Mobile Web3 faces catastrophic retention (< 5%), which yields effective acquisition costs of \$500 - \$1,000 per retained user. Existing solutions force an impossible tradeoff: embedded wallets achieve moderate usability but suffer inherent click-jacking vulnerabilities, while app wallets preserve security but retain only 2 - 3% of users because of download friction and context-switching penalties. We present SecureSign, a PWA-based architecture that adapts desktop browser-extension security to mobile via EIP-6963 provider sandboxing. SecureSign isolates dApp execution in iframes within a trusted parent application, achieving click-jacking immunity and transaction integrity while enabling native mobile capabilities (push notifications, home-screen installation, zero context-switching). Our drop-in SDK requires no codebase changes for existing Web3 applications. Threat-model analysis demonstrates immunity to click-jacking, overlay, and skimming attacks while maintaining wallet interoperability across dApps.
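An added illustration of the bridge the abstract describes, written for this page and not SecureSign's own SDK: the trusted parent PWA receives JSON-RPC requests posted by the cross-origin dApp iframe, accepts only messages whose origin and source window match that iframe, and routes signing methods through its own approval UI, which dApp content cannot overlay. The dApp origin, method allow-lists, provider uuid and rdns are assumed values constructed for the example.

```javascript
// Assumed: the dApp is loaded cross-origin at DAPP_ORIGIN inside an <iframe>
// owned by the parent PWA and talks to it with window.parent.postMessage.
const DAPP_ORIGIN = "https://dapp.example"; // constructed value

// EIP-1193 methods the parent relays without prompting the user.
const READ_ONLY = new Set(["eth_chainId", "eth_accounts", "eth_blockNumber"]);
// Methods that must be confirmed in the parent's own UI; the iframe can only
// request them, never render or click the approval control itself.
const NEEDS_APPROVAL = new Set([
  "eth_sendTransaction", "personal_sign", "eth_signTypedData_v4",
]);

// EIP-6963 announcement detail for the bridged provider that runs inside the
// iframe (uuid/rdns/icon are placeholders for this example).
function providerDetail(provider) {
  return {
    info: {
      uuid: "00000000-0000-4000-8000-000000000001",
      name: "Parent PWA Wallet",
      icon: "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'/>",
      rdns: "example.wallet",
    },
    provider,
  };
}

// Iframe side: announce on load and re-announce whenever a dApp asks.
function announceInIframe(provider) {
  if (typeof window === "undefined") return; // no DOM (e.g. under test)
  const detail = Object.freeze(providerDetail(provider));
  const announce = () =>
    window.dispatchEvent(new CustomEvent("eip6963:announceProvider", { detail }));
  window.addEventListener("eip6963:requestProvider", announce);
  announce();
}

// Parent side: classify one postMessage event. Anything that does not come
// from the expected origin AND the iframe's own window is dropped unanswered,
// so a sibling frame or overlay cannot impersonate the dApp.
function classifyRequest(event, iframeWindow) {
  if (event.origin !== DAPP_ORIGIN) return { ok: false, reason: "origin" };
  if (event.source !== iframeWindow) return { ok: false, reason: "source" };
  const msg = event.data;
  if (!msg || typeof msg.id !== "number" || typeof msg.method !== "string") {
    return { ok: false, reason: "shape" };
  }
  if (READ_ONLY.has(msg.method)) return { ok: true, approval: false, method: msg.method };
  if (NEEDS_APPROVAL.has(msg.method)) return { ok: true, approval: true, method: msg.method };
  return { ok: false, reason: "method" };
}
```

In the parent, `window.addEventListener("message", e => classifyRequest(e, iframe.contentWindow))` gates every request; only `approval: true` results open the parent-rendered confirmation sheet before the signer is invoked.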