Bitcoin Forum

Bitcoin => Project Development => Topic started by: giszmo on December 14, 2019, 03:19:08 AM



Title: New project to scrutinize Bitcoin wallets: walletscrutiny.com
Post by: giszmo on December 14, 2019, 03:19:08 AM
We've been working on walletscrutiny.com (https://walletscrutiny.com/) for about two months now as a side project and hope to see many wallets that are currently "only" open source to care more about verification and make it into the "verifiable" category but the resonance in the community so far was underwhelming. How can we get users to care about the integrity of the wallets they are using?

With the community's support, this project could turn into a permanent thing, with new wallet versions automatically being checked as they are being published and we certainly would also expand to other platforms and more attributes.

Currently, being verifiable unfortunately doesn't mean that anybody would verify any code and we also have ideas how to fix that, starting with bug bounties, so security researchers actually care.

Any feedback welcome!


Title: Re: New project to scrutinize Bitcoin wallets: walletscrutiny.com
Post by: Patatas on December 14, 2019, 01:46:12 PM
This is a very good service indeed! Really loved the way you guys have analyzed wallets and detailed the errors while running it locally. I was surprised to see Blockchain.com's wallet doesn't match with their source code. Do you have an automated process of doing this, or does it have to be done manually?


Title: Re: New project to scrutinize Bitcoin wallets: walletscrutiny.com
Post by: Patatas on December 14, 2019, 02:35:41 PM
That's not the definition of "Not verifiable!", it means they can't verify/compare the blockchain.com application with its source code.

Generally, only open source projects with deterministic build support can be verified.
That's what I meant? Quoting the article,

Quote
Not verifiable: The provided Open Source Code could not be verified to match the app released on Google Play

Meaning, when OP's team tried to compile the wallet from the source provided by Blockchain.info, the compiled version didn't match the production version which was released on Google-Play. So they assumed it's Not verifiable?


Title: Re: New project to scrutinize Bitcoin wallets: walletscrutiny.com
Post by: DaveF on December 14, 2019, 05:20:28 PM
There is another discussion about his site here: https://bitcointalk.org/index.php?topic=5209504 (https://bitcointalk.org/index.php?topic=5209504)

Except for my 1 post there and this post I am going to stay out of it since he is a Mycelium developer and my current view of the app has greatly degraded. Because of the issues costing people a lot of time & effort to get their BTC, I don't think I am going to be able to provide a fair view and ranting is not going to help anything.

-Dave


Title: Re: New project to scrutinize Bitcoin wallets: walletscrutiny.com
Post by: bitmover on December 14, 2019, 07:34:55 PM
Quote
Any feedback welcome!


Congrats on your initiative!!

Let me ask you a question. I thought Samourai Wallet was open source. Why couldn't you verify that the published code matches the app? Don't they have a GitLab, GitHub or something?


Title: Re: New project to scrutinize Bitcoin wallets: walletscrutiny.com
Post by: giszmo on December 15, 2019, 12:40:27 AM
Quote
This is a very good service indeed! Really loved the way you guys have analyzed wallets and detailed the errors while running it locally. I was surprised to see Blockchain.com's wallet doesn't match with their source code. Do you have an automated process of doing this, or does it have to be done manually?
So far it has to be done all manually. There are some different ways of building the apps and I will automate stuff once I see people care.

Quote
This is an amazing idea. Most people who prefer open-source software actually don't bother or could verify it by themselves.

The "could" part doesn't matter if others can and do and the built apk is verifiable. That's the point of this project.

Quote
Meaning, when OP's team tried to compile the wallet from the source provided by Blockchain.info, the compiled version didn't match the production version which was released on Google-Play. So they assumed it's Not verifiable?
Right. You can read the detailed analysis (https://walletscrutiny.com/posts/2019/11/blockchainwallet/). We ran into a known issue from their issue tracker.

Quote
But verifying/auditing an application and its source code is a complex task, so I might be wrong.
We don't verify/audit applications and their source codes. We test if it could theoretically be done. We test verifiability. We do not verify.

Quote
Let me ask you a question. I thought Samourai Wallet was open source. Why couldn't you verify that the published code matches the app? Don't they have a GitLab, GitHub or something?
Please read our detailed analysis (https://walletscrutiny.com/posts/2019/11/samourai/). While we hope that many of the open source wallets come forward and fix their sloppy documentation or release code quicker or otherwise make it verifiable, we also assume that not all will do this. Let's see.

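The check the thread keeps circling back to is "build the app from the published source and see whether the result matches what Google Play ships". The following is an added example of that comparison, not code from walletscrutiny.com: it treats both APKs as the zip archives they are, hashes every entry's uncompressed content, and reports which entries are missing or differ. Entries under META-INF/ are listed separately rather than counted as mismatches, on the assumption (mine, not the project's) that those are the store's signature files, which a rebuild without the publisher's signing key can never reproduce. The two APKs below are constructed in memory so the script runs offline; the package name and file contents are placeholders.

```python
"""Compare a self-built APK with the one shipped on an app store, entry by entry.

Added example, not code from walletscrutiny.com. Hashing the uncompressed
content of each zip entry, rather than the archives as wholes, turns a bare
"does not match" into a list of exactly which files differ.
"""
import hashlib
import io
import zipfile

# Assumed convention: the store's signing artefacts live under this prefix and
# are expected to differ from (or be absent in) any independent rebuild.
SIGNATURE_PREFIX = "META-INF/"


def entry_digests(apk_bytes):
    """Map each file entry name in the archive to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, rebuilt_apk):
    """Return which entries exist on only one side, differ, or were ignored as signatures."""
    store = entry_digests(store_apk)
    rebuilt = entry_digests(rebuilt_apk)
    report = {"only_in_store": [], "only_in_rebuild": [], "differing": [], "ignored": []}
    for name in sorted(set(store) | set(rebuilt)):
        if name.startswith(SIGNATURE_PREFIX):
            report["ignored"].append(name)
        elif name not in rebuilt:
            report["only_in_store"].append(name)
        elif name not in store:
            report["only_in_rebuild"].append(name)
        elif store[name] != rebuilt[name]:
            report["differing"].append(name)
    return report


def verdict(report):
    """'verifiable' when nothing outside the signature files differs, else 'nonverifiable'."""
    if report["only_in_store"] or report["only_in_rebuild"] or report["differing"]:
        return "nonverifiable"
    return "verifiable"


def make_apk(entries):
    """Build an in-memory zip from {name: bytes}; stands in for a real APK here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample pair: the rebuild reproduces everything except one
# resource file, and naturally lacks the store's certificate block.
STORE_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.wallet'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "res/values/strings.xml": b"<resources><string name='app'>Wallet</string></resources>",
    "META-INF/CERT.RSA": b"store signature (placeholder)",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})
REBUILT_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.wallet'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "res/values/strings.xml": b"<resources><string name='app'>Wallet (dev)</string></resources>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})


def sample_report():
    """Run the comparison on the constructed pair above."""
    return compare_apks(STORE_APK, REBUILT_APK)


if __name__ == "__main__":
    rep = sample_report()
    for category, names in rep.items():
        for name in names:
            print(f"{category:16} {name}")
    print("verdict:", verdict(rep))
```

Because only entry contents are hashed, differences in zip metadata such as timestamps or compression level do not count against the build, which is the right granularity for a "does the code match" question; a differing classes.dex or resource, as in the sample, does count, and its name is what a wallet developer needs in order to fix their build.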


Title: Re: New project to scrutinize Bitcoin wallets: walletscrutiny.com
Post by: hugeblack on December 15, 2019, 01:58:38 PM
The idea of the project is excellent, you need some adjustments to the interface, but as a whole, the idea is very beautiful.

 - I don't know what the arrangement algorithm is, but I think there should be options for searching so that I can search for some features like Lightning Network, control over fees and others.
 - You can ask questions to choose the best wallet based on the answers, it is like ----> https://bitcoin.org/en/choose-your-wallet
 - One of the verified applications "Blockstream Green Wallet": I think that this wallet gives you a multi-signature address only so that the user can choose either a 2of2 or 2of3 signatures (that the company has control of one of the signatures.) It is especially bad with hardforks so I hope you reassess them.
 - You can add infinito & magnum wallets.
 - You can add Coinstarts price tracker.


Title: Re: New project to scrutinize Bitcoin wallets: walletscrutiny.com
Post by: giszmo on December 16, 2019, 01:46:45 AM
Quote
The idea of the project is excellent, you need some adjustments to the interface, but as a whole, the idea is very beautiful.

Thanks! The left side menu being on top on mobile is certainly not ok given almost all users were mobile so far :D

Quote
- I don't know what the arrangement algorithm is, but I think there should be options for searching so that I can search for some features like Lightning Network, control over fees and others.

Once we diverge into many more apps, we will need filters but at this stage it's not necessary yet.

I wouldn't want the user to filter out the good wallets just because he filtered for pink ones and there are only shitty pink ones. Once more wallets fix their verifiability, we might add more filters but I tend to rather raise the bar and push for actual code reviews so the next criteria to get on the top will be a bug bounty program.

Quote
- You can ask questions to choose the best wallet based on the answers, it is like ----> https://bitcoin.org/en/choose-your-wallet

Bitcoin.org is multi-platform. It makes sense to filter by platform, which we do: Android. Else, it's very brief and lacks accountability. Our project explains in much more detail our findings.

Quote
- One of the verified applications "Blockstream Green Wallet": I think that this wallet gives you a multi-signature address only so that the user can choose either a 2of2 or 2of3 signatures (that the company has control of one of the signatures.) It is especially bad with hardforks so I hope you reassess them.

We do not look at features yet and will probably only favourably consider hardware wallet and multisig support later.

Their design makes a lot of sense and I don't see an issue with hardforks there, either. Sure, their company server will not create altcoin transactions but as you are in full control anyways, you can still work around this.

Quote
- You can add infinito & magnum wallets.

Have Playstore links for those? Ideally give me a block like this one:

Code:
---
title: "Coinomi Wallet :: Bitcoin Ethereum Altcoins Tokens"

wallet: true
users: 1000000
appId: com.coinomi.wallet
launchDate: 2014-11-01
latestUpdate: 2019-11-12
apkVersionName: 1.17.1
stars: 4.6
commentCount: 20727 # actually this is the rating count
permissions:
website: https://www.coinomi.com/
repository:
icon: "images/wallet_icons/coinomi.png"
bugbounty:
verdict: nosource # May be any of: wip, nowallet, custodial, nosource, nonverifiable, verifiable, bounty, cert1, cert2, cert3

date: 2019-11-14
permalink: /posts/2019/11/coinomi/
redirect_from:
  - /coinomi/
tags:
  - Android
  - Security
---


Quote
- You can add Coinstarts price tracker.

If it's not holding coins, it's not of interest for security audits.
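The block giszmo asks contributors to supply is YAML front matter with a fixed set of keys and a comment listing the allowed verdicts. As an added example (not code from walletscrutiny.com), the script below parses the flat `key: value` plus `  - item` subset that block uses, without depending on a YAML library, and then checks the entry: required keys present, verdict one of the listed values. The two further consistency rules in check_entry(), that a verdict claiming the source was examined needs a repository and that "bounty" needs a bugbounty link, are assumptions made here for illustration, not rules the project states. The sample entry is the Coinomi block quoted above.

```python
"""Parse and sanity-check one wallet entry in the front-matter format quoted above.

Added example, not code from walletscrutiny.com. Keys and the allowed-verdict
list come from the Coinomi block in the post; the rules in check_entry() beyond
"verdict is one of the allowed values" are assumptions for illustration.
"""
ALLOWED_VERDICTS = {"wip", "nowallet", "custodial", "nosource", "nonverifiable",
                    "verifiable", "bounty", "cert1", "cert2", "cert3"}
REQUIRED_KEYS = ("title", "appId", "verdict", "date", "permalink")
# Assumption: these verdicts all claim the source was examined, so a repository is needed.
SOURCE_CHECKED = {"nonverifiable", "verifiable", "bounty", "cert1", "cert2", "cert3"}

# The block as quoted in the post (comments and blank lines included).
SAMPLE_ENTRY = """---
title: "Coinomi Wallet :: Bitcoin Ethereum Altcoins Tokens"

wallet: true
users: 1000000
appId: com.coinomi.wallet
launchDate: 2014-11-01
latestUpdate: 2019-11-12
apkVersionName: 1.17.1
stars: 4.6
commentCount: 20727 # actually this is the rating count
permissions:
website: https://www.coinomi.com/
repository:
icon: "images/wallet_icons/coinomi.png"
bugbounty:
verdict: nosource # May be any of: wip, nowallet, custodial, nosource, nonverifiable, verifiable, bounty, cert1, cert2, cert3

date: 2019-11-14
permalink: /posts/2019/11/coinomi/
redirect_from:
  - /coinomi/
tags:
  - Android
  - Security
---
"""


def _scalar(raw):
    """Strip a trailing ' # comment' (outside quotes) and surrounding quotes; '' -> None."""
    in_quotes, cut = False, len(raw)
    for i, ch in enumerate(raw):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes and (i == 0 or raw[i - 1].isspace()):
            cut = i
            break
    value = raw[:cut].strip()
    if value == "":
        return None
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_front_matter(text):
    """Parse the flat 'key: value' plus '  - item' list subset of YAML the entry uses."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("entry must start with ---")
    entry, list_key = {}, None
    for line in lines[1:]:
        if line.strip() == "---":
            break
        if not line.strip():
            continue
        if line.startswith("  - ") and list_key is not None:
            entry[list_key] = (entry[list_key] or []) + [_scalar(line[4:])]
            continue
        key, sep, raw = line.partition(":")
        if not sep or line[0].isspace():
            raise ValueError(f"malformed line: {line!r}")
        key = key.strip()
        entry[key] = _scalar(raw)
        # An empty value may be the head of a list, so remember the key.
        list_key = key if entry[key] is None else None
    return entry


def check_entry(entry):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = [f"missing required key: {k}" for k in REQUIRED_KEYS if not entry.get(k)]
    verdict = entry.get("verdict")
    if verdict is not None and verdict not in ALLOWED_VERDICTS:
        problems.append(f"unknown verdict: {verdict}")
    if verdict in SOURCE_CHECKED and not entry.get("repository"):
        problems.append("verdict implies the source was checked but repository is empty")
    if verdict == "bounty" and not entry.get("bugbounty"):
        problems.append("verdict is bounty but bugbounty is empty")
    return problems


if __name__ == "__main__":
    parsed = parse_front_matter(SAMPLE_ENTRY)
    print(parsed["appId"], parsed["verdict"], parsed["tags"])
    print("problems:", check_entry(parsed) or "none")
```

Running it on the quoted block yields no problems, since "nosource" with an empty repository is consistent; flipping the verdict to "verifiable" without adding a repository is the kind of copy-and-paste mistake the check is meant to catch before an entry is published.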