Bitcoin Forum

So there is a post here:
https://bitcointalk.org/index.php?topic=5209504.0 (https://bitcointalk.org/index.php?topic=5209504.0)

About is your Android wallet secure. Now I have some issues with the article, and how it is written, and some other things, but that is me. It basically discusses if the github version matches the compiled download for Android devices. Is it open source, is it custodial, etc.

But that brings up another point which is, is that important? And what is?

Going back to here: https://bitcointalk.org/index.php?topic=5205304.0 (https://bitcointalk.org/index.php?topic=5205304.0) where I was talking about how to help new people pick their wallet, this also brings up the point of what is secure and good for you might not matter what it good and secure for me. I used to like Mycelium more but I have really started to drift away from it. For my own personal use I have moved to 2 separate mobile wallets. Both of which would make most people scream ARE YOU NUTS?? one is closed source (with some unverified complaints) and the other is custodial. But for me they do work,for others they might not.

So this point here is:

Since most of us can't really read the 1000s and 1000s of lines of code, and even if we could we may or may not compile it to verify what is on github matches what we just downloaded, which may or may not matter if they admit github might be a version or 2 behind what is being downloaded but the phone auto-updates the app anyway. Which then does not matter since we probably don't know the security procedures in place for them to upload the update to the playstore anyway.

Aren't we just making ourselves feel good? Think about it. Coinomi is closed source. If they put in code to send all the coins in all their installed wallets to them, we can't do anything about it. And we will not know till all our funds are gone.

BUT

Blockstream Green Wallet is open source, and you can verify the build same way as listed it in the article. But still auto updates from the play store. Do we really know if the username and password for account that they use to upload to the store is secure along with the 2fa? Or is the user / pass on a post-it note on the monitor with the 2fa usb device left sitting plugged into the USB port on the computer that does the uploads? If someone goes evil Friday at 3:45PM as everyone is walking out of the office. By the time everyone figures it out Monday AM it's all over.

Same with custodial vs non custodial? Yeah Coinbase has it's issue, but you know what else it has? Insurance & a phone number to call. I KNOW Not your keys / not your coins. But if you trade just about any financial instrument (stocks / bonds / currency) 99% of the time you don't have the actual bonds / stock certificates / cash anyway. Other then logging into my trading account I really can't prove I own "X" shares of "Y" stock. If I want the actual certificate I have to PAY a lot to have created it mailed to me. So long it's at a place like Coinbase and not Dave's unknown exchange does it matter that much? Yeah, they can spring KYC on you at any moment. But you know what, so can any payment gateway. I'm not saying leave real amounts of BTC there.
With that being said...
But, in a hot phone wallet does it matter? If you have more then spending amounts in your phone isn't this all kind of moot? Because...wait for it....phones & PCs are not that secure by themselves at the end of the day....

I can go on, but I just wanted to put this all down again

-Dave

For you and me, I'd say kind of.  I certainly don't have the knowledge necessary to verify any wallet's code to make sure it's secure--I don't know any coding whatsoever, so I have to rely on the expertise of people with that knowledge who vouch for which wallets are safe.  That's good enough for my purposes.

Then again, I don't use mobile wallets much anymore, nor did I ever keep many coins on the Coinomi wallet which I was a fan of for a long time.  I don't like the fact that they're closed source, and using a hardware wallet is just the smarter move for storing altcoins. 

There haven't been any hacks on Mycelium, Electrum, or any of the software wallets for mobile as far ask I know, and you would think that if the devs had the ability to steal your coins they would have done that long ago.  So I tend to trust those two wallets and a couple more, even though I can't verify that everything is safe myself.  That's just how it goes with me; there has to be some level of trust in the makers of these wallets--and other apps, too.

Always like hearing your opinions, Dave.

no, it doesn't really matter. mobile apps and custodial wallets are both high risk. it's always prudent to limit risk exposure either way. tbh i just avoid both. brick-and-mortar spending usually calls for buying gift cards, so i just buy those at home and keep all my private keys offline.

