RGBKey
|
|
April 04, 2014, 04:54:50 AM |
|
Bounty offered to Mycelium developers
We are developing the BitID authentication protocol. Basically it's an open standard to facilitate user's registration in login on a service using its Bitcoin key (it could be compared to "Facebook connect" on the UX and flow). User scans a QR code which contains a bitid:// URI, it's parsed for validity by the wallet and a confirmation is prompted. After choosing a Bitcoin address, the URI is signed and a POST is made in the callback address contained in the URI.
For the full explication of the protocol, examples and demo please refer to our GitHub: https://github.com/bitid/bitid
To be successful, BitID must be implemented in most of the popular wallets. We would like to start the development with Mycelium (because it has already the signing message functionality). To motivate developers we are offering a bounty of 1 BTC.
What is needed to do:
- register the bitid:// scheme (so it is activated in case of click)
- throw a bitid:// intent when scanning a BitID QR code
- decode the URI and verify its format
- display a request for authentication showing the domain name callback and ask for validation
- ask the user to pick up or create a Bitcoin address for the authentication (show the last Bitcoin address used if this is a known callback address)
- sign the BitID URI with the private key
- POST the signature, the URI and the public key to the callback URL
- completion dialog : success/retry/cancel
Please PM me for more details and specifications.
Eric
I saw this today, and Mycelium, PLEASE ADD THIS
|
|
|
|
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
April 04, 2014, 05:39:31 AM |
|
Bounty offered to Mycelium developers
We are developing the BitID authentication protocol. Basically it's an open standard to facilitate user's registration in login on a service using its Bitcoin key (it could be compared to "Facebook connect" on the UX and flow). User scans a QR code which contains a bitid:// URI, it's parsed for validity by the wallet and a confirmation is prompted. After choosing a Bitcoin address, the URI is signed and a POST is made in the callback address contained in the URI.
For the full explication of the protocol, examples and demo please refer to our GitHub: https://github.com/bitid/bitid
To be successful, BitID must be implemented in most of the popular wallets. We would like to start the development with Mycelium (because it has already the signing message functionality). To motivate developers we are offering a bounty of 1 BTC.
What is needed to do:
- register the bitid:// scheme (so it is activated in case of click)
- throw a bitid:// intent when scanning a BitID QR code
- decode the URI and verify its format
- display a request for authentication showing the domain name callback and ask for validation
- ask the user to pick up or create a Bitcoin address for the authentication (show the last Bitcoin address used if this is a known callback address)
- sign the BitID URI with the private key
- POST the signature, the URI and the public key to the callback URL
- completion dialog : success/retry/cancel
Please PM me for more details and specifications.
Eric
Hi Eric, I have been toying around with a VERY similar login mechanism, just never got around to spec it. Great minds think alike :-)
Classical password authentication is an insecure mess that could be solved nicely with public key cryptography. The problem however is that it offloads a lot of complexity and responsibility on the user. Managing private keys securely is really hard. The good news is that this is already being solved in bitcoinland, simply because we have to (if you don't have exclusive control over your private keys you don't have any bitcoin), so doing public key authentication is practically a free lunch to bitcoiners.
PM sent.
Comments:
- This should be formalized as a BIP
- The bitid request should optionally contain (a prefix of) the bitcoin address to sign with to allow automatic private key selection for the user
- I suggest that the callback URL is reduced to https only and possibly only to the host name and path (no parameters), and then URL encoded. This makes the bitid shorter and human readable. Instead of ...&c=aHR0cHM6Ly93d3cuc2l0ZS5jb20vY2FsbGJhY2s%3D it would just have ...&c=www.site.com%2Fcallback
- The server side does not need to have the public key of the user, the bitcoin address + signature is enough for verification
- The signature on the bitid should be prefixed with "Bitcoin Signed Message:\n" as any other Bitcoin signed message
This is just what I had in my head, I am certain that others want to chip in too. Please make a separate thread for discussing the BIPification of bitid.
|
Mycelium lets you hold your private keys private.
|
|
|
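The two concrete points in the comments above (a host-and-path callback with https implied, and the "Bitcoin Signed Message:\n" prefix on what gets signed), worked as an added example; it is not code from any post, from BitID or from Mycelium. Only the two `c=` values come from the thread; the `login` host and the `x=` nonce in the sample URI are constructed placeholders, and all function names are hypothetical.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

MAGIC = b"Bitcoin Signed Message:\n"  # standard Bitcoin message-signing prefix
# Host plus optional path only: no scheme, port, userinfo, query or fragment.
HOST_PATH = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(/[A-Za-z0-9._~/-]*)?")

# Constructed sample: only the c= values come from the thread; "login" and the
# x= nonce are placeholders for the part the post elides with "...".
SAMPLE = "bitid://login?x=constructed-nonce&c=www.site.com%2Fcallback"
LEGACY_C = "aHR0cHM6Ly93d3cuc2l0ZS5jb20vY2FsbGJhY2s="  # base64 form quoted in the post


def callback_from_bitid(uri: str) -> str:
    """Return the https callback named by c=, or raise ValueError."""
    parts = urlsplit(uri)
    if parts.scheme != "bitid":
        raise ValueError("not a bitid:// URI")
    values = parse_qs(parts.query).get("c", [])  # parse_qs percent-decodes
    if len(values) != 1 or not HOST_PATH.fullmatch(values[0]):
        raise ValueError("c= must be a single host/path without parameters")
    return "https://" + values[0]  # https is implied, never taken from the URI


def legacy_callback(c_value: str) -> str:
    """Decode the base64 c= form, which a user cannot read before confirming."""
    return base64.b64decode(c_value).decode("ascii")


def varint(n: int) -> bytes:
    """Bitcoin compact-size length prefix (up to 0xFFFF is enough for a URI)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    raise ValueError("message too long for this example")


def signed_message_preimage(message: str) -> bytes:
    """Bytes that get hashed; the prefix separates message signatures from transaction signatures."""
    body = message.encode("utf-8")
    return varint(len(MAGIC)) + MAGIC + varint(len(body)) + body


def signed_message_digest(message: str) -> bytes:
    """Double SHA-256 the wallet signs and the server recomputes from the URI."""
    return hashlib.sha256(hashlib.sha256(signed_message_preimage(message)).digest()).digest()


if __name__ == "__main__":
    print(callback_from_bitid(SAMPLE), signed_message_digest(SAMPLE).hex())
```

The wallet would show the host returned by `callback_from_bitid` in its confirmation dialog; the server recomputes the same digest from the URI it issued before checking the signature against the address.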
EricKennedy
|
|
April 04, 2014, 08:44:10 AM |
|
Following Jan's advice, I published a draft BIP in the development section of the forum: https://bitcointalk.org/index.php?topic=557037.0
Thanks Jan for your suggestions, I already updated some of the document to take them into account. I took the liberty of quoting you in the "Rationale" section. Your "free lunch" text was really good
|
|
|
|
runam0k
Legendary
Offline
Activity: 1092
Merit: 1001
Touchdown
|
|
April 04, 2014, 09:41:33 AM |
|
Is it intentional that when you scan in a new private key it doesn't ask you to make a new backup?
Yes. The wallet only requires you to verify backups of keys generated internally. Imported keys already have an external source, and are assumed to be backed up already.
Makes sense but an option to back up each/all wallets would be nice.
|
|
|
|
RGBKey
|
|
April 04, 2014, 06:14:34 PM |
|
Is it intentional that when you scan in a new private key it doesn't ask you to make a new backup?
Yes. The wallet only requires you to verify backups of keys generated internally. Imported keys already have an external source, and are assumed to be backed up already.
Makes sense but an option to back up each/all wallets would be nice.
I still made a new backup and it included the private key I imported. I destroyed the original copy of the private key, it was a vanity address generated piecewise.
|
|
|
|
drakoin
|
|
April 05, 2014, 12:53:48 AM Last edit: April 06, 2014, 09:47:13 AM by drakoin |
|
I have just tried out your mycelium, in the 1.1.10 version, in my android emulator "bluestacks". Great program! Kudos.
I was very interested to see this: http://www.cryptocoinsnews.com/news/the-mathematically-secure-way-to-accept-zero-confirmation-transactions/2014/02/13
But neither sending nor receiving, I could find that "transaction confidence" display. Please advise. As a funny sidenote, my multibit is still busy confirming the first tx while the money is already back in a 2nd tx.
Secondly, I have a feature request ... even easier handling for local non-nerdy people: Show not one but two fields for the amount to send/receive, one in bitcoin (like now), and one in Euro (USD/Yen/...); when I choose to input into either, the other one is automatically updated. Then someone can type in 99 Euros, and it's immediately calculated into 0.30228085 BTC, using the current exchange rate.
Thirdly, feature request, and easier than the above: Show the current exchange rate always and everywhere, not only in the main dialog. It's very important e.g. on the send tab. Not so important anymore when you have implemented the above - but now it is.
Thanks a million. Love your program! ;-)
|
no sign of a signature
|
|
|
Newar
Legendary
Offline
Activity: 1358
Merit: 1001
https://gliph.me/hUF
|
|
April 06, 2014, 08:36:34 AM |
|
Show not one but two fields for the amount to send/receive, one in bitcoin (like now), and one in Euro (USD/Yen/...)
That's there already, just tap the blue BTC field in the "amount" dialog. It will switch to your currency (selected in settings).
|
|
|
|
drakoin
|
|
April 06, 2014, 09:43:23 AM |
|
Show not one but two fields for the amount to send/receive, one in bitcoin (like now), and one in Euro (USD/Yen/...)
That's there already, just tap the blue BTC field in the "amount" dialog. It will switch to your currency (selected in settings).
Ah, very nice. It works very well, thanks. It's just not so obvious to notice. I adapt my feature request: Have an option to switch "default input currency" from BTC to (EUR/USD/YEN ...)
Plus still the other feature request, and the transaction-confidence question in https://bitcointalk.org/index.php?topic=293472.msg6077458#msg6077458
|
no sign of a signature
|
|
|
apetersson
|
|
April 08, 2014, 08:27:53 AM |
|
Our systems have been patched to be protected from CVE-2014-0160. Nevertheless, we must assume that - for 8 hours after publication of this bug - it was theoretically possible to extract the ssl private keys. therefore, we will exchange the hard-pinned SSL keys on the clients to continue to protect the privacy of our users.
see also:
http://filippo.io/Heartbleed/#mws1.mycelium.com
http://filippo.io/Heartbleed/#mws2.mycelium.com
of course, this has nothing to do with the user private keys. even if we kept that bug open, your funds would still be safe.
|
|
|
|
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
April 09, 2014, 07:15:55 AM |
|
Is there more information on this? I am confused with how mycelium was affected by the heartbeat exploit, and what the possible repercussions may be.
Sincerely, Mycelium user
The Heartbleed attack allows an attacker to read the memory of the targeted server if it uses HTTPS. The Mycelium backend servers use apache as a front end and Heartbleed allowed an attacker to read the memory of the apache server. This could potentially enable the attacker to get to the https certificate private key of the server. Our servers were patched within hours of the announcement, and the probability of anyone targeting our servers in that time frame is low. In any case we are in the process of rotating the certificates with new ones.
Are my bitcoins safe?
Yes. Our servers hold no passwords or private keys (other than the HTTPS certificate). Our servers function as a super fast index over the blockchain, which is public data held on every bitcoin node out there. Your Bitcoin private keys are only on your device (and hopefully in your encrypted backups)
What is the worst thing that can happen if your https certificate private key is leaked?
In the worst case scenario someone has a copy of our https certificate private key, which means that the communication between your wallet and our servers is not encrypted (to them). We consider this very unlikely but will rotate certificates anyway. Have in mind that the communication on the bitcoin network is also not encrypted.
|
Mycelium lets you hold your private keys private.
|
|
|
Suzuki
Newbie
Offline
Activity: 58
Merit: 0
|
|
April 09, 2014, 09:45:49 AM |
|
This wallet for Android has become my favorite one. I have been very happy with it so far. Wish it is going to update and become even better ! I have no complaints - really glad to use it!
|
|
|
|
birr
|
|
April 12, 2014, 12:55:11 PM |
|
I just installed mycelium on my android tablet and I have a question about the backup.
The pdf says it contains "keys." Does it contain keys or does it contain one key? Basic users (who don't operate in expert mode) only have one key, from what I understand. A previous post in this thread seems to indicate that the backup does include other imported keys. The pdf wording is pretty skimpy. If it's backing up the entire wallet, it should say so. Could you please explain it better?
|
|
|
|
runam0k
Legendary
Offline
Activity: 1092
Merit: 1001
Touchdown
|
|
April 15, 2014, 11:42:43 AM |
|
Is there an ETA for the buying/selling platform?
|
|
|
|
apetersson
|
|
April 15, 2014, 12:54:41 PM |
|
I just installed mycelium on my android tablet and I have a question about the backup.
The pdf says it contains "keys." Does it contain keys or does it contain one key? Basic users (who don't operate in expert mode) only have one key, from what I understand. A previous post in this thread seems to indicate that the backup does include other imported keys. The pdf wording is pretty skimpy. If it's backing up the entire wallet, it should say so. Could you please explain it better?
The "Keys" tab is really only needed if you want to do complicated things in expert mode, or if you want to restore a backup. If you have a default install you have only one key. Yes, the PDF could be nicer and more precise in its wording. We have good reasons to rewrite the PDF rendering (UTF support) but we are still looking for the right library to do this. most libraries which do it properly use proprietary closed source binaries. the very nice PdfDocument is unfortunately only for Android 4.4: https://developer.android.com/reference/android/graphics/pdf/PdfDocument.html
And to answer your question: YES, it backs up the entire wallet, and if you verified the backup you don't need anything else. unlike bitcoin-core you will not be required to repeat the backup process.
|
|
|
|
apetersson
|
|
April 15, 2014, 01:00:55 PM |
|
Is there an ETA for the buying/selling platform?
Yes. basically, it is launched already if you join the beta testers group or if you compile it from source yourself. there you will be able to create offers and trade already. it will be pushed via the official channel very soon. we are just coordinating on the media releases.
|
|
|
|
birr
|
|
April 15, 2014, 09:28:24 PM |
|
I want to use mycelium on two devices. How can I sync them?
|
|
|
|
MfJonesy
Newbie
Offline
Activity: 6
Merit: 0
|
|
April 16, 2014, 04:42:15 AM |
|
I'm no expert but can't you just import the encrypted PDF backup from the first device into the second? I think you would also need to import into the second device any addresses that were imported into the first device, as these aren't included in the PDF backup, I think. But I'm still new to all this and haven't tried it so I hope the devs will give a proper response.
|
|
|
|
Rassah
Moderator
Legendary
Offline
Activity: 1680
Merit: 1035
|
|
April 16, 2014, 02:17:04 PM |
|
http://youtu.be/2_h9ZZwhwBg
The latest major Mycelium feature, called Local Trader, is finally out of beta and available to everyone. With Local Trader, the development team at Mycelium sought to answer a question often posed by those new to bitcoin: Now that I have a bitcoin wallet, how do I get some bitcoins? Local Trader lets those who already have bitcoins to offer them for sale, and those who are looking to obtain bitcoins an easy to use interface to find those sellers in their area. This allows sellers to support their local Bitcoin economy and earn a little in the process.
Local Trader at a glance:
- All trades are person-to-person with cash for BTC.
- The servers mediating the trades hold no bitcoins or fiat.
- Bitcoin sellers create geographically pinned sell orders where they sell at a chosen exchange rate +/- a percentage.
- Bitcoin buyers can search for sell offers geographically, look for the best deals, and start a trade session.
- All trades use in-app end-to-end encrypted chat between the buyer and seller. Not even the Local Trader servers can read the contents.
- Buyer and seller can negotiate price and meeting place.
- As with the Mycelium Bitcoin Wallet, the source code of the Local Trader feature is open for review. You can compile and roll your own.
- The seller does not need to put funds into escrow; they are spent directly from his Mycelium Wallet.
- The buyer does not have to wait for confirmations - our revolutionary transaction confidence graph provides additional feedback on whether the transaction will in fact go through.
- A small 0.2% fee per side of the deal goes to supporting the infrastructure that we provide.
Initially, the trader options will be limited to standing sell offers and instant buy offers. Meaning only those who wish to offer to sell bitcoins for local currency will be able to create standing offers for buyers to search through. Later on, Local Trader will also add standing buy offers, for those who wish to offer the option of converting bitcoins to other currencies as well.
To enhance privacy, Local Trader eschews the login and password authentication method, and instead uses your wallet's private key to register and authenticate with the server, using the well established bitcoin key message signing feature. Also, all communication between buyers and sellers, such as when and where to meet, is encrypted using the traders' respective private keys. This means that the Mycelium servers that manage trades only know the bitcoin addresses, pseudonyms, coarse location, and trade history of the people involved, in effect making the system almost as pseudonymous as Bitcoin itself from the company's point of view.
Finally, when the traders meet and exchange cash, Mycelium's other new feature, the transaction confidence graph (currently limited to Local Trader) goes into effect, displaying the probability that the transaction that sends coins to the buyer's wallet will get included in the next block. To achieve this, Mycelium servers track the transaction as it propagates through thousands of nodes, as well as check it for possible double-spends, transaction malleability, long chains of unconfirmed inputs, proper transaction fees, and other possible issues. With this, traders can exchange cash and be on their way, fairly confident that the transaction was legitimate, without having to wait 10 minutes for a confirmation.
With the recent issues involving centralized exchanges shutting down or running away with money, and governments forcefully shutting down methods of getting money into exchanges, Mycelium hopes that this new feature will let anyone be a walking ATM, making exchanging bitcoins for other currencies much easier, and allowing traders to earn a bit of money in the process.
You can download the most recent version from Google Play store here, or directly from mycelium.com. For more info and HOWTO refer to: http://www.mycelium.com/lt/help.html
TL;DR: This is the most decentralized exchange you can use today. Decentralize ALL the things.
|
|
|
|
apetersson
|
|
April 16, 2014, 02:43:08 PM |
|
I want to use mycelium on two devices. How can I sync them?
create a backup on one phone, enable expert mode on the other phone and restore the backup. (the key that was already generated there before is most likely not needed any more so you can delete it or move to archive)
|
|
|
|
Technomage
Legendary
Offline
Activity: 2184
Merit: 1056
Affordable Physical Bitcoins - Denarium.com
|
|
April 16, 2014, 05:22:45 PM |
|
The new Local Trader feature is very impressive, at least on paper. Haven't tested it yet but that sounds reeeaally good.
|
|
|
|
|