Spring Browser

Apps23 min readAndroid Nostr browser, app launcher, NIP-07 style window.nostr provider, local key and nsecBunker signer paths, permission prompts, Nostr app discovery and Android intent handling

Spring Browser

Spring Browser is not a normal mobile browser with a Nostr bookmark folder. It is an Android Nostr app container: it keeps keys, exposes a NIP-07-style `window.nostr` API to web apps, asks the user before signing or decrypting, and tries to make Nostr micro-apps safer to open on a phone.

What Spring Browser really is

Spring Browser is an Android Nostr browser. That phrase needs unpacking. It is not the Java Spring framework, not a desktop browser extension and not just a catalog page. It is a mobile app that opens Nostr web apps inside a controlled browser shell and exposes Nostr signing methods to those apps.

The Play Store listing calls it Spring - the Nostr browser and says it lets users explore Nostr micro-apps, store Nostr keys safely, discover new and trending content and switch between Nostr apps. The GitHub repository is `nostrband/nostr-universe`, maintained by the Nostr.Band team, with the homepage set to `https://spring.site` and an MIT license.

The most concise technical description comes from the code. Spring injects a NIP-07-style `window.nostr` object into pages opened through its Cordova InAppBrowser. That object can give the page a public key, ask the app to sign an event, and support NIP-04 encryption and decryption. In other words, Spring tries to give Android users a signer layer similar to what desktop browser extensions give web users.

That is why Spring belongs in the Nostr app map. It is a browser, but its purpose is Nostr-specific: open micro-apps, protect the private key from arbitrary web pages, and place a permission prompt between the web app and the user's identity.

Why it belongs in Miscellaneous

Spring Browser could be described as a signer, a client, an app launcher, a catalog, a WebView container or a Nostr protocol browser. None of those labels is complete. It belongs in Miscellaneous because it connects several roles without being just one of them.

It is not a normal social client because its main job is not to show one feed. It is not only a signer because it also discovers and opens apps. It is not only a browser because its important feature is the Nostr bridge it exposes. It is not a wallet even though the codebase contains walletstore plumbing and the wider NWC ecosystem lists Spring Browser among app surfaces.

The Miscellaneous label keeps the reader from expecting the wrong thing. If you want a timeline client, Spring may open one. If you want a mobile signing shell for web clients, Spring is closer to the target. If you want a custody-reviewed wallet, this is not that category.

That mixed identity is the product's point. Mobile Nostr users need a way to open many small web apps without pasting an nsec into each one. Spring is one attempt to make that pattern feel native on Android.

The Android and Cordova stack

Spring is built as an Android Cordova app. The repository README tells builders to install Java, Android Studio, Android SDK tools, build the React/Vite app, then add Cordova plugins for a Nostr keystore, InAppBrowser, walletstore, clipboard, sharing, status bar, native logs, local notifications and Android intents.

The Cordova config identifies the app as `com.nostr.universe`, version 0.15.0, name Spring, description The Nostr browser, and author Nostr.Band Team. It also registers an Android intent filter for the `nostr:` URI scheme, which lets Android route Nostr links into the app.

This stack is practical, but it has boundaries. WebView apps are only as safe as their native bridge and injected APIs. A Cordova browser can give Nostr web apps useful capabilities, but it also has to mediate every request carefully. The bridge between the page and native code is where user trust lives.

The repository has not published a new GitHub release after v0.15.0 on 2023-12-28, and the Play Store listing also shows a December 28, 2023 update. That does not necessarily mean the app is unusable, but it does mean users should check current Android compatibility, Play Protect status and open issues before treating it as actively maintained infrastructure.

How `window.nostr` is exposed

The browser module is the heart of Spring's Nostr behavior. It defines an `initWindowNostr` function that creates a `window.nostrCordovaPlugin` request bridge and then assigns `window.nostr` with methods for `getPublicKey`, `signEvent`, and `nip04.encrypt` / `nip04.decrypt`. The comments in the file call this the NIP-07 API.

When a web app inside Spring calls one of those methods, the call is not supposed to get raw key material. It sends a request through the Cordova bridge, and Spring can ask the native or app-side signer to handle it. That is the basic safety improvement over pasting an nsec into every website.

