Mycelium Bitcoin Wallet

[Rassah]

Is Mycelium ready for the changes coming with 0.90? I expect we should have support for lower fees very soon after official release and support for payment requests later on?

Fees are a quick fix, so should be out soon after 0.9. Merchant protocol will take a while longer. BIP32 HD wallets are more important

[1715054765]

1715054765

[1715054765]

1715054765

[1715054765]

1715054765

[soullyG]

Thanks.

We have started adding rates from sources that are not actual exchanges such as Coinbase and BitPay.
Many users have requested this as it allows them to see what their coins are worth when buying at for instance Coinbase or spending at a BitPay enabled merchant. Since these sources do not have a volume associated we cannot really calculate a weighted average.

In the testnet version (released 2 days ago) we have added BitcoinAverage. They make a business out of monitoring and selecting relevant exchange sources, and we believe that they track the markets closer than the Mycelium developers.

The default choice is right now Bitstamp, and it is up to the user to select a source that he/she finds valuable and trustworthy.

Thanks Jan, that makes sense - I think BitcoinAverage would be more than enough for my needs (I just like extra options to play with )

One more thing: I had the chance to use message signing for the first time the other day, and it got me thinking - it's currently only possible to do this for keys that are stored on the device - would it be possible to integrate this feature with the cold storage spending functionality, so that we can sign messages on an ad-hoc basis, without needing to fully import the private key?

[apetersson]

One more thing: I had the chance to use message signing for the first time the other day, and it got me thinking - it's currently only possible to do this for keys that are stored on the device - would it be possible to integrate this feature with the cold storage spending functionality, so that we can sign messages on an ad-hoc basis, without needing to fully import the private key?

yes. this makes a lot of sense. it is just a question of how to integrate it in the UI.

[RGBKey]

One more thing: I had the chance to use message signing for the first time the other day, and it got me thinking - it's currently only possible to do this for keys that are stored on the device - would it be possible to integrate this feature with the cold storage spending functionality, so that we can sign messages on an ad-hoc basis, without needing to fully import the private key?

yes. this makes a lot of sense. it is just a question of how to integrate it in the UI.

Maybe instead of putting the sign option as an address option, add it as a menu option (like cold storage) and then you can choose an address or to scan, etc. Also, not sure if you noticed the new samsung discovery of a backdoor/feature. I personalky use a galaxy, and was concerned enough to move it onto my computer for a bit. Can you advise on that?

[Jan]

...Also, not sure if you noticed the new samsung discovery of a backdoor/feature. I personalky use a galaxy, and was concerned enough to move it onto my computer for a bit. Can you advise on that?

Was actually in the process of writing about that... gimme a minute

[Jan]

A vulnerability has been discovered which seems to affect certain Samsung devices:
http://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor

What can it do?
It appears that this could be used to gain read access to Mycelium private keys on the android file system for the following device types:

• Nexus S (I902x)
• Galaxy S (I9000)
• Galaxy S 2 (I9100)
• Galaxy Note (N7000)
• Galaxy Nexus (I9250)
• Galaxy Tab 2 7.0 (P31xx)
• Galaxy Tab 2 10.1 (P51xx)
• Galaxy S 3 (I9300)
• Galaxy Note 2 (N7100)

How should I react?
For a start, please don't store more in a hot wallet than what you are prepared to loose. This is a general recommendation regardless of whether you use Mycelium or any other wallet. Mycelium offers cold storage spending where the private key never touches the file system. With cold storage spending your private key is safe from this exploit. Use it.

What will Mycelium do?
We will make an update that makes Mycelium warn the user if he is running on one of those devices.
We will get in contact with other Bitcoin android developers and figure out what the best course of action is.

[Jan]

Let me add that you need to install an app that exploits the back door to be vulnerable (or update an existing app which adds an exploit)

[hgmichna]

Let me add that you need to install an app that exploits the back door to be vulnerable (or update an existing app which adds an exploit)

Are you sure? It reads more like remote file access.

But anyway, things are moving fast at least at CyanogenMod's. There is already a software problem report in their bug tracker with priority "critical".

I, for one, may have to switch over to CyanogenMod a bit sooner than I had planned. My phone is a Samsung Galaxy Nexus, which is affected.

Replicant is another choice. After all they found the backdoor.

[soullyG]

One more thing: I had the chance to use message signing for the first time the other day, and it got me thinking - it's currently only possible to do this for keys that are stored on the device - would it be possible to integrate this feature with the cold storage spending functionality, so that we can sign messages on an ad-hoc basis, without needing to fully import the private key?

yes. this makes a lot of sense. it is just a question of how to integrate it in the UI.

