Bitcoin Wallet for Android

[Andreas Schildbach]

Import public and / or private key by scanning QR code, so you can monitor and/or spend

Using a vanity address?

Trying out several mobile wallet apps, using the same set of keys?

Those will probably never be supported. Importing keys is dangerous. Vanity addresses are a broken concept. If you want to try out different wallet apps, why don't you try them out how they're supposed to work and send coins between them?

Keep private key on paper, and public key in wallet. To spend money, QR scan the private key, store only in memory, spend from private key, and wipe from memory, never saving to storage

This is a recipe for disaster. If you try that with Bitcoin Wallet, you likely will loose all your change from that paper wallet. So say you have stored your lifetime savings of 500 BTC on one paper wallet. Now you decide to pay a hefty doctor's bill from that wallet, let's say 10 BTC. The doctor will receive 10 BTC, the other 490 BTC will disappear into the void. So don't ever do this!

That said, I would like to support swiping paper wallets entirely. The trouble is, a true SPV client cannot do that. Someone would need to invent a new paper wallet format that not only includes the private key, but also the unspent outputs that go to the address (a bit simplified). If someone comes up with a BIP standard for that and manages to get community concensus, I'd happily be amongst the first to support that. Contact me if you're interested.

Delete private key and only keep public to monitor amount.

Generating a key offline for security reasons?

Another feature I would love to see is deterministic wallets. Back up only backs up the deterministic seed. Every time you spend from an address, all bitcoins are spent, with part going to the person receiving, and the change part going into a new address. The only empty address gets archived and is unused, but can be restored if needed.

Those should be covered with implementing BIP32. Work is on the way, but there is still much to do. Bitcoinj already has the algorithm, but somebody's got to do the wallet integration. And then of course, the UI needs to be adapted.

[1714022553]

1714022553

[1714022553]

1714022553

[1714022553]

1714022553

[1714022553]

1714022553

[Mike Hearn]

(Edit) It's worse now!  Unfortunately, there has been an insidious new thing added to this app.  It now automatically starts up in the background, on a timer!  Every few minutes, it pops up.  That's maddening, to say the least.  This happens no matter if your phone is on battery or on charger, so not only will it waste your network, it will waste your battery as well.  Beyond frustrated.  The developer, unfortunately, does not understand that this would be a problem to many people.  I have no choice but to empty my wallet and delete this app.

How are you observing this, by the way? Have you enabled the connection bars in the notification tray? I agree that would be annoying, which is why the indicator is now disabled by default. Try the same thing and you won't be able to see it start up.

The app doesn't "waste network or battery". Go and look at the actual usage in your data/battery usage screens. It's probably 1% or less. This issue exists in your head only.

[Rassah]

Keep private key on paper, and public key in wallet. To spend money, QR scan the private key, store only in memory, spend from private key, and wipe from memory, never saving to storage

This is a recipe for disaster. If you try that with Bitcoin Wallet, you likely will loose all your change from that paper wallet. So say you have stored your lifetime savings of 500 BTC on one paper wallet. Now you decide to pay a hefty doctor's bill from that wallet, let's say 10 BTC. The doctor will receive 10 BTC, the other 490 BTC will disappear into the void. So don't ever do this!

What? Why can't the change address simply be the paper wallet itself? Plus isn't this how Android Bitcoin Wallet works already, sending from it's main address, and sending all change right back to the same main address?

[Carlton Banks]

Sigh. I should have known better considering this app comes from a Google culture.

People do have a right to be able to choose when they run the software on devices that belong to them, disabling choice after so much good work has been done to get this app where it is is a real shame.

I shall be voting with my feet in the future: roll on Ubuntu phone project, they're much more likely to respect the right to choose, as well as people's intelligence. [...]

[Carlton Banks]

Please remove or re-label the "Disconnect" option, it is now clear that the function it implies is disingenuous

[Andreas Schildbach]

Please remove or re-label the "Disconnect" option, it is now clear that the function it implies is disingenuous

For now, you can uncheck "Connectivity Indicator" in the prefs. It will remove the Disconnect option at the same time.

[Mike Hearn]

What? Why can't the change address simply be the paper wallet itself? Plus isn't this how Android Bitcoin Wallet works already, sending from it's main address, and sending all change right back to the same main address?

The app doesn't know you imported a key from a paper wallet. Most wallets will not replace keys but add to them. Hence the problem.

Once again, you can disable background connectivity if you are running ICS+ using a feature in the OS. By the way, Andreas doesn't work for Google and never did, so that's a pretty stupid comment.

[Rassah]

What? Why can't the change address simply be the paper wallet itself? Plus isn't this how Android Bitcoin Wallet works already, sending from it's main address, and sending all change right back to the same main address?