NIP-07 itself says browsers or extensions may provide a `window.nostr` object with methods like `getPublicKey` and `signEvent`. Spring adapts that idea to Android. Instead of a Chrome extension, the provider is the app container that owns the WebView.

The reader should still stay alert. Exposing `window.nostr` makes Nostr web apps usable, but it also makes permission design critical. A bad web app can ask to sign events. A confusing UI can make users approve more than they understand. The provider protects the key only if the prompts are clear and the user reads them.

Key custody and signer paths

Spring has more than one signer path. The README installs a Nostr keystore Cordova plugin, and the code imports `NostrKeyStore` when Cordova is available. The keystore module also contains a localStorage stub path used outside the native plugin environment. That stub stores private keys in localStorage for development-like contexts, while the Cordova target is meant to use the native plugin.

The signer hook shows how signing, encryption and decryption are routed. If the current pubkey is in the nsecBunker key list, Spring uses Nostr.Band remote signing helpers. Otherwise it uses the keystore. Signed events are also recorded through the app's local database path so the user can inspect what was signed.

No Bullshit Bitcoin's v0.3.0 release note specifically highlighted nsecBunker support. That is important because remote signing changes the custody model. The private key may be held behind a remote signer rather than directly in the Android app, but the user still needs to understand which signer is active and what it will approve.

The practical advice is conservative. If you test Spring, create or import a low-risk Nostr key first. Do not start with your most important identity. Confirm whether the app is using a local key, Android keystore plugin or remote signer. Then review the signed-events history after using a few apps.

Permission prompts are the product

Spring's permission request modal is not a minor UI detail. It is the security boundary the user actually sees. The modal code distinguishes between a pubkey request, a payment request, signing an event of a specific kind, encrypting a message and decrypting a message.

That is exactly the kind of differentiation a Nostr browser needs. Asking for a public key is not the same as asking to sign an event. Signing a kind 1 text note is not the same as signing an app-specific event, a list, a deletion request or a wallet-related payload. Decryption is more sensitive still, because it can expose private message content.

The modal can only help if the user has context. A web app should explain why it needs a permission before triggering the prompt. Spring should show enough event detail to let the user reject suspicious requests. Users should avoid tapping approve from muscle memory.

For this reason, Spring is best read as a signer education tool as well as a browser. It makes the invisible contract between a Nostr web app and a private key visible. That contract is where many Nostr safety mistakes happen.

App discovery and micro-apps

The Play Store text focuses on the universe of Nostr micro-apps. The source tree contains app cards, sortable app lists and Nostr application handling logic. The app is designed to help users discover, open, pin and switch between Nostr apps rather than live inside one client forever.

This matters because Nostr's portability promise needs good handoff surfaces. A note, profile or event should be openable in different handlers. A mobile user should not need to copy and paste raw event IDs across apps. Spring's `nostr:` Android intent handling and app-launcher UI are attempts to make that flow feel normal.

There is a tradeoff. A curated app browser can make discovery easier, but it also becomes a gatekeeper for what users see first. If app lists become stale, biased or incomplete, users may assume the ecosystem is smaller than it is. If a web app inside the browser breaks, users may blame Spring even when the hosted app is at fault.

The best use is exploratory. Use Spring to try Nostr web apps without handing each one your raw key. Keep mental separation between Spring the container and the app you open inside it.

Relays and local cache

Spring ships with explicit relay defaults. The code lists `wss://relay.nostr.band/`, Damus, nostr.bg, nostr.mom and Current for reads, adds Mutiny's relay for writes, and defines a local cache relay hostname at `localcache.spring.site`. It also includes an all-relays list with `wss://relay.nostr.band/all`.

That is a product opinion. Relay defaults shape what a user sees, how fast pages load and which events are available. A Nostr browser can feel broken if relay defaults are stale or unreachable. It can feel magical if the defaults cover common content well.

The local cache idea is also worth noting. Mobile apps benefit from cached event data and local databases because relays can be slow or fragmented. But cached data creates freshness and privacy questions: what is stored locally, how it is cleared, and whether another app or device user can inspect it.

Before relying on Spring, test relay behavior with a known event and a known profile. If something does not appear, compare with another client. A missing event may be a relay coverage issue, not a signer issue.

