displayed amount or fee metadata could not be proven against the signed payload.
- Blocked hidden or unverifiable WalletConnect fields across EVM, Solana, TRON, XRP, and UTXO signing flows.
- Hardened EVM WalletConnect display binding, EVM chain ID validation, and dynamic ERC-20 decimal formatting.
- Fetched ERC-20 token decimals on the watch so approval amounts match token precision at review time.
- Derived native approval totals on the watch instead of trusting phone-provided totals.
- Duplicated WalletConnect display-binding guards at sign time to catch tampering after presentation.
- Reserved Solana broadcast time only after watch approval so stale SOL requests expire safely.
- Fixed Solana WalletConnect response formats for message signing, transaction signing, and sign-and-send requests.
- Prevented Solana message signatures from being treated as pending transactions after watch approval.
- Made Base wstETH transaction summaries clear enough to approve safely on the watch.
- Reconciled the watch approval display contract so approval controls do not appear before required details are visible.
Zcash
- Restored Zcash sync and send compatibility after the NU6.2 network upgrade.
- Updated bundled Zcash libraries, manifests, Android verification metadata, and package pins for the new network state.
- Consolidated Zcash consensus branch ID handling into a single source.
- Bounds-checked lightwalletd protobuf slice reads and hardened Zcash signer panic handling.
- Bound Zcash PCZT outputs to viewing keys, including change output, own receiver, memo, transparent value, and ZEC-4 checks.
- Added Zcash PCZT roundtrip validation so phone-built transaction summaries and watch signatures stay bound.
- Added randomized fuzz coverage for PCZT watch entrypoints.
- Verified Zcash PCZT details before the watch displays approval controls.
- Kept ZEC Time Lock enforcement local to the watch for Zcash approvals.
- Shared watch-signing transport across Zcash send and shielding services.
- Cleaned up Zcash shielding screens and amount formatting.
Recovery and Onboarding
- Improved Recovery Sheet QR and Photo Backup restore handoff so the Apple Watch can pull pending recovery data from the phone if initial sync stalls.
- Clean-retested QR handoff and recorded the recovery path for regression coverage.
- Restored Android mnemonic unlock binding after merge churn.
- Improved phone and watch log writing reliability to avoid dropped or partial log files during troubleshooting.
Portfolio and Watch UI
- Fixed stale token price refresh so cached token values can update again.
- Blocked spam-token pricing from inflating displayed wallet totals.
- Hardened watch token price sync so token values stay aligned across phone and watch.
- Stamped authoritative portfolio totals into widget snapshots for consistency.
- Cleaned up stale scan artifacts and steadied sparkline formatting.
- Refreshed watch asset pages with shared layout components for more consistent balance and token presentation.
- Corrected product naming in the Functions Tour intro for Cryptograph, Databank, and Cartouche faces.
Proxy, Push, and API Hardening
- Required proof of possession for push client registration and unregister operations.
- Verified relay webhook signatures.
- Hardened proxy notification privacy.
- Added per-request input caps and per-client rate limiting.
- Capped arbitrary-address push subscriptions and documented the boundary as a non-goal.
- Removed the screenshot upload route and gated cache clearing behind an admin key.
- Hardened signing parsers and proxy token identifier boundaries.
- Fixed RPC injection, provider encoding, error-body allowlist, and cache-clear route coverage gaps.
- Consolidated proxy route validation across balances, metadata, prices, transactions, UTXOs, NFTs, approvals, and RPC routes.
- Added generic stale-cache batch fetch handling for proxy providers.
Dependencies and Build Integrity
- Fixed an integer-overflow trap in PSBT parser bounds checking.
- Bumped wallet-core advisory crates and completed WalletCore security-fix gap analysis.
- Verified build artifact cache integrity against git-tracked hashes.
- Added Gradle verification metadata, protobuf and aiohttp updates, SPM pins, and TssSigner supply-chain hygiene.
- Added WalletCore protobuf coverage gates.
- Promoted Android build helpers and fixed Android build/test issues uncovered by security merges.
- Fixed iOS build cache hydration and build-deps cache integrity behavior.
- Centralized hex and digest encoding helpers across Shared, app, watch, Tron, EVM, and QR signing code.
- Extracted iOS persistence stores and shared watch components to reduce duplicated state handling.
The 1.2.0 list omits release-build commits, QA-note commits, blog-only changes, and review-fix commits where the substantive fix is already represented above.