Exactly, and I think that is actually what got me annoyed at the post / article. I really could not figure it out. Now I can.
It's the title. "Is your wallet secure" The next line really should have been. "Duh, of course not, it's on a phone that is vulnerable, in an environment that is vulnerable. But these wallets might possibly be a tiny bit safer then others"


Thanks :-)

Enjoy the rest of the weekend everyone.
-Dave

I have mostly used an exchange as a hot wallet and my Ledger Nano S as a cold wallet..
Also having a seed memorized and being able to get to that coin from anywhere in the world incase of some emergency, yet being very secure, is quite appealing to me..

I don't really trust anything on a phone, or do much of anything on a phone, but have used Mycelium wallet and probably played with a few other app wallets but I don't trust them much at all..

if we don't look at things in black and white (100% safe or 100% scam) then we can see that there is a big range of possibilities between being safe and being completely risky. then we can come up with an assessment and a rate that can help us decide how much bitcoin we want to put in that wallet.

you can start a list of things to look at:
1) what device it runs on?
PC is safer than a ("portable") phone, since you carry phone around!
then a cold storage (like paper) is safer than hot wallet on PC.

2) what programming language it is written in and how it handles its dependencies?
i just leave this here: https://bitcointalk.org/index.php?topic=5206906.0

3) how old and how popular is the project?
being older and being more popular means more people have looked at the code and have been using it. it is not just about being scam but also about having bugs and more popularity means less bugs since they are found easier and fixed.

4) being open source?
this is not about "you" looking at the code. it goes hand in hand with popularity and how many others have looked at the code.

5) having deterministic builds?
being open source is not enough since majority of users are downloading the binaries. there is a simple solution for that called "reproducible or deterministic builds", it simply means no matter who builds the binaries from source code they all end up with the same final file hash. unfortunately majority of wallets don't have that: https://bitcointalk.org/index.php?topic=5195281.0

---

now we can rate different wallets. example out of 10:

#  electrum  coinomi
1) 8          3
2) 8          6
3) 9          5
4) 10         0
5) 10         0
----------------
   45        14

now it is easier to decide how much money to leave where.

I agree with most of the things Dave said. I certainly don't have the knowledge to inspect a piece of code and know what it does. But I do like the fact that others who know what they are looking for have the possibility to inspect it. That is why I stick to the well-known brands. I prefer names who have been in the game for several years. I skeptical towards new brands, open sources or closed source. I'd rather give the community time to inspect the new wallets before I use them. I use both open source and closed source wallets. Even my Ledger is partially closed source. I have used Coinomi on my Android phones with small amounts and mostly for altcoins and have never had any issues with it.   

I believe that this should never ever be encouraged in the community. The more of Bitcoin is held under the custody of a "centralized service", the more it becomes vulnerable under central banking schemes.

Encourage the development of new protocols for exchange, like BISQ.

For context, https://bitcointalk.org/index.php?topic=5209931.0

Not sure if it's mentioned in that article but there are at least 2 ways you can compile some code (might not be true for compiling sfraignto something the os can run):
[ul]

• compiling for memory efficiency
• compiling for cpu efficiency

[/ul] .

There are things you can do to test the build of a wallet too. You don't have to go through something line by line exactly, you just have to look at what's run at what point (normally passing it to an interpreter) or what's sent along the network (typically if communications aren't encrypted). It's much faster to do a dry run or look at each line in turn to work out what it does. It'd take a really advanced programmer to hide some code that looks and acts like it does something different to what it actually does and randomly does something harmful that it'd probably take more effort than it's worth as it may not be possible in a few strict languages.

---

With trusting an exchange to hold your funds you're putting a lot of trust in its team and its insurance. Have you checked the documents and what they actually cover if they store funds there?

---

On the topic of people who love to check signatures and go solely of that, it's good but it's not perfect because you're trusting that person to not have accidentally stored their key somewhere they shouldn't and you're also trusting their version of the compiled key signing engine... If they didn't verify that install or even a piece of rogue software on their machine then you could also be at risk if that adds malicious code to the binary.