Wallet and NWC boundaries

Spring appears in NWC ecosystem listings, and the repository contains a walletstore module and wallet-related UI. That does not make Spring a mature Lightning wallet. The walletstore code is a bridge to a Cordova plugin and contains stub wallet data in the non-native path, including example relays for Mutiny and Alby.

The browser module also defines a `getInfo` bridge for wallet information and comments that it is for NIP-47 NWC. This is a sign of wallet-connect awareness, not proof that Spring should be treated as your money app. The core public identity of the product remains Nostr browser and signer shell.

If a Nostr web app opened inside Spring requests a payment or wallet action, read the prompt as carefully as a signing prompt. Payment capability and signing capability are different powers. A browser shell that handles both must keep them visually distinct.

For now, the safest public statement is narrow: Spring is relevant to NWC because it is listed in that ecosystem and has walletstore/NWC-adjacent code paths, but the article should not frame it as an NWC wallet or Lightning backend.

Android-specific risks

Android makes Spring useful and risky in specific ways. A phone is where users actually want Nostr web apps to work, but phones also have shared clipboard history, app overlays, WebView updates, OS-level permissions, screen locks and app-store distribution concerns.

The Cordova config requests coarse and fine location permissions. A Nostr browser does not always need location, so users should check the current Android permission screen and deny anything they do not understand. A permission in a config does not prove the app abuses it, but it does widen the review checklist.

WebView boundaries matter too. If an app opened inside Spring can navigate to arbitrary sites, Spring has to decide which pages get `window.nostr`, how permissions are scoped by origin, how URLs are displayed and whether phishing pages can imitate trusted clients. The browser module tracks URL state and context menus, but users still need to watch the address.

Use the same discipline you would use with a password manager or crypto wallet. Keep Android updated, install from the official store or verified release, avoid sideloaded builds from random chats, and do not approve signing requests while distracted.

Release and maintenance signal

The GitHub release list shows a fast run of releases during late 2023: app of the day, search click history, local event database, full-screen feeds, pin folders, trust scores and finally v0.15.0 on 2023-12-28. The Play Store listing also shows an update on December 28, 2023.

That release cadence tells a story. Spring was actively iterated during the early Nostr app-discovery wave, then appears to have slowed. The repository API still shows recent metadata activity, but the code push date and release dates are old enough that users should check current issue activity and store compatibility.

This is not a reason to dismiss the app. Many Nostr tools are small-team projects and remain useful after their release pace slows. It is a reason to avoid treating Spring as a guaranteed long-term security product without checking maintenance.

For a signer/browser, maintenance matters more than for a static directory. Android WebView, Nostr standards, browser APIs and phishing patterns change. A tool that holds keys or signs events needs ongoing attention.

What Spring is good for

Spring is good for trying Nostr web apps on Android without pasting your private key into each one. It is good for understanding how a mobile NIP-07-like provider feels. It is good for app discovery and for seeing the difference between a web app asking for a public key, a signature or decryption.

It is also useful for developers who want to understand how a Nostr browser container might be built. The code shows Cordova bridge design, injected APIs, NDK usage, relay defaults, app metadata handling, permission queues and signed-event storage.

It is less appropriate for a beginner who cannot yet read signing prompts. It is not ideal for high-value keys until you have verified the app, device, signer path and maintenance status. It is not a substitute for a dedicated mobile client if all you need is a normal timeline.

The healthiest use is a low-risk identity and a handful of known apps. Learn how prompts look, learn where signed events are shown, and only then decide whether to import a more important key.

What to test before trusting it

Install only from the Play Store or a release you can verify. Confirm the package name `com.nostr.universe`, the publisher context and the current update date. If you sideload, compare the APK source with the GitHub release and understand why you are sideloading.

Create or import a test Nostr key. Open a simple Nostr web client. Watch the public-key request, sign one harmless note and inspect the signed-events view. Then try a page that asks for encryption or decryption and confirm the prompt is clear enough for you.

Check Android app permissions. Deny location unless you have a concrete reason. Clear the clipboard after copying secrets or invoices. Lock the phone. If you use nsecBunker or another remote signer path, verify which signer is active before approving events.

Finally, test portability. Open the signed event in another client. If it appears and behaves normally, Spring is doing the job of a signer/browser shell. If it only works inside one path, slow down and investigate.