The app doesn't know you imported a key from a paper wallet. Most wallets will not replace keys but add to them. Hence the problem.

So, then, what are the risks with Mycelium that people should be worried about? Is there a change that, when you tell it to spend from a paper wallet, that it can create an address it doesn't own private keys to to send change to? I'm having trouble getting this, as I thought the sending and receiving change was typically straightforward...

P.S. sorry for pestering you, I just want to make sure I understand this right.

[Carlton Banks]

By the way, Andreas doesn't work for Google and never did, so that's a pretty stupid comment.

It aids the comprehension of your insults (and the understanding of your character) if:

- they're addressed at the person you're quoting
- failing that, that they address the assertions of any comments that your name calling could possibly be attributed to
- failing that, that your stated solution to the pertaining comments is anything more than heaping inconvenience upon conceited and unnecessary cultural impositions. There is no good reason to follow these cultural dogmas

Your conduct sounds, well, pretty stupid in light of the above

[Jan]

What? Why can't the change address simply be the paper wallet itself? Plus isn't this how Android Bitcoin Wallet works already, sending from it's main address, and sending all change right back to the same main address?

The app doesn't know you imported a key from a paper wallet. Most wallets will not replace keys but add to them. Hence the problem.

So, then, what are the risks with Mycelium that people should be worried about? Is there a change that, when you tell it to spend from a paper wallet, that it can create an address it doesn't own private keys to to send change to? I'm having trouble getting this, as I thought the sending and receiving change was typically straightforward...

P.S. sorry for pestering you, I just want to make sure I understand this right.

When you use the Cold Storage spending feature in Mycelium it knows that you are spending from an external private key (e.g. paper). It creates an in-memory one-key wallet for this one spending. After that it is wiped from memory. If there is any change left it gets sent back to the one key where it came from (e.g. paper). Note that even though Mycelium only has the private key in memory very briefly your private key is only as safe as your device was at the time of spending. A very sophisticated app that has root privileges on you device might snag it from memory. For optimal security use a dedicated device. An old second hand device will do if you nuke it to factory defaults, install cyanogenmod, no SIM, and only install and use for this purpose.

[Mike Hearn]

Right, the difference is that Mycelium Wallet has explicit support for the paper wallet use case, so it knows how to manage keys appropriately. At the moment Bitcoin Wallet doesn't.

Probably the right way to support paper wallets in SPV clients is to have the app take you through the process of creating them, printing them out, etc. The app can then keep the public key on the device all the time so it's always synchronised. There's no "import" step and no need for rescanning. The app knows it's a paper wallet and can manage change appropriately. Android is now integrated with the "cloud print" thingy that Google is pushing so you could print a wallet directly from your tablet or phone. Or it can just create a PDF and let you print that however you want, both are easy. Or encode the key as words and you write them down by hand.

I think a part of doing this feature is also to separate out the "paper wallet as a backup" use case, from the "paper wallet as offline storage against malware protection" use case. The latter is less convincing to me than the former, because as Jan points out sufficiently well written malware can just wait until you want to access the money in your offline wallet. Support for Trezor is possible on phones and tablets - that's probably the better way to fight malware. Paper wallets then become a last-chance backup mechanism in case your online backups are destroyed or lost. You'd make a backup of your root key and can then import it if you lose your regular backups. Import doesn't have to be fast because losing your regular digital backups should be a rare occurrence.

[Andreas Schildbach]

Sure, having a backup of the root key / seed of your deterministic wallet is a very understandable usecase. Though I'd personally rather write the numbers down manually - you only need to do it once.

Anyway, I think when people ask for paper wallets most of them want to give them away, use them as a form of offline payment.

[Mike Hearn]

Yeah, so use them as a bearer token effectively.

Raw private keys aren't a great way to do that. An actual wallet stored somewhere online is better. Then the qrcode can just contain a URL to the wallet. It could be encrypted and the password hidden under a scratch card if need be.

[hgmichna]

Android is now integrated with the "cloud print" thingy that Google is pushing so you could print a wallet directly from your tablet or phone.

Hoping, of course, that none of Google's cloud administrators is into collecting private keys to beef up his pension after resigning from that highly lucrative job.

Seriously, I would not even let my private key run through any Windows computer, much less through a cloud. If you cannot print without the key making larger rounds outside your well-protected wallet (a single-purpose Android device or similar), it is much safer to copy and write it down manually, as Andreas already recommended.

[TierNolan]

Hoping, of course, that none of Google's cloud administrators is into collecting private keys to beef up his pension after resigning from that highly lucrative job.

Armory has a "print-safe" system.  You write an additional (short) unlock key on the paper backup.