I think this is the bottom line. There is no set up in the world which is 100% secure. There is a quote I like from Gene Spafford (https://en.wikipedia.org/wiki/Gene_Spafford) which goes as follows:


Similarly, there is no wallet which is truly secure. Every wallet carries a risk, and every wallet involves trusting a third party at some point of the process. All we can do is evaluate how big that risk is for each wallet, and try to choose the ones with the smallest amount of risk.

Web wallets require a huge amount of trust. You have to trust the company running it (and everyone in that company) to not have written malicious or sloppy code, to not try to steal your coins, to not collaborate with an attacker, to have good security practices, to be storing your coins securely, and so on. You need to trust your web browser, your OS, your ISP, and so forth to not try to steal your login details, log your key presses, direct you to a phishing page, MITM attack you, not be infected with malware, and so on.

On the other end of the spectrum, a fully air-gapped machine or paper wallet, is much safer, but is it 100% trustless? Did you generate your own entropy? Did you evaluate the program you used to turn that entropy in to a seed, private keys, public keys, and addresses? What about the hardware it is being run on? What about the software on the printer you used to print it out? The chances of losing your coins to something like this are minuscule, but never 0%, hence the quote from Gene Spafford.

Having said all that, I use every type of wallet except web wallets. I appreciate that each has a different risk profile, and I store appropriate amounts of money in each. The amounts stored are inversely related to the safety and risk profile of each wallet: Large amounts in air-gapped and paper wallets, medium amounts in a hardware wallet, small amounts on a desktop and mobile wallet.

Nothing is completely safe, risks are what makes things valuable.
You can download 33 wallets to get some altcoins (you must download 33 open-source wallets, which many verified.)
If it is difficult, you have to sacrifice some security to easily download one wallet with one recovery seed.


On the other hand, web wallets are not bad, especially with small amounts that require the use of more than one device in more than one place.

The essential thing is to know and understand all the words before downloading any wallet. For example: Before a period I was using greenaddress and I did not understand the meaning of multi-sig, which faced me a lot when I wanted to extract the private keys.

Fair point you made, and I just commented elsewhere about Coinbase BUT it's worth noting that insurance and a contact number don't mean squat if the customer service is unhelpful and the insurance doesn't pay out.

I tell a lot of people the reason I don't have everything in BTC is because I'm hedging my risk. My fiat may lose value over time, but it also gains interest (so somewhat slows down devaluation) AND is fully insured for free by my government. YES, there is a chance they'll renege that promise, but they haven't yet.

Same why I tell people regulations could be a good thing for traders and speculators. Thanks to MtGox now all licenced exchanges in Japan MUST cover customer deposits with insurance. Hard to beat that kind of protection.

Like you said, until we all know better about coding and shit, we should practice typical security and safety. Don't put it all in one basket. And try and choose baskets that are better protected/insured.

Regardless what other people said, being open-source or partially open-source should be important aspect when looking for Bitcoin wallet.
People should remember than Bitcoin and most P2P protocol (Tor, BitTorrent, BitTorrent's DHT etc.) only able to success because they are open-source.

It's not a fair point. The ones who are "OK" with KYC/AML are probably the people who forgot about one of the reasons why cryptogtaphy, Bitcoin, exists. A path to socio-political change of the system. A system that tells you that you are a "criminal" unless you go through KYC/AML.

I know that it is sometimes impossible not to go through it, especially in times of necessity. But we should not forget.

I agree. I also like to think of being open-source as decentralizing trust. If you don't have the ability or time as DaveF points out to review the code yourself, at least if it is open source then other people can and will flag up any issues. With a closed source wallet I have to trust the developer(s). With an open source wallet I can decentralize that trust from a single person or small team to an entire community.

---

Don't want to go too far off topic here, but it's entire possible not to go through it. I've never completed KYC for any bitcoin or crypto exchange, service, third party, what have you, and I have absolutely no trouble interacting with the bitcoin ecosystem. In fact, I would wager that I use bitcoin more often than the average person, spending it both online and in person on actual goods or services several times each week.

But, unless someone is checking every build that gets released to the play store vs what is in github in somewhat real time it is as I said a false security for most people.

As I said above, do you know who has the access to push the apk to the play store? Do you know what access and security controls they have to that PC that they upload the file from? Do you know what kind of internal reviews exist to make sure all code is internally reviewed? Oh, and can you prove all of the above?

