Bitcoin Forum

I read some guide posts about custodial vs. non-custodial wallets but only a few about open vs. closed source. I often read them brought up by other users in the comments. I think many beginners don't have the slightest idea about the difference between closed and open source yet. I don't claim to be an expert on this but I will try to highlight that in this post based on what I understand so far.

Closed source: Since nobody else knows the codes except the developers, it is mainly them who can check the wallet for any bug or other vulnerabilities. I'm not sure how many are they but their number is surely fewer than the devs monitoring open source wallets. If a hacker finds a malware, it could probably take them longer time to fix that. The longer the time, the greater the risks to the funds of users.  

Another factor is you have to completely trust or at least highly trust the team. I think being a "trust-based" wallet alone is a potential red flag already and you should think carefully before using them. Why? The developers can do a lot of changes in the wallet. I can't remember who said this but here's an example, the developers can ask you to pass KYC verification before you can access your funds again. That sounds crazy and the chances of that happening are low but it is still a possibility.

Non-custodial mobile wallets used by many beginners today are probably unaware that they are closed source. Here are some of them:
- Coinomi
- Exodus
- Enjin
- Jaxx
- Trust Wallet (Android)


Open source: Huge advantage over closed source is there are more people who can check the codes for any bugs or malwares. The more eyes to inspect, the faster it is to find and fix any vulnerabilities. The wallet becomes more secure to store funds. There is also no need to put trust to a few developers and this idea truly supports decentralization too.

Example of non-custodial and open source mobile wallets:
- Electrum
- MyCelium
- Bread Wallet
- Trust Wallet (IOS) **

**some evidence suggest that it is not open source anymore.

I am sure there are similar or differing opinions from the pro users here and I would like to hear them.
Please share your thoughts, add more, or rectify if you see something inaccurate in my post.  


P.S.
I'm not promoting any of the above-mentioned wallets. If you want to use any of them, please do it at your own discretion.

They can do much worse than arbitrarily demand KYC. They can use pre-generated seeds so they already know the private key to every address the wallet generates, or in the cases of people importing seeds, they can simply program the wallet to send the seed back to the developers. They can even insert a few lines of code to an update that simply sends everything in the wallet to them. With closed source wallets, you have to trust the developers completely.

I still don't understand why the trustwallet folks claim that their wallet is open source even on their website  and yet its only the iOS version that's open source. It's misleading since the Android version probably has even much more users than the iOS version.

Hey, great article.

I would like to add another wallet to the OpenSource wallets list, the name is Atomic Wallet.

https://atomicwallet.io/
https://github.com/Atomicwallet

i have been using this wallet in the past months and is the best one i have ever seen. It has features like swap, buy cryptos, staking, and multiple coins and tokens wallet... So far so good, and i think it deserve a mention in this thread.

TrustWallet's not-so-good excuse:

It has come to our attention that some dishonest developers have been cloning Trust Wallet and either scamming users or using the code without permission as their own product.

source: https://medium.com/@trustwallet/why-open-sourcing-android-app-could-be-a-harm-to-the-crypto-community-fb3ae1707dc6

Quite a non-acceptable excuse in my opinion. It's not like scammers aren't scamming people by creating clones of closed-source platforms. Though making the wallet closed source protects them ever so slightly, sacrificing their software's open-ness isn't worth it in my opinion. But then again, I assume most people don't even know that the Android version is closed source.

hehe Coinomi was already doing the second part. it was sending the seed to their servers to be "checked" for spelling errors, etc. and it is closed source so there isn't that much information about what the hell was going on really. all we know was that it communicated the mnemonic with a server and the devs were evasive about it.

Hi pooya87, Coinomi never has access to any of its users' phrases, passwords or any kind of personal information. You can read the forensic analysis here regarding this spelling error issue you are referring to: https://twitter.com/kimionis/status/1131945228506738688

I was gonna add that closed source wallets will resort to third party audits or other analysis in an attempt to increase their reputation. The representative from coinomi beats me to it.

Regardless of the outcome of this particular issue, it doesn't address the wider problem, in that your wallet is still closed source. Even if Google didn't have access to the seed as you state (which again, because they are closed source, we will never know), the issue is that they could have. All users of Coinomi have to have complete trust in both your programming skills and your honesty.

The oft repeated mantra of "Don't trust. Verify." is apt here. With closed source software, it is impossible to verify, and you are forced to trust. Why will you not transition to open source?

I am using coinomi and atomic wallet. I first got coinomi but o_e_l_e_o let me know about open and close source, I later checked for open source wallet which are better than closed source. So, I found atomic wallet to be open source. No kyc, no email, it has private keys, and seed phrase, it is completely non-custodian wallet. But this wallet even including coinomi do not have 2fa. So, I use them to store only altcoins. For bitcoin, I prefer electrum, I can enable 2fa on electrum wallet but because I use two phones, I store my private key offline and I use the other one as a watch only wallet. This is the safest way for me to store bitcoin because nobody have access to my offline private key. And electrum is also open source.

Coinomi was open source years ago and we had to make the tough decision of closing it. The developers still contribute to several open source projects. Reopening the source is not completely out of the question, but it's not a simple decision to make either.