What Spring is not

Spring is not a privacy browser in the Tor Browser sense. It can help separate a Nostr web app from direct private-key handling, but the opened web app, remote relays, Android WebView, IP address, app permissions and signer prompts still create observable behavior. If you need strong network anonymity, Spring is not enough by itself.

It is not a hardware wallet or a cold signer. Even if the native keystore plugin is better than pasting a key into random pages, the phone is still an internet-connected device with apps, notifications, clipboard access, screenshots and operating-system updates. A high-value identity deserves a signer setup chosen for that risk level.

It is not a guarantee that every Nostr web app is safe. Spring can mediate permissions, but it cannot make a malicious website honest. A site can request confusing events, show one thing before a prompt and ask to sign another, or use social pressure to make the user approve too quickly. The user still needs to inspect the event kind and context.

It is also not a promise that old micro-apps still work. Nostr web apps move, domains expire, relays change and app metadata becomes stale. Treat Spring's app-discovery surface as a starting point. Before using a web app with an important key, check whether that app itself is maintained and whether its domain, source and signer requests make sense.

Failure modes to expect

A Nostr browser can fail in ways that look unrelated. A page can load but never receive the `window.nostr` object. A signer prompt can appear behind another view. A relay can timeout after the event is signed. A remote signer can be offline. A `nostr:` link can open the wrong handler if Android has multiple Nostr apps installed. A clipboard copy can work while the app-level share path fails.

Encryption and decryption are especially easy to misunderstand. If a web app asks Spring to decrypt old NIP-04 messages, Spring can only do that for the active key and only for ciphertext that matches the expected peer. A user who imported the wrong key, selected the wrong nsecBunker identity or changed keys between sessions may see failures that feel like app bugs.

Payment-adjacent flows add another layer. If a web app opened inside Spring uses NWC, WebLN or zaps, Spring's own signer prompts and the wallet's payment prompts may appear in sequence. The user has to keep track of which app is asking for which power. Signing a zap request is not the same as paying the invoice. Approving a Nostr event is not the same as approving a Lightning payment.

The useful response is to test one thing at a time. Open a known page, approve only a public-key request, then sign a harmless event, then try encryption, then try a payment-related flow with a tiny amount. If any step is confusing, stop and review before stacking more permissions on top.

The practical close

Spring Browser matters because mobile Nostr needs this category. Desktop users can install a browser extension and let web apps request signatures. Android users need a safer path than pasting nsecs into every mobile web client. Spring is one of the clearest attempts to provide that path.

The app is also a reminder that signer UX is not solved by one API. `window.nostr` is useful only when origin boundaries, permission prompts, event previews, key storage, relay behavior and maintenance are handled carefully. A mobile Nostr browser is as much a security product as it is a discovery product.

Use Spring with curiosity and limits. Try it with a test key, inspect every prompt, deny unnecessary Android permissions, check current maintenance and keep high-value identities behind a signer setup you fully understand. In that lane, Spring is a useful bridge between Nostr's web-app world and the phone in your hand.

Sources worth opening

Open the Play Store listing, the Spring site, the nostrband/nostr-universe repository, README, Android config, browser injection code, keystore, signer hook, permission modal, No Bullshit Bitcoin release notes, NIP-07, NIP-04, NIP-46 and the NWC ecosystem listing before deciding how much trust to give the app.

• Spring official site
• Spring on Google Play
• nostrband/nostr-universe repository
• nostr-universe README
• nostr-universe GitHub API metadata
• Spring v0.15.0 release
• Spring releases list
• Spring Android Cordova config
• Spring app package metadata
• Spring browser module
• Spring keystore module
• Spring signer hook
• Spring walletstore module
• Spring relay defaults
• Spring permission request modal
• Spring permission request reducer
• Spring v0.1.0 release note
• Spring v0.3.0 nsecBunker release note
• Stacker News Spring browser discussion
• getAlby awesome-nwc listing
• getAlby awesome-nwc raw README
• Nostr Wallet Connect official site
• NIP-47 Nostr Wallet Connect
• NIP-07 window.nostr capability
• NIP-04 encrypted direct messages
• NIP-46 Nostr remote signing
• NIP-21 nostr URI scheme
• Awesome Nostr Android listing
• NostrApps directory
• Nostr.Band GitHub organization