Which is safer? A closed source wallet that has 2 levels of review and a separate PC in a secure area of an of a data center for uploading OR an open source one where the main developer has every password saved on his laptop that they leave in their car so they can work in the coffee shop where they connect to the open WiFi?

Now, if you don't auto update and wait for people to review the code before compiling yourself that is a different story. But if you have your phone / tablet do the normal daily checks for updates then everything above is moot. 

Step 1 develop new wallet
Step 2 publish code and release app.
Step 3 update on a regular basis
Step 4 become evil
Step 5 keep updating as normal
Step 6 repeat #5 for a while
Step 7 release an update that steals coins to the app store / play store
Step 8 Run with the BTC

Yes you have to trust some people at some times, that is just a fact. But, saying that open source is better or more secure that is really pushing it. It lets you find bugs / security issues quicker. It does not make it more secure. Unless you can verify the whole process.

What we should be telling people IMO is "Over time open source things have had better security but you cannot always rely on that fact. Use separate hardware wallets when possible and don't store life altering amounts of coin in a hot wallet"

https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html (https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html)

As someone who deals with it likes to say to me.
"When the PCI compliance (Payment Card Industry)  audit comes remember to answer truthfully. They ask you if you store customers credit card information on your computer, and you don't. They don't ask you if you have that information on post it notes stuck to the wall in the warehouse so you don't need to tell them that.

-Dave

Oh absolutely. I think the Google and Apple app stores give people a lot of false security, not just in terms of apps matching their open source code, but also apps not spying on them, being outright malicious or malware, invasive permission, faulty, and so on. The criteria for being published on the stores is very minimal, and no one should assume something that has been published has been vetted or that automatically makes it safe or trustworthy.

Sure, but how can you prove the closed source wallet has 2 levels of review on a secure PC if not without trust?

I don't, and I don't think anyone should. I don't feel comfortable giving any app, program, or software the ability to automatically download and execute code on my devices.

Something similar happened last year with the Copay wallet: https://www.coindesk.com/fake-developer-sneaks-malicious-code-into-bitpays-copay-wallet. Copay is open source, but a malicious third party obtained control over a JavaScript library dependency and it was pulled in to Copay updates without anyone realizing.

I never said open source was automatically better, but it is better than closed source if you evaluate and verify the code before installing or updating. If you do this, then your point about it being edited from a coffee shop is moot. It doesn't really matter where the code was edited or who edited it if you are going to check it all first.

Agree with this.

let me add an additional thought. when it comes to wallets and being open source i have seen some beginners think that just having a github link means they are open source. but unfortunately it is becoming a common scam method where the hacker releases the compiled malicious wallet on github and tries fooling beginners into thinking it is safe.

I forgot about that. I know last week there was the discussion about the malicious Python libraries https://bitcointalk.org/index.php?topic=5206906.0 (https://bitcointalk.org/index.php?topic=5206906.0)
Makes you wonder what else is lurking out there.


You can't because most places will not. BUT lets put this hypothetical out there.
Take a well regulated exchange. Since Gemini is taken lets call it Aires.
Aires is in NY so they have all the NY and USA regulators looking at everything they do. They decide all the wallets out there are crap so they release their own.
They have auditors give a list of all the security processes but at the end of the day it's still closed source.
Do you trust it more or less then say Mycelium?


That is very rare, most people just set it and forget it.

-Dave

You should teach everyone. Please open a new topic about your method, and which services you use. I believe avoiding KYC has become its own art form. Hahaha.

Probably less.

For starters, an exchange is almost certainly going to release a custodial web wallet as opposed to a non-custodial wallet, so it's an immediately fail for me on that front.

However, assuming we are talking about it releasing a non-custodial wallet similar to Mycelium or Electrum, my answer is still probably less, for the exact reasons you have stated in your previous post. Release a genuine wallet, have the auditors examine it and state that it's all clear, become evil, keep updating as normal for a while, maybe have a second all clear audit performed to build even more trust, release a malicious update, steal coins.

