CakeWallet always leaking OS information to Reown/WalletConnect with an Ethereum wallet #2321
kopalni started this conversation in Feature requests
Even with the most private Ethereum wallet setup possible (own Ethereum node, Fiat API disabled, Swap API disabled, toggled "Disable Exchange option" and "Disable service status bulletin", disabled Etherscan history, disabled domain look-ups), Cake Wallet is still starting the Reown webkit, which can be easily seen by logging DNS requests.
Cake uses Reown's WalletConnect connector. Reown constructs a user agent identifier, and passes it as a parameter to relay.walletconnect.org.
This user agent is not very private. In the case of Linux desktop, it contains the kernel build time and version. It will reveal if a person is using Qubes or Tails for example.
For Android and iOS, it reveals the version of Android or iOS. This can be especially problematic in case of an old Android or iOS version running on the user's device, or if Waydroid is being used.
All of this happens even if the user is not using any DApps / WalletConnect at all, but is just connecting to their own node to check the balance in their Ethereum wallet.
There is no way to avoid sending this fingerprinting information to Reown, short of blocking DNS requests or outbound traffic to Reown's IPs.
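One way to run the DNS check the post describes, as an added example that is not part of the original discussion nor Cake Wallet's or Reown's code: it scans resolver query logs for lookups of the relay host named above and reports which client made them. It assumes dnsmasq `log-queries` line format; the watched suffix, client addresses and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# dnsmasq "log-queries" line (assumed log format), e.g.
#   Jan  5 10:00:01 dnsmasq[812]: query[A] example.org from 192.168.1.50
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

# Assumption: watch the parent domain of relay.walletconnect.org (the host
# named in the post) so that any sibling hostname is also caught.
WATCHED = ("walletconnect.org",)


def matches(name, watched=WATCHED):
    """True if name equals a watched domain or is a subdomain of one."""
    name = name.lower().rstrip(".")  # DNS names are case-insensitive
    return any(name == d or name.endswith("." + d) for d in watched)


def find_relay_lookups(lines, watched=WATCHED):
    """Group watched-domain queries by the client that issued them."""
    hits = defaultdict(lambda: {"first_seen": None, "count": 0, "names": set()})
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or not matches(m["name"], watched):
            continue  # replies, forwards and unrelated queries are skipped
        entry = hits[m["client"]]
        entry["first_seen"] = entry["first_seen"] or m["ts"]
        entry["count"] += 1
        entry["names"].add(m["name"].lower().rstrip("."))
    return dict(hits)


# Constructed sample: a wallet host talking to its own node, then the relay.
SAMPLE_LOG = """\
Jan  5 10:00:01 dnsmasq[812]: query[A] my-eth-node.example from 192.168.1.50
Jan  5 10:00:02 dnsmasq[812]: query[A] relay.walletconnect.org from 192.168.1.50
Jan  5 10:00:02 dnsmasq[812]: query[AAAA] Relay.WalletConnect.org. from 192.168.1.50
Jan  5 10:00:03 dnsmasq[812]: reply relay.walletconnect.org is 203.0.113.10
Jan  5 10:00:04 dnsmasq[812]: query[A] notwalletconnect.org from 192.168.1.51
""".splitlines()

if __name__ == "__main__":
    for client, info in find_relay_lookups(SAMPLE_LOG).items():
        print(client, info["count"], info["first_seen"], sorted(info["names"]))
```

A hit for a client that has no WalletConnect session open is the behaviour reported in the post; the same suffix list can feed a resolver block rule.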