[Krellan]

(Edit) It's worse now!  Unfortunately, there has been an insidious new thing added to this app.  It now automatically starts up in the background, on a timer!  Every few minutes, it pops up.  That's maddening, to say the least.  This happens no matter if your phone is on battery or on charger, so not only will it waste your network, it will waste your battery as well.  Beyond frustrated.  The developer, unfortunately, does not understand that this would be a problem to many people.  I have no choice but to empty my wallet and delete this app.

How are you observing this, by the way? Have you enabled the connection bars in the notification tray? I agree that would be annoying, which is why the indicator is now disabled by default. Try the same thing and you won't be able to see it start up.

The app doesn't "waste network or battery". Go and look at the actual usage in your data/battery usage screens. It's probably 1% or less. This issue exists in your head only.

Yes, I enabled the connection bars.  However, we're at a fundamental misunderstanding here.  Hiding the connection bars will only mask the problem, making it less visible.  The problem is that this app wakes up in the background and does its stuff, and the user has no way to disable this unwanted behavior.  Do you see this?  Do you realize this?

Before I deleted it, it had used 5% of my battery.  That's not just in my head!

[Krellan]

Sigh. I should have known better considering this app comes from a Google culture.

People do have a right to be able to choose when they run the software on devices that belong to them, disabling choice after so much good work has been done to get this app where it is is a real shame.

I shall be voting with my feet in the future: roll on Ubuntu phone project, they're much more likely to respect the right to choose, as well as people's intelligence. [...]

Thank you!

Somebody agrees with me!

I'm not the only one who thinks that this app running in the background, burning up data plan and battery, is not the best idea!

It's a great app, don't get me wrong on that, I just wish it would have a way of not running until it was time for the user to actually want to use it.

A single checkbox, that would be strictly obeyed by the app, would make all the difference:

[ ] Run in background

Uncheck this, and it would never run except when in the foreground.  No hooking the reboot event, to run then.  No hooking the charger connection event, to run then.  No running on a periodic timer, either.  Simply do not run at all, unless the app is in the foreground.  That's really it.  That's all we want.

Your words are effective.  I can't seem to communicate to the developers, they are deflecting my requests, and patronizing me by merely adding a link to the "Data Usage" settings screen.

[Carlton Banks]

Sigh. I should have known better considering this app comes from a Google culture.

People do have a right to be able to choose when they run the software on devices that belong to them, disabling choice after so much good work has been done to get this app where it is is a real shame.

I shall be voting with my feet in the future: roll on Ubuntu phone project, they're much more likely to respect the right to choose, as well as people's intelligence. [...]

A single checkbox, that would be strictly obeyed by the app, would make all the difference:

[ ] Run in background

Uncheck this, and it would never run except when in the foreground.  No hooking the reboot event, to run then.  No hooking the charger connection event, to run then.  No running on a periodic timer, either.  Simply do not run at all, unless the app is in the foreground.  That's really it.  That's all we want.

Your words are effective.  I can't seem to communicate to the developers, they are deflecting my requests, and patronizing me by merely adding a link to the "Data Usage" settings screen.

It's a cultural thing with the Android apps, there's ostensibly a performance advantage to having all apps as background processes, and so developers are (seemingly) ushered into this mentality. But the same reason that makes that true (low latency persistent Flash memory) also makes it false, so it seems more like just hiding usability from the user: why not let the user choose? Would that really be so unconscionable? With so many apps that require network permissions, it just seems like it's increasing the attack surface for any potential hacker. Maybe they prefer to simplify the interface, but I don't believe that, they must realise that the older generation are less likely to take Android on, and the young can adapt to mostly anything, and that's what bothers me about their whole disfigurement of computing culture: it's like they're trying to indoctrinate people to expect a narrower range of choices, all for the sake of removing a single menu item. Can't wait til they disable use of apps without a signature from the Play store  

[arklan]

Anyone know how to disable that sound the app makes when sending payments?

[hgmichna]

… it's like they're trying to indoctrinate people to expect a narrower range of choices, all for the sake of removing a single menu item. …

Removing a menu item is very valuable, particularly if the menu item is superfluous. Android is for mobile phones, and mobile phones are for everybody, not just for technophiles.

Here are some utterly negative examples from the advanced Wi-Fi settings: "Keep Wi-Fi on during sleep", "Scanning always available", "Avoid poor connections", "Wi-Fi frequency band", and in a sarcastic sense my personal favorite: "Wi-Fi optimization" - "Minimise battery usage when Wi-Fi is on". Next they will probably introduce: "Minimise battery usage when Wi-Fi is off". None of these settings should be there, as the phone can make a much better decision for each of them than any normal phone user. They are outstanding examples of the designed-by-engineers-for-engineers category.

An app should never offer the user any choice that has no significant effect on the result for the ordinary end user.