That doesn't answer the question of why it isn't open source? Why, if it was open source, did you decide to close it? You say it was a tough decision, so there must of been lots of factors you considered. What were they?

I'm sure you will always have lots of users, but serious users on this forum are never going to use and never going to recommend closed source software.

Small warning: Being on Github does not mean that wallet is open source and therefore safe. Unless you check each line in the wallet code or trust that there are sufficient developers who have checked each line with the code, there is no difference between the open and closed wallets.

Many scammers give a false sense of security by inserting part of the code "compressed on Github" or uploading unverified/recent files.


Always check wallet reviews before downloading it.

It is true that many beginners doesn't know what closed and open source wallets and it's disadvantages and disadvantages using wallets. It is recommend that beginners should be aware of closed and open source wallets and be safe from losing funds because of such problems that the wallets may have experiencing.

Neat little guide.
To all users not too much tech savy, i would advice you to always choose open source wallets. They are more secure and more verified (so trusted) than closed source projects.
In Bitcoin security is almost everything in terms of using it, so no wallet should be closed source in reality.

Are you saying that the IOS version of trust wallet is open source while the Android version is closed source? I really doubt that, and maybe you don't know, running wallet apps on iOS are very dangerous, there is back doors on iOS

That was certainly the case for a while - they closed the source for the Android app to try to prevent malicious copies of the app appearing on the Google Play store: https://medium.com/@trustwallet/why-open-sourcing-android-app-could-be-a-harm-to-the-crypto-community-fb3ae1707dc6

However, looking at their GitHub repository it looks like both the Android and Apple apps are now closed source:
https://github.com/trustwallet/trust-wallet-android-source - archived, last commit October 2018
https://github.com/trustwallet/trust-wallet-ios - archived, last commit December 2018

It seems that their underlying libraries are open source (https://github.com/trustwallet/wallet-core), but not the wallet apps themselves.

One of the major reasons for closing the source were fake or cloned apps being distributed on the app store. Even in case of "benign" clones, their developers would keep all support links and the official logos and branding. We cannot provide support for modified versions, and both malicious and poorly implemented "benign" clones were having a negative effect on our image and ability to provide quality support for users.

---

Exactly, having the source code open doesn't guarantee that the files you download from app stores are the same. And even if they are, it's not guaranteed that the source code was inspected by someone who knows what to look for. One of the biggest proponents of open source wallets admitted himself that no one was checking his wallet.

the only thing an attacker needs for creating a malicious copy of a wallet is the name of the wallet and absolutely nothing else. the looks of the wallet can also be different, even the logo. a user that downloads such malicious wallets doesn't pay attention to those differences either, even if they do it would look like the new version's new looks. and since the attacker's intentions are to steal user's money the malicious wallet doesn't even have to provide majority of of functionality that the wallets normally do.

It is also trivially easy to create a clone the looks like another wallet. That's probably the easiest step in the entire process of creating a scam wallet. To program a wallet to steal seeds, keys, or coins, you at least have to know a bit of programming. Literally anyone can mimic fonts, colors, and layout. Being closed source doesn't help this at all, since the underlying code isn't the part a scammer needs to copy.

Which brings me back to my original point. I'm sure you will always have plenty of users, and people who blindly download apps from the app store don't care about the code being open source. But serious bitcoin users are going to be downloading open source wallets they can verify themselves direct from GitHub or the developer's site, and not from some scam filled Google or Apple store.

Towerbreeze, thank you for pointing that out. I went over their site https://apps.apple.com/app/trust-ethereum-wallet/id1288339409 and checked the app version history. I found out that the latest version was released April 2020. Comparing that to the last commit on github which was December 2018, I think that strongly supports the idea that the IOS Trust wallet app is not longer open source anymore.

I'm not going to comment on your feedback about IOS having backdoors

Thanks o_e_l_e_o for the github link.

As a newbie or beginner before, I am basically aware of the difference between closed & open-source wallets.

Although I'm not a programmer, we are talking about technology differences between closed systems wherein they are quite limited with regard to their flexibility and support, compared to their open-source counterparts which are the opposite situation instead by default.

Can you edit the OP.  Trustwallet iOS is no more open source. It is a close source wallet.

It's already clear, why you ignore this sentence?

The importance of open source wallets cannot be overemphasized, quite a lot of people think all that is necessary is for the wallet to be non-custodial, so they can have their keys, but when you have keys/seed phrase to your funds that you are not sure how it was generated or what the developers are actually doing, then you cannot say your funds are safe.

Having said that, take a look at the situation with Atomic wallet, it is a good reason to use only open source (non-custodial) wallets, thus as newbies and others get to know the difference between open and closed source wallets, it is imperative that they choose the one that's safest, and that is open source wallets.

I was advocating open source wallets for years and people told me several times that I am to extreme with this approach, but look what is happening with closed source wallets.
They get hacked, infected by malware all the time and who knows what else is happening below the hood, since nobody can check the code.
There is a high chance closed source hardware wallets have some hidden code or backdoor that can remain dormant for years and just waits to be activated.

Few more good examples of less known non-custodial open source wallets are Sparrow wallet, Airgap wallet, Unstoppable wallet, etc.