Thanks, I think the best place to put it would be on the screen after selecting the "cold storage" menu option (and likely only once the private key has been scanned) to keep it separate from the standard message signing, but RGBKey's proposal is also good:

Maybe instead of putting the sign option as an address option, add it as a menu option (like cold storage) and then you can choose an address or to scan, etc.

[RGBKey]

Let me add that you need to install an app that exploits the back door to be vulnerable (or update an existing app which adds an exploit)

This is not true. The exploit gives access to anybody broadcasting a pirate signal from capable equipment also. Correct?

[apetersson]

Let me add that you need to install an app that exploits the back door to be vulnerable (or update an existing app which adds an exploit)

This is not true. The exploit gives access to anybody broadcasting a pirate signal from capable equipment also. Correct?

As far as i understand, you need to have actual malware installed, which in turn can bypass the process isolation. Of course, this malware can request access rights to Internet, Bluetooth or whatever, which could be used to abuse this remotely. But this is still quite fresh now, maybe i'm wrong.

[apetersson]

as this story develops, it looks like it might be exaggerated reporting. apparently, you would need a modified kernel that this needs to be exploited:

http://www.xda-developers.com/android/samsung-backdoor-may-not-be-as-wide-open-as-initially-thought/

http://arstechnica.com/security/2014/03/virtually-no-evidence-for-claim-of-remote-backdoor-in-samsung-galaxy-phones/

accoring to these articles, only the Galaxy S would be really affected.

Anyways, this serves as a reminder that one should store significant amounts on Paper only, and verify that the backup works.

[RGBKey]

as this story develops, it looks like it might be exaggerated reporting. apparently, you would need a modified kernel that this needs to be exploited:

http://www.xda-developers.com/android/samsung-backdoor-may-not-be-as-wide-open-as-initially-thought/

http://arstechnica.com/security/2014/03/virtually-no-evidence-for-claim-of-remote-backdoor-in-samsung-galaxy-phones/

accoring to these articles, only the Galaxy S would be really affected.

Anyways, this serves as a reminder that one should store significant amounts on Paper only, and verify that the backup works.

I wasn't too concerned since I had only 1.8% of my coins on my phone, and of course a verified backup, but always have to be wary about these things.
EDIT: My phone is a Galaxy S III mini.

[hgmichna]

I wasn't too concerned since I had only 1.8% of my coins on my phone, and of course a verified backup, but always have to be wary about these things.
EDIT: My phone is a Galaxy S III mini.

We are so relieved!

[RGBKey]

Think I disovered a small backup related bug. (Does not affect integrity of backups)

My wallet currently has 1 active address, 8 watch only addresses and an archived address. In the backup, the active one is listed as 1 out of 9, and then the 8 watch only addresses are listed as 1-8 of 9. There is no 9 out of 9.

[RGBKey]

Think I disovered a small backup related bug. (Does not affect integrity of backups)

My wallet currently has 1 active address, 8 watch only addresses and an archived address. In the backup, the active one is listed as 1 out of 9, and then the 8 watch only addresses are listed as 1-8 of 9. There is no 9 out of 9.

Any comment?

[apetersson]

Think I disovered a small backup related bug. (Does not affect integrity of backups)

My wallet currently has 1 active address, 8 watch only addresses and an archived address. In the backup, the active one is listed as 1 out of 9, and then the 8 watch only addresses are listed as 1-8 of 9. There is no 9 out of 9.

Any comment?

I know we had a bug in the labels of the PDF. i assume just the numbering is wrong and the actual backup is fine.

if so, i'll put it in the low-prio bug category. we will eventually fix it someday or sooner if we get a pull request for it.

(what is more annoying is the lack on UTF-8 support in the pdf... ) this needs a major rewrite with a different PDF generation engine.

[Jan]

Think I disovered a small backup related bug. (Does not affect integrity of backups)

My wallet currently has 1 active address, 8 watch only addresses and an archived address. In the backup, the active one is listed as 1 out of 9, and then the 8 watch only addresses are listed as 1-8 of 9. There is no 9 out of 9.

Any comment?

I know we had a bug in the labels of the PDF. i assume just the numbering is wrong and the actual backup is fine.

if so, i'll put it in the low-prio bug category. we will eventually fix it someday or sooner if we get a pull request for it.

(what is more annoying is the lack on UTF-8 support in the pdf... ) this needs a major rewrite with a different PDF generation engine.

The numbering has been fixed and if you use non-ASCII characters in address labels we will not not display it (as it would look like gibberish). This will be part of the next release.

[SherdonIke]

Are you going to make a new version? if so  when about
Excuse me, am I right it does work with Samsung ? I wonder cause my friend has samsung

[RGBKey]

ETA on Mycelium with the new standard fee?