Previous Public Releases
These entries summarize public App Store releases only. Internal TestFlight builds, QA notes, release bookkeeping, and development-only changes are folded into the public release where they shipped or omitted when they did not affect users.
1.1.3
Privacy wording, watch recovery input, and defensive signing fixes. Public boundary: TestFlight build 114.
- Clarified the App Store and product wording around the core privacy model: keys stay on Apple Watch, protected by the Secure Enclave; no account, email, analytics, trackers, or customer database.
- Changed watch seed phrase recovery so the radial picker waits for an explicit word selection instead of auto-accepting the final matching word.
- Blocked EIP-7702 set-code WalletConnect requests until the watch can verify and present them safely.
- Added detection and clearing support for delegated EVM accounts during Revoke All flows.
- Added a watch-side fallback to recover pending signing requests when live WalletConnect delivery is missed.
- Stopped advertising unsupported Bitcoin
signMessagesupport to avoid incompatible dApp requests. - Fixed long Bitcoin approval details on Apple Watch and improved watch balance refresh responsiveness by moving cache work off the main UI path.
- Improved portfolio and complication delivery when Apple Watch wakes after being out of reach.
1.1.2
WalletConnect permit handling, watch refresh reliability, and price reliability. Public boundary: TestFlight build 107.
- Improved WalletConnect permit review so trusted finite ERC-2612 permits do not look like ownership handoff requests.
- Bound watch background refresh work so scheduled balance refreshes can finish more reliably.
- Improved token price refresh reliability for Alchemy-backed app data.
- Removed a retired price-history fallback from the app proxy path.
- Removed a retired NFT detail sheet path so gallery image handling stays on the current flow.
1.1.1
DApp connection hardening, richer signing disclosure, and recovery fixes. Public boundary: TestFlight build 104.
- Required Face ID or device passcode before connecting a dApp.
- Preserved approval fetch failures so approval screens no longer look empty when the server cannot load data.
- Tightened known-contract matching to require explicit chain context for safer approval and threat checks.
- Warned before the first send to a recipient this wallet has not used before.
- Screened WalletConnect URLs against known phishing domains before connection.
- Expanded Apple Watch signing details with nested Safe calldata, EIP-712 domain/message/Safe hashes, EVM nonce, and signing digest visibility.
- Added transaction QR verification export and animated UR signing handoff.
- Improved receive receipt recovery when iPhone and Apple Watch reconnect during verification.
- Aligned Apple Watch portfolio exposure totals with priced holdings.
1.1
WalletConnect, Bitcoin PSBT review, portfolio widgets, Time Lock polish, and broader protocol coverage. Public boundary: TestFlight build 99.
- Simplified watch signing into a one-glance review with clearer protocol and action headers, cleaner token change rows, and improved permit/supply copy.
- Added Bitcoin WalletConnect PSBT review with verified output details and fail-closed handling for unverifiable change outputs.
- Improved WalletConnect delivery when the phone app is backgrounded and added a Done control to WalletConnect request sheets.
- Aligned WalletConnect Time Lock enforcement with spend policy, kept blocked requests visible, and replaced frozen countdowns with live timers.
- Expanded trusted app, spender, router, and protocol recognition across major EVM apps and chains.
- Improved Base balance refresh consistency and transaction history decoding.
- Restored cached portfolio totals on launch so balances stay visible while fresh data loads.
- Added and refined iOS Home Screen portfolio widgets with token prices, period changes, date-range context, and cleaner holding rows.
- Included XRP in watch portfolio exposure allocation and aligned exposure grouping between watch and widgets.
- Improved post-send receipts, pending-row reconciliation, and Solana blockhash refresh during watch signing.
- Improved Photo Backup recovery handoff and watch seed phrase entry.
- Refreshed app and watch branding and removed the in-app news browsing surface.
1.0.1
Launch follow-up fixes. Public boundary: TestFlight build 76.
- Fixed App Store builds so they use the production API proxy.
- Improved portfolio loading with smarter cache-first reads and live provider fallback.
- Fixed ZEC price display on launch.
- Improved sparkline chart accuracy and timeframe labels.
- Fixed NFT metadata and gallery sync paths between phone and watch.
- Improved watch and phone gallery controls, zoom, paging, safe-area handling, and hidden-item sync.
- Updated App Store metadata and localized screenshots for supported locales.
For the security architecture behind these changes, read the Technical Security Overview.
Buy at Apple