Bitcoin Forum

Other => Beginners & Help => Topic started by: soliton on November 06, 2020, 07:40:10 PM



Title: Is Bitcoin wallet in your pocket safe?
Post by: soliton on November 06, 2020, 07:40:10 PM
I've been longing to learn how secure the Bitcoin wallet in my pocket is, and recently I stumbled upon a site that gives some idea of it. WalletScrutiny (https://walletscrutiny.com/) separates almost all available Android-specific wallets into four categories: “Reproducible”, which lists 6 names, “Not Reproducible” with 24 wallets, “No Source” with 38 wallets, and “Custodial” comprising 60 names. As I take it, “reproducible” means that the code shared by developers matches the published app; "no source" speaks for itself.




My favorite wallet for Bitcoin is Electrum. That said, without thinking twice I checked it with scrutiny and got this: (https://walletscrutiny.com/android/org.electrum.electrum/)




Surprisingly for me, it is not reproducible. The verdict set the record straight: (https://walletscrutiny.com/android/org.electrum.electrum/)





Did you check the wallet you use for Bitcoin? Tell us why you installed and use it.

Please don't dwell exceptionally on Electrum, that is just an example.





Title: Re: Is your Bitcoin wallet safe?
Post by: khaled0111 on November 06, 2020, 09:09:46 PM
Not reproducible from source provided means that every time you compile the app's source code you get a different binary file.
Electrum app is not reproducible from source, indeed. This information was already mentioned on their github repo:
Quote
✗ This script does not produce reproducible output (yet!). Please help us remedy this.
https://github.com/spesmilo/electrum/blob/dependabot/pip/contrib/deterministic-build/cryptography-3.2/contrib/android/Readme.md

The Readme file describes how to build the .apk file by yourself (debug mode) if you don't trust / want-to-download the one shared on their website :)


Title: Re: Is your Bitcoin wallet safe?
Post by: nc50lc on November 07, 2020, 04:18:29 AM
Aside from the post above, there's another inconsistency on that site:

It was published on 2019 Dec 11:
Quote from: walletscrutiny.com
Published: December 11, 2019
But it said that the latest version is v4.0.4.0:
Quote from: walletscrutiny.com
a 3.3 stars rating from 1870 users and the latest release is version 4.0.4.0.
FYI, electrum v4.0.4 (not v4.0.4.0) was only released on 2020-October-15.

I wouldn't trust that page if I were you since they can't differentiate fake electrum and the original.
Update: I have read the whole article and it looks like the version written in the page was updated somehow but other links like readme.md aren't.
The date and version are still misleading.


Title: Re: Is your Bitcoin wallet safe?
Post by: tranthidung on November 07, 2020, 04:24:18 AM
I doubt the reviews on that site. The Cryptowisser.com has its informative review page for wallets. Go ahead and check their reviews at:

  • https://www.cryptowisser.com/wallets/.
  • For Electrum only: https://www.cryptowisser.com/wallet/electrum-wallet/


Title: Re: Is your Bitcoin wallet safe?
Post by: pakhitheboss on November 07, 2020, 06:35:32 AM
There is a lot of information available in this forum about good Bitcoin wallets. Why do you need to go to another website?

I have been using Mycelium wallet for a long time now as my priority was to have a mobile based wallet and I have not faced any issue with it to date.

I have used Electrum desktop but for altcoins and not for Bitcoin.


Title: Re: Is your Bitcoin wallet safe?
Post by: soliton on November 07, 2020, 07:01:26 AM
The point of this topic is to share one more source with 100+ wallets where everyone can check his own one, rather than to provide info on Electrum alone. :(
Please don’t dwell on one thing. Share info on your wallets obtained from the site.

I doubt the reviews on that site. The Cryptowisser.com has its informative review page for wallets. Go ahead and check their reviews at:

  • https://www.cryptowisser.com/wallets/.
  • For Electrum only: https://www.cryptowisser.com/wallet/electrum-wallet/

Thanks, but there is no valuable info behind those "\/" and "X" on that site you suggested.

Not reproducible from source provided means that every time you compile the app's source code you get a different binary file.


Thanks for your interpretation.


FYI, electrum v4.0.4 (not v4.0.4.0) was only released on 2020-October-15.


Has something changed with 4.0.4 with respect to what the verdict has said?

There is a lot of information available in this forum about good Bitcoin wallets. Why do you need to go to another website?

WalletScrutiny provides info that is not available in this forum ;)


Title: Re: Is your Bitcoin wallet safe?
Post by: pooya87 on November 07, 2020, 07:09:46 AM
Not reproducible from source provided means that every time you compile the app's source code you get a different binary file.
Electrum app is not reproducible from source, indeed. This information was already mentioned on their github repo:
That is only about the Android version of the wallet, not the desktop wallet. Electrum wallet IS reproducible for desktop, which is the important thing because for storage and security purposes you want to use desktop versions, not a mobile wallet. There are certain obstacles in the Android version that are causing issues.


Title: Re: Is your Bitcoin wallet safe?
Post by: soliton on November 07, 2020, 07:15:08 AM
Not reproducible from source provided means that every time you compile the app's source code you get a different binary file.
Electrum app is not reproducible from source, indeed. This information was already mentioned on their github repo:
That is only about the Android version of the wallet, not the desktop wallet. Electrum wallet IS reproducible for desktop, which is the important thing because for storage and security purposes you want to use desktop versions, not a mobile wallet. There are certain obstacles in the Android version that are causing issues.

Yeah, WalletScrutiny doesn't mention the desktop version of Electrum. Younger generation prefer mobile computers in their pockets rather than desktops or laptops.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: nc50lc on November 07, 2020, 09:02:02 AM
FYI, electrum v4.0.4 (not v4.0.4.0) was only released on 2020-October-15.
Has something changed with 4.0.4 with respect to what the verdict has said?
The verdict is fine since there's no way to produce a reproducible build for the android version (latest post of the issue (https://github.com/spesmilo/electrum/issues/5839#issuecomment-605540958)).

They also got a point when they mentioned that the google play version is different from the development build that they successfully compiled
since Electrum Devs are working on the "master branch" rather than a development branch, the source at that point has a few/lot of commits ahead from the google play version.

Okay, this is the last of Electrum-specific discussion for me here.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: nakamura12 on November 07, 2020, 08:21:10 PM
If you are not sure about your wallet, then why not use the legit wallets like Electrum, which is not reproducible from the source. I haven't used other wallets except Electrum, imToken and Trust Wallet when I want to store bitcoin or eth. Anyway, my bitcoin in my pocket is safe and even if it is custodial and also local in my country.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: hatshepsut93 on November 08, 2020, 12:09:54 PM
I still prefer Electrum's mobile version rather than any other alternative, because I'm very satisfied with their desktop wallet, so I trust that there's nothing shady going on. Plus, I don't have any coins in my mobile wallet, I use it only in watch mode to occasionally check my cold wallet and to broadcast transactions. In general, it's recommended to only store small amounts in mobile wallets, because the platform itself is less secure than good open-source OS', and plus it's nearly always online.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: joniboini on November 08, 2020, 12:19:17 PM
Younger generation prefer mobile computers in their pockets rather than desktops or laptops.
Is there any data to support this statement? I think I can be considered as one of those young generations and I don't really prefer a mobile wallet. IMO anyone who understands the risk wouldn't use a mobile wallet as their main wallet unless there's something else going on.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: NeuroticFish on November 08, 2020, 01:57:45 PM
Android specific wallets

Interesting list at first glance, but on a second thought, ... hmmm.
I mean that I would not keep more than 100$ worth of funds on any Android wallet, no matter how legit it is and how reproducible the build is; Android security is .. weak.

OK, a legit and maybe reproducible Android wallet is necessary, but not enough (imho).
If one uses Android a lot for Bitcoin transfers, I'd say that a proper hardware wallet is a must. I think that this is actually one important use case for hardware wallets (and not holding, as many use them for).


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: soliton on November 08, 2020, 03:40:10 PM
Younger generation prefer mobile computers in their pockets rather than desktops or laptops.
Is there any data to support this statement? I think I can be considered as one of those young generations and I don't really prefer a mobile wallet. IMO anyone who understands the risk wouldn't use a mobile wallet as their main wallet unless there's something else going on.

My 25-30 yrs surrounding proves this. However, if you need data in the form of statistics, then DYOR; the web is infested with relevant surveys. Forget about risk, buy HW and use your Android app connected with it.

Android specific wallets

Interesting list at first glance, but on a second thought, ... hmmm.
I mean that I would not keep more than 100$ worth of funds on any Android wallet, no matter how legit it is and how reproducible the build is; Android security is .. weak.

OK, a legit and maybe reproducible Android wallet is necessary, but not enough (imho).
If one uses Android a lot for Bitcoin transfers, I'd say that a proper hardware wallet is a must. I think that this is actually one important use case for hardware wallets (and not holding, as many use them for).

Never fear,  we, youngsters, are aware of  hardware wallets that can be connected to Android mobiles. ;)


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: sheenshane on November 08, 2020, 04:40:56 PM
I agree that Android wallets are the easiest way of storing your Bitcoin or other crypto assets. But I will never consider this as storing a huge fund, hardware wallets are still the best for the large transfer and for the long time holding of your assets. There are too many circumstances that may happen while holding a large amount of a crypto asset in your Android wallet: it might be easy to compromise, or your device might go missing while in your pocket, and it is easy to access your private key.

Younger generation prefer mobile computers in their pockets rather than desktops or laptops.
But still, that isn't advisable. For Electrum, the desktop app version is better than the Android app. They should know and understand the risk that I mentioned above. A small amount can be considerable while in the Android wallet, but if that is thousands of dollars' worth, a hardware wallet is a must.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: bob123 on November 08, 2020, 04:51:53 PM
Android security is .. weak.

That's a bold statement.

One could argue that android is by far more secure than a windows computer.

Android uses the linux kernel and user roles as a security concept where the end-user doesn't have root privileges.
On windows, the user (and the malware he installs) can do anything.


I'd always choose an updated android device over an updated windows computer.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: soliton on November 08, 2020, 05:04:57 PM
, hardware wallets are still the best for the large transfer and for the long time holding of your assets.

Thanks, but we, youngsters, are aware that hardware wallets transfer nothing, they need a software app connected to do this. They also hold nothing except priv keys. ;)


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: pixie85 on November 08, 2020, 05:24:32 PM
, hardware wallets are still the best for the large transfer and for the long time holding of your assets.

Thanks, but we, youngsters, are aware that hardware wallets transfer nothing, they need a software app connected to do this. They also hold nothing except priv keys. ;)

Do you need anything but your private key to access your money?

As for the app, they keep your private key safe even in case something wrong happens with the app and you're unable to use it. You can use your backup words to access the wallet even when hardware or software becomes inaccessible.

I've been using Electrum for many years and never had a problem with updates or downloads. You just have to be careful and verify files each time.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: joniboini on November 08, 2020, 05:44:28 PM
Forget about risk, buy HW  and use your Android app connected with it.
So you will carry around your HW everywhere? I don't think that's a good idea. Well, maybe a card HW like Keycard could be used but I personally won't count it as my main wallet. I mean, what's the point of buying a HW if you bring it every time you go? Might as well set-up your mobile wallet as a hot wallet and leave the HW on your home for cold-storage.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: soliton on November 08, 2020, 06:44:41 PM
, hardware wallets are still the best for the large transfer and for the long time holding of your assets.

Thanks, but we, youngsters, are aware that hardware wallets transfer nothing, they need a software app connected to do this. They also hold nothing except priv keys. ;)

Do you need anything but your private key to access your money?

As for the app, they keep your private key safe even in case something wrong happens with the app and you're unable to use it. You can use your backup words to access the wallet even when hardware or software becomes inaccessible.

I've been using Electrum for many years and never had a problem with updates or downloads. You just have to be careful and verify files each time.

Definitely yes, a priv key alone can't parse the blockchain and build a transaction when needed; it needs to be accompanied by either your brain or a software app which would do all the math.

Forget about risk, buy HW  and use your Android app connected with it.
So you will carry around your HW everywhere? I don't think that's a good idea. Well, maybe a card HW like Keycard could be used but I personally won't count it as my main wallet. I mean, what's the point of buying a HW if you bring it every time you go? Might as well set-up your mobile wallet as a hot wallet and leave the HW on your home for cold-storage.

Different options with mobile and HW can be considered and everyone chooses the one that suits better. ;)



Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: ShowOff on November 08, 2020, 07:16:55 PM
Might as well set-up your mobile wallet as a hot wallet and leave the HW on your home for cold-storage.
I agree with this. While it's not prohibited to carry hardware in a pocket, I prefer to leave it at home safely and use a mobile wallet instead. Carrying it in a pocket might be riskier if something happens that could damage the HW itself, like an accident or something. But people have the right to decide what they want to do, they are responsible for the asset and wallet they own.


Title: Re: Is your Bitcoin wallet safe?
Post by: Pmalek on November 08, 2020, 10:05:46 PM
Younger generation prefer mobile computers in their pockets rather than desktops or laptops.
You should aim for more secure solutions, not those that are easier and more user friendly or what the younger generation prefers.

Anyway, my bitcoin in my pocket is safe and even if it is custodial and also local in my country.
Safe and custodial seldom go within the same sentence. You believe it is safe, but it is only as safe as the people you entrusted to protect it. You have given your Bitcoins to another party and if they decide that you can have it back, they will return it.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: NeuroticFish on November 09, 2020, 06:14:13 AM
Never fear,  we, youngsters, are aware of  hardware wallets that can be connected to Android mobiles. ;)

Perfect! I still find it useful to say this whenever possible because many (especially youngsters, I think) may not use hardware wallets "because they're expensive" (and they actually are not).
And there was (is) no mention of the topic that on Android the use of HW is necessary (maybe it's not a bad idea to add it even now).



Android security is .. weak.

That's a bold statement.

One could argue that android is by far more secure than a windows computer.

Android uses the linux kernel and user roles as a security concept where the end-user doesn't have root privileges.
On windows, the user (and the malware he installs) can do anything.


I'd always choose an updated android device over an updated windows computer.

The comparison with Windows is accurate. However the statistics tell that overall you are wrong. You inserted an interesting keyword: "updated android". Well, this is the part with problems.
Most Android phones in use are outdated. Many of them badly.
Yes, the youngsters "get newest phones" ... in theory (not always happens either). I can't argue they may change them more often than I do. However, most don't change the phone every 8-12 months. And most manufacturers don't care to make updates to the older phones. Before 8-12 months one can say his Android is up to date. After that period he may be pretty much wrong. (I may not be very accurate on the time period, however I should not be too far either, and I think that I was clear.).


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: soliton on November 09, 2020, 11:36:22 AM
Might as well set-up your mobile wallet as a hot wallet and leave the HW on your home for cold-storage.
I agree with this. While it's not prohibited to carry hardware in a pocket, I prefer to leave it at home safely and use a mobile wallet instead. Carrying it in a pocket might be riskier if something happens that could damage the HW itself, like an accident or something. But people have the right to decide what they want to do, they are responsible for the asset and wallet they own.
Many people suggest that your hardware wallet should be hidden in your home and not carry it outdoors. I also suggest trying to keep it in safe or secret storage to avoid getting robbed and misplace it because when we used a hardware wallet, we store huge funds. Using a mobile wallet as a hot wallet is the only wallet that should only be used to carry outdoors because we mostly bring our mobile phones whenever we are going.


Stop spamming with the same kind of messages saying what has already been said. The topic was not created for this.

P.S. Kong Hey Pakboy's message was deleted due to the spam

https://i.postimg.cc/cJ86jSbS/6789d.jpg



Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: AakZaki on November 09, 2020, 03:42:58 PM
That's a bold statement.

One could argue that android is by far more secure than a windows computer.

Android uses the linux kernel and user roles as a security concept where the end-user doesn't have root privileges.
On windows, the user (and the malware he installs) can do anything.

I'd always choose an updated android device over an updated windows computer.
Windows is the most vulnerable device when it is attacked by malware. Even when the antivirus used is not up to date it will be very dangerous. On average, users who lose their private keys and wallet passwords are Windows users who don't really care about security on their Windows. All kinds of sites are visited and eventually they end up on sites that contain lots of malware.

The bitcoin wallet on Android is also important to pay attention to its security by always filtering every application that will be installed and not giving full access rights to the installation of applications with unknown sources or other than Playstore.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: xenon131 on November 10, 2020, 09:12:21 AM
Try to keep no more than 100 bucks on it.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: bob123 on November 11, 2020, 05:15:51 PM
I mean, what's the point of buying a HW if you bring it every time you go? Might as well set-up your mobile wallet as a hot wallet and leave the HW on your home for cold-storage.

The point would be that a hardware wallet is more secure than your always-online mobile.
Whether you carry it with you or not doesn't matter if you look at the attack surface with network access (e.g. via the internet). Your mobile might be vulnerable to some specific attacks, your HW wallet shouldn't.

However, I agree with you that carrying a hardware wallet containing all of your balance with you (i.e. more than you would carry with you in cash) is kind of bad practice and shouldn't be done (e.g. because of the wrench attack).


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: soliton on November 13, 2020, 12:15:17 PM
There are a lot of experts/advisors on different off-topics here but not many who use Android wallets. I’d still like to listen to exactly those users for whom these wallets became an integral part of their Bitcoin use.

P.S. The 2nd spamming post was deleted.


Title: Re: Is your Bitcoin wallet safe?
Post by: giszmo on March 02, 2021, 03:58:16 AM
Hi. Creator of WalletScrutiny here. Just found this thread and thought to comment on some doubts:

Not reproducible from source provided means that every time you compile the app's source code you get a different binary file.

No, not exactly. That would be "builds are not deterministic". WalletScrutiny is about the reproducibility of the binary provided by Google Play in this case. In many cases the build is perfectly deterministic but yields something other than what's on Google Play, and in many cases the build fails completely. Both those cases are "not reproducible", too. The distinction is not really worth its own categories, as only reproducibility of the binary in question gives an assurance of the binary being compiled from the source provided.

Electrum app is not reproducible from source, indeed. This information was already mentioned on their github repo:
Quote
✗ This script does not produce reproducible output (yet!). Please help us remedy this.

... which doesn't change the problem of not even the team being able to check on their release manager. Do you think the release manager would refuse to release an evil update with a gun to his head? Or he might catch a backdoor? Or he might "catch a backdoor"? How much money is under that wallet's control?

I wouldn't trust that page if I were you since they can't differentiate fake electrum and the original.
Update: I have read the whole article and it looks like the version written in the page was updated somehow but other links like readme.md aren't.
The date and version are still misleading.

Feel free to make a pull request to our public git repository (https://gitlab.com/walletscrutiny/walletScrutinyCom). Working mostly alone on this, covering more than 200 apps, keeping it up to date with every new release of a reproducible wallet is kind of a challenge.

I doubt the reviews on that site. The Cryptowisser.com has its informative review page for wallets. Go ahead and check their reviews at:

82 wallets, many of which don't even support Bitcoin, and none of the reviews goes much to explain how the result came to be. WalletScrutiny is about reproducibility and the provider's potential to pull an exit scam or actually lose all the funds of all the users at once.

There is a lot of information available in this forum about good Bitcoin wallets. Why do you need to go to another website?

I have been using Mycelium wallet for a long time now as my priority was to have a mobile based wallet and I have not faced any issue with it to date.

I'm incidentally also the release manager of Mycelium, so thank you for your trust. WalletScrutiny is my side project.

Please consider the incentives for long cons! Just because the wallet of your choice had no issues so far doesn't mean it will not lose yours and all the other users' funds in an instant at some point.

...
for storage and security purposes you want to use desktop versions not a mobile wallet.

Sadly, the very non-free systems Android and iPhone are actually quite secure by not giving the user root access and by sand-boxing apps. Android and iPhone were designed from the start to run hundreds of adversarial apps on the same system. A random Windows user should not use his desktop for Bitcoin but rather a modern mobile phone or better a hardware wallet.

Android specific wallets

Interesting list at first glance, but on a second thought, ... hmmm.
I mean that I would not keep more than 100$ worth of funds on any Android wallet, no matter how legit it is and how reproducible the build is; Android security is .. weak.

Weak compared to what exactly? Android has an excellent track record of keeping apps in their respective sandboxes. As the release manager of an Android Bitcoin wallet I am biased but also quite knowledgeable about the security aspects I would think. If you don't root your phone or at least don't grant root access to the wrong apps, your coins are certainly safer in an Android wallet than on your average Windows machine.

OK, a legit and maybe reproducible Android wallet is necessary, but not enough (imho).

I agree. To quote from our methodology page (https://walletscrutiny.com/methodology/):

Quote
The classification “reproducible” unfortunately means very little. It means that at the random point in time that we decided to verify the code to match the app, the code actually did match the app. It does not mean that the next update will or that the prior one did and it does not mean that the reproducible code is not doing evil things.

In fact, we believe the most likely scenario for an exit scam is that the wallet would bait-and-switch. It would see to how many users it could grow the app or even buy out a successful wallet in financial trouble to then introduce a code to leak the backups.

The evil code would not be present until the app is losing users (or funds under management) for whatever other reason.

Any stamp of approval, any past security audit or build verification would be obsolete. Therefore we don’t see our mission as fulfilled when all wallets are reproducible. There is...

If one uses Android a lot for Bitcoin transfers, I'd say that a proper hardware wallet is a must. I think that this is actually one important use case for hardware wallets (and not holding, as many use them for).

HW wallets are a bit of a pain on the go but feasible. I'd still consider HW wallets primarily for hodling.
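
The three outcomes described in the post above (a rebuild that matches the published binary, a deterministic build that yields something else, and a non-deterministic or failed build), as an added example that is not part of the thread and not WalletScrutiny's own tooling. The function names, the choice to ignore signing files under META-INF/ and the in-memory sample "APKs" are assumptions of this sketch.

```python
import hashlib
import io
import re
import zipfile

# Assumption of this example: signing material under META-INF/ is set aside,
# because nobody but the key holder can recreate it. The APK Signing Block
# (v2/v3 signatures) sits outside the zip entries and is not examined here.
SIGNATURE_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def content_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed data."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNATURE_ENTRY.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def diff_entries(left, right):
    """Names of entries that are missing on one side or differ in content."""
    a, b = content_digests(left), content_digests(right)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def classify(published, build_1, build_2):
    """Compare the published binary with two independent builds of the same source.

    A build that failed is passed as None. Returns (verdict, differing entries).
    """
    if build_1 is None or build_2 is None:
        return "not reproducible: build failed", []
    diff = diff_entries(published, build_1)
    if not diff:
        return "reproducible", []
    if diff_entries(build_1, build_2):
        return "not reproducible: build is not deterministic", diff
    return "not reproducible: deterministic build differs from published binary", diff


def make_apk(entries):
    """Constructed sample input: an in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        for name, data in entries.items():
            apk.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real wallet binaries).
SIGNING = {
    "META-INF/MANIFEST.MF": b"constructed manifest",
    "META-INF/CERT.SF": b"constructed signature file",
    "META-INF/CERT.RSA": b"constructed signature block",
}
PUBLISHED = make_apk({"classes.dex": b"wallet code v1", "resources.arsc": b"strings", **SIGNING})
MATCHING = make_apk({"classes.dex": b"wallet code v1", "resources.arsc": b"strings"})
DIFFERENT = make_apk({"classes.dex": b"wallet code v1 + extra", "resources.arsc": b"strings"})
STAMPED_1 = make_apk({"classes.dex": b"wallet code v1", "resources.arsc": b"built 10:00"})
STAMPED_2 = make_apk({"classes.dex": b"wallet code v1", "resources.arsc": b"built 10:05"})

if __name__ == "__main__":
    for label, first, second in [
        ("matching rebuild", MATCHING, MATCHING),
        ("different code", DIFFERENT, DIFFERENT),
        ("embedded build time", STAMPED_1, STAMPED_2),
        ("build failed", None, None),
    ]:
        print(label, "->", classify(PUBLISHED, first, second))
```

Only the first verdict says anything about the binary users actually install; the other three all leave the published file unverified, which is why the post treats them as one category.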


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: pooya87 on March 02, 2021, 04:33:14 AM
...
for storage and security purposes you want to use desktop versions not a mobile wallet.

Sadly, the very non-free systems Android and iPhone are actually quite secure by not giving the user root access and by sand-boxing apps. Android and iPhone were designed from the start to run hundreds of adversarial apps on the same system. A random Windows user should not use his desktop for Bitcoin but rather a modern mobile phone or better a hardware wallet.
Keep in mind that security is not just about the OS but about the fact that you don't carry around your (desktop) PC in your pocket but you do carry around your phone. Storing and carrying a large amount of money in your pocket is never safe. It can be damaged or stolen from you very easily.
Not to mention that it is nearly impossible to cut off your phone from connecting to the outside world. There are just too many ways it could make a connection (by design) while you can easily cut off your PC from the outside world.

And of course when I say "desktop" I don't mean the backdoored Windows OS.


Title: Re: Is Bitcoin wallet in your pocket safe?
Post by: Oshosondy on March 02, 2021, 05:26:07 PM
I agree with this. While it's not prohibited to carry hardware in a pocket, I prefer to leave it at home safely and use a mobile wallet instead. Carrying it in a pocket might be riskier if something happens that could damage the HW itself, like an accident or something. But people have the right to decide what they want to do, they are responsible for the asset and wallet they own.
One of the reasons a hard wallet is said to be risky is because people carry it all about; there are many cases where mobile phone owners lost their phones. The practice with hardware wallets, because they are portable, is not ideal and can lead to the hardware wallet being stolen or lost. Like you said, it is best to just leave it at home, in a place also very safe and not reachable by anyone like intruders.

Thanks, but we, youngsters, are aware that hardware wallets transfer nothing, they need a software app connected to do this. They also hold nothing except priv keys. ;)
Not only the private key, it stores everything a normal wallet has to store, including public keys and addresses.