|
Remember remember the 5th of November
Legendary
Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
|
|
July 17, 2013, 09:20:21 AM |
|
Cool, where is the source located at?
|
BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
|
|
|
sacrelege (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
July 17, 2013, 09:25:45 AM |
|
Cool, where is the source located at?
On my SSD, SVN and my Backup NAS. I need to pay for food somehow...
|
|
|
|
Remember remember the 5th of November
Legendary
Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
|
|
July 17, 2013, 09:27:05 AM |
|
So no source? How do you expect people will trust you with their Bitcoins without it?
|
BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
|
|
|
sacrelege (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
July 17, 2013, 09:38:38 AM |
|
So no source? How do you expect people will trust you with their Bitcoins without it?
Good question, but it seems you didn't see the App description in the Play Store. The App only needs "trade" and "get_info" permissions; you can choose this when you create an application access key in the mtgox security center. There is a tutorial after starting the app, including pictures, which describes exactly how to accomplish this. So there is no way this app can withdraw your bitcoins. Plus, you can track me down easily. You will see the App was listed by my Swiss Company "Nextgen Computing GmbH". I have nothing to hide.
|
|
|
|
|
31337157
Member
Offline
Activity: 111
Merit: 10
|
|
July 17, 2013, 12:45:46 PM |
|
Awesome app! My goodness, it does everything needed for quick day trading. I just loaded it up and connected acct, no trading yet but I am looking forward to it. Thank you.
|
|
|
|
sacrelege (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
July 17, 2013, 02:30:45 PM |
|
It is based on stock-chart with a few modifications.
|
|
|
|
Remember remember the 5th of November
Legendary
Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
|
|
July 17, 2013, 02:38:08 PM |
|
It is based on stock-chart with a few modifications.
Would you be willing to provide these changes to stock-chart for free? I know it's MIT license, but no harm in asking. I was interested (before this thread) in making a similar application for executing trades on Bitstamp, as it is the superior exchange.
|
BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
|
|
|
sacrelege (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
July 17, 2013, 02:39:22 PM |
|
Awesome app! My goodness, it does everything needed for quick day trading. I just loaded it up and connected acct, no trading yet but I am looking forward to it. Thank you.
Thank you very much! Feedback like yours motivates me to make it even better. Please consider it is still in the beta phase and I'm working almost every day on it. I have a few more cool features planned for it.
|
|
|
|
sacrelege (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
July 17, 2013, 02:59:58 PM |
|
Would you be willing to provide these changes to stock-chart for free? I know it's MIT license, but no harm in asking. I was interested (before this thread) in making a similar application for executing trades on Bitstamp, as it is the superior exchange.
Since I don't have any other job/income, it is kind of a conflict of interest. I hope you can understand that. But on the other side, I didn't change much, or mostly cosmetic aspects. The part which included more work is to pre-process the data before feeding it to stock-chart, and that part is done server side.
|
|
|
|
foggyb
Legendary
Offline
Activity: 1736
Merit: 1006
|
|
July 17, 2013, 03:22:40 PM |
|
this could be a good app to find accounts that are ripe for hacking.
Not saying you're a criminal, but if it's not open source.... who knows?
|
|
|
|
sacrelege (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
July 17, 2013, 04:01:33 PM |
|
this could be a good app to find accounts that are ripe for hacking.
Not saying you're a criminal, but if it's not open source.... who knows?
What's the difference to the official mtgox mobile trading app or any other trading app? They all use application access (without withdrawal permissions).
- One connection is a simple http GET request for getting the history candlestick data (feel free to intercept and review it).
- All other connections are only made to mtgox.
Regards,
Christian Strässle
Founder of Nextgen Computing GmbH - www.nextgen.ch - A registered Company in Switzerland.
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1114
WalletScrutiny.com
|
|
July 17, 2013, 04:44:39 PM |
|
Any Bitcoin-Related Android App might just sit there, waiting for the next 0day to become available to wipe all my Spinners, Myceliums, Schildbachs, MtGoxes that have more access than the app originally asked for. A criminal could empty all these in one second with code he introduces in the next update and that is triggered by a timestamp. No prior wrong behavior can help you assess the security of this app.
But to be realistic: I use Mycelium and the fact it is open source makes it about 1% safer than your app as I doubt that more than 1% of the users actually compiled it themselves. I don't know if there is a way but theoretically it should be possible to sign an app with a merchant key and still allow others to review if the APK is in fact compiled from the open source code, so with updates that don't come from the repository could sound an alarm with people who prefer using the market.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
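
An added illustration of the check giszmo describes (not part of any post in this thread and not code from any app mentioned): compare a store APK against one built locally from the published source, ignoring the JAR-signature files that legitimately differ between the two. It assumes the build is reproducible and the APKs use v1 (JAR) signing; the sample APKs and their contents are constructed in memory.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature files: expected to differ between a store build signed
# with the developer's key and a local build signed with any other key.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")

def is_signature_entry(name):
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNATURE_SUFFIXES)

def content_digests(apk_bytes):
    """Map every non-signature entry of the APK to the SHA-256 of its data."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests

def compare_apks(store_apk, local_apk):
    """Report entries added, missing or changed in the store build."""
    store, local = content_digests(store_apk), content_digests(local_apk)
    common = store.keys() & local.keys()
    return {
        "only_in_store": sorted(set(store) - set(local)),
        "only_in_local": sorted(set(local) - set(store)),
        "changed": sorted(n for n in common if store[n] != local[n]),
    }

def make_apk(entries):
    """Build a constructed in-memory APK (zip archive) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: one local build and two hypothetical store builds.
BASE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-from-repo"}
LOCAL_BUILD = make_apk({**BASE, "META-INF/CERT.RSA": b"local key"})
HONEST_STORE = make_apk({**BASE, "META-INF/CERT.RSA": b"merchant key"})
TAMPERED_STORE = make_apk({**BASE, "classes.dex": b"dex-with-extra-code",
                           "META-INF/CERT.RSA": b"merchant key"})

if __name__ == "__main__":
    print(compare_apks(HONEST_STORE, LOCAL_BUILD))
    print(compare_apks(TAMPERED_STORE, LOCAL_BUILD))
```

Any non-empty list in the result means the store update contains something the repository build does not, which is the alarm condition described in the post above.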
|
|
|
sacrelege (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
July 17, 2013, 08:19:39 PM |
|
Any Bitcoin-Related Android App might just sit there, waiting for the next 0day to become available to wipe all my Spinners, Myceliums, Schildbachs, MtGoxes that have more access than the app originally asked for. A criminal could empty all these in one second with code he introduces in the next update and that is triggered by a timestamp. No prior wrong behavior can help you assess the security of this app.
I think you're right. It might help if the other Apps (Spinners, Myceliums, Schildbachs, MtGoxes..) are prepared for unauthorized access. For example by an encryption process besides the default android internal storage one.
But to be realistic: I use Mycelium and the fact it is open source makes it about 1% safer than your app as I doubt that more than 1% of the users actually compiled it themselves. I don't know if there is a way but theoretically it should be possible to sign an app with a merchant key and still allow others to review if the APK is in fact compiled from the open source code, so with updates that don't come from the repository could sound an alarm with people who prefer using the market.
What if you compiled yourself, but didn't read through the complete source code? Did you check the checksum after downloading? What if the server got compromised and the checksum is already up to date? What if the server checking the key gets compromised too? Maybe you read the code but didn't find the security hole? How do most open source projects check what is checked into the repository, and by whom? Is there an established process / guideline for doing that? 1% more or less security is for nothing if you lose your bitcoins. :-/ maybe we shouldn't use anything at all. :-o
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1114
WalletScrutiny.com
|
|
July 18, 2013, 02:46:38 AM |
|
Any Bitcoin-Related Android App might just sit there, waiting for the next 0day to become available to wipe all my Spinners, Myceliums, Schildbachs, MtGoxes that have more access than the app originally asked for. A criminal could empty all these in one second with code he introduces in the next update and that is triggered by a timestamp. No prior wrong behavior can help you assess the security of this app.
I think you're right. It might help if the other Apps (Spinners, Myceliums, Schildbachs, MtGoxes..) are prepared for unauthorized access. For example by an encryption process besides the default android internal storage one.
But to be realistic: I use Mycelium and the fact it is open source makes it about 1% safer than your app as I doubt that more than 1% of the users actually compiled it themselves. I don't know if there is a way but theoretically it should be possible to sign an app with a merchant key and still allow others to review if the APK is in fact compiled from the open source code, so with updates that don't come from the repository could sound an alarm with people who prefer using the market.
What if you compiled yourself, but didn't read through the complete source code? Did you check the checksum after downloading? What if the server got compromised and the checksum is already up to date? What if the server checking the key gets compromised too? Maybe you read the code but didn't find the security hole? How do most open source projects check what is checked into the repository, and by whom? Is there an established process / guideline for doing that? 1% more or less security is for nothing if you lose your bitcoins. :-/ maybe we shouldn't use anything at all. :-o
Google (Mike Hearn? Ping!) should have a feature to distribute trusted open source apps. Some mechanism where they directly upon request by a maintainer pull the head of the master branch from a githubcode.google repo. Sure, I don't read all the code but: If a repo lays untouched for months on github I feel quite confident some other dev would have noticed malicious revisions, so as I generally trust github and their timestamps (I wanted to check if you can fake these), I feel safish when I compile from source.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
goebat
|
|
January 13, 2014, 02:44:00 PM |
|
How much is the subscription fee? It doesn't seem to be clearly advertised anywhere.
|
|
|
|
|