I appreciate the above is also possible if you auto-update open source wallets without checking the code first, but at least with open source, checking the code is possible.

---

I'll consider that sometime, but there's no big secret to it. There are more and more on ramps for fiat now than ever before - P2P trading locally, P2P on this forum, decentralized exchanges (I generally use BISQ), ATMs, and so forth. I have little interest in most altcoins, but the couple that I do buy, again I simply trade peer-to-peer. There are also plenty of centralized exchanges such as Binance which will let you trade altcoins without KYC.

it is worth keeping in mind that risks aren't just about security and having your coins stolen. the bigger risks is usr privacy being invaded. a closed source wallet may not be stealing your coins but it can easily gather all kinds of information from your wallet and sell that!
for example Windows is closed source and Microsoft is not stealing your money but it is obviously gathering a lot of information by invading your privacy and abusing that.

It is not about if a wallet is open source and on GitHub, it is about how long they have been there, how many issues and fixes have their been and how many people have had a chance to inspect the code. I would never download a piece of software just because it is open source but it got released 2 days ago. 

But all that becomes irrelevant whenever an update is published. Taking the example that I discussed in a previous post, the Copay wallet is open source and has been on GitHub for 5 years. It has 75 contributors and over 16 thousands commits. Even then, malicious code managed to be introduced without people noticing for a short period of time.

Precisely, but you need to apply that same logic to all updates of existing software, and not just new software. Open source is only good if you ensure the code you are downloading matches the code that is published, and the code that is published is thoroughly vetted prior to you downloading it. Allowing automatic updates of anything that is pushed defeats the whole point.

Don't trust Binance. They can do shotgun-KYC, and hold your withdrawal anytime they want.

I want to see your guide for P2P trading plus BISQ done efficiently.

You can withdraw up to 2 BTC each day from Binance without verifying your identity. Have their been incidents where they have help user funds without reasonable grounds? They are on top of my list and I don't think they would damage their reputation just like that.

Although I agree with your argument, the critical and most important thing to note is that we're talking about mobile wallets, which are only as secure as your ability to prevent your phone from being lost, stolen, or unlocked.  Any mobile wallet should be considered the same as having cash in your pocket.  If you can't afford to lose your leather wallet and $20 cash, don't have more than $20 worth of BTC in your mobile wallet.

that's the problem with centralized exchanges, they can do whatever they want. of course when they "promise" not to ask for KYC for below 2 BTC they stick to that promise most of the times but there are always cases where they simply break that promise!
for instance Bittrex which was  the number one exchange before Binance was promising not to want KYC at all for old accounts and not change that rule. then overnight they changed that rule and blocked all accounts that hadn't completed KYC verification and also banned half a dozen countries from accessing their website and stole the balance of every user from those countries.

Taking that to the next step. Should be, any "hot wallet" that is not securely encrypted with a very safe encrypted backup.

It's nice that I have a PC in my house with a full node on it that has BTC on it.
It's secure in the fact that it's an Intel NUC ( https://www.intel.com/content/www/us/en/products/boards-kits/nuc/mini-pcs/nuc7i3bnhxf.html ) that unless you know where it is even if you rob the place you are probably not going to find it.
It's secure in the fact that it has a somewhat complex password on it that with current computing power and BTC price it's going to cost more to crack it then it's worth.
I have a backup of the wallet.dat file in a secure location with some other documents and recovery stuff.

But to say it's REALLY secure is a stretch. It's secure enough that if it does get stolen I am out more for the cost of the unit and the drive then the BTC I have on it if they do manage to actually crack the password before I get to the secure location and move it.

If my leather wallet with $20 get's stolen then I am out the cost of the wallet and the $20

If my phone get's stolen then I am out the cost of the phone.
Because I have the recovery words someplace safe and..the phone is pin / fingerprint protected and the wallets are both password / fingerprint protected and I can remote wipe the phone.

The security of the phone and PC are both moot however, if we go back to the original thought of what happens if the wallet software itself is compromised.

So multiple layers people. Hardware signing only for wallets with large amounts, cold properly created offline wallets for storage and hope that the hot wallets we use day to day with non critical amounts are properly written.

-Dave