Bitcoin Forum
Topic: Some thoughts about wallets. Random thoughts from Dave.  (Read 443 times)
DaveF (OP)
December 15, 2019, 07:49:39 PM
#1

So there is a post here:
https://bitcointalk.org/index.php?topic=5209504.0

About "is your Android wallet secure". Now I have some issues with the article, how it is written, and some other things, but that is me. It basically discusses whether the github version matches the compiled download for Android devices. Is it open source, is it custodial, etc.

But that brings up another point which is, is that important? And what is?

Going back to here: https://bitcointalk.org/index.php?topic=5205304.0 where I was talking about how to help new people pick their wallet, this also brings up the point that what is secure and good for you might not be what is good and secure for me. I used to like Mycelium more but I have really started to drift away from it. For my own personal use I have moved to 2 separate mobile wallets. Both of which would make most people scream ARE YOU NUTS?? One is closed source (with some unverified complaints) and the other is custodial. But for me they do work, for others they might not.

So this point here is:

Since most of us can't really read the 1000s and 1000s of lines of code, and even if we could we may or may not compile it to verify what is on github matches what we just downloaded, which may or may not matter if they admit github might be a version or 2 behind what is being downloaded, but the phone auto-updates the app anyway. Which then does not matter since we probably don't know the security procedures in place for them to upload the update to the playstore anyway.

Aren't we just making ourselves feel good? Think about it. Coinomi is closed source. If they put in code to send all the coins in all their installed wallets to them, we can't do anything about it. And we will not know till all our funds are gone.

BUT

Blockstream Green Wallet is open source, and you can verify the build the same way as listed in the article. But it still auto updates from the play store. Do we really know if the username and password for the account that they use to upload to the store is secure along with the 2fa? Or is the user / pass on a post-it note on the monitor with the 2fa usb device left sitting plugged into the USB port on the computer that does the uploads? If someone goes evil Friday at 3:45PM as everyone is walking out of the office, by the time everyone figures it out Monday AM it's all over.

Same with custodial vs non custodial? Yeah Coinbase has its issues, but you know what else it has? Insurance & a phone number to call. I KNOW Not your keys / not your coins. But if you trade just about any financial instrument (stocks / bonds / currency) 99% of the time you don't have the actual bonds / stock certificates / cash anyway. Other than logging into my trading account I really can't prove I own "X" shares of "Y" stock. If I want the actual certificate I have to PAY a lot to have it created and mailed to me. So long as it's at a place like Coinbase and not Dave's unknown exchange does it matter that much? Yeah, they can spring KYC on you at any moment. But you know what, so can any payment gateway. I'm not saying leave real amounts of BTC there.
With that being said...
But, in a hot phone wallet does it matter? If you have more than spending amounts in your phone isn't this all kind of moot? Because...wait for it....phones & PCs are not that secure by themselves at the end of the day....

I can go on, but I just wanted to put this all down again

-Dave

The Sceptical Chymist
December 15, 2019, 07:59:19 PM
Merited by DaveF (2)
#2

Quote from: DaveF
Aren't we just making ourselves feel good?
For you and me, I'd say kind of.  I certainly don't have the knowledge necessary to verify any wallet's code to make sure it's secure--I don't know any coding whatsoever, so I have to rely on the expertise of people with that knowledge who vouch for which wallets are safe.  That's good enough for my purposes.

Then again, I don't use mobile wallets much anymore, nor did I ever keep many coins on the Coinomi wallet which I was a fan of for a long time.  I don't like the fact that they're closed source, and using a hardware wallet is just the smarter move for storing altcoins. 

There haven't been any hacks on Mycelium, Electrum, or any of the software wallets for mobile as far as I know, and you would think that if the devs had the ability to steal your coins they would have done that long ago.  So I tend to trust those two wallets and a couple more, even though I can't verify that everything is safe myself.  That's just how it goes with me; there has to be some level of trust in the makers of these wallets--and other apps, too.

Always like hearing your opinions, Dave.

figmentofmyass
December 15, 2019, 10:09:58 PM
Merited by DaveF (2)
#3

Quote from: DaveF
But, in a hot phone wallet does it matter? If you have more than spending amounts in your phone isn't this all kind of moot? Because...wait for it....phones & PCs are not that secure by themselves at the end of the day....

no, it doesn't really matter. mobile apps and custodial wallets are both high risk. it's always prudent to limit risk exposure either way. tbh i just avoid both. brick-and-mortar spending usually calls for buying gift cards, so i just buy those at home and keep all my private keys offline.

DaveF (OP)
December 15, 2019, 10:40:42 PM
#4

Quote from: DaveF
But, in a hot phone wallet does it matter? If you have more than spending amounts in your phone isn't this all kind of moot? Because...wait for it....phones & PCs are not that secure by themselves at the end of the day....

Quote from: figmentofmyass
no, it doesn't really matter. mobile apps and custodial wallets are both high risk. it's always prudent to limit risk exposure either way. tbh i just avoid both. brick-and-mortar spending usually calls for buying gift cards, so i just buy those at home and keep all my private keys offline.

Exactly, and I think that is actually what got me annoyed at the post / article. I really could not figure it out. Now I can.
It's the title: "Is your wallet secure". The next line really should have been: "Duh, of course not, it's on a phone that is vulnerable, in an environment that is vulnerable. But these wallets might possibly be a tiny bit safer than others".

Quote from: The Sceptical Chymist
Always like hearing your opinions, Dave.

Thanks :-)

Enjoy the rest of the weekend everyone.
-Dave

eddie13
December 15, 2019, 10:51:18 PM
Merited by DaveF (2)
#5

I have mostly used an exchange as a hot wallet and my Ledger Nano S as a cold wallet..
Also having a seed memorized and being able to get to that coin from anywhere in the world in case of some emergency, yet being very secure, is quite appealing to me..

I don't really trust anything on a phone, or do much of anything on a phone, but have used Mycelium wallet and probably played with a few other app wallets but I don't trust them much at all..

pooya87
December 16, 2019, 04:13:00 AM
Merited by DaveF (2), ABCbits (2), hugeblack (1), o_e_l_e_o (1), Heisenberg_Hunter (1)
#6

if we don't look at things in black and white (100% safe or 100% scam) then we can see that there is a big range of possibilities between being safe and being completely risky. then we can come up with an assessment and a rate that can help us decide how much bitcoin we want to put in that wallet.

you can start a list of things to look at:
1) what device it runs on?
PC is safer than a ("portable") phone, since you carry the phone around!
then a cold storage (like paper) is safer than hot wallet on PC.

2) what programming language it is written in and how it handles its dependencies?
i just leave this here: https://bitcointalk.org/index.php?topic=5206906.0

3) how old and how popular is the project?
being older and being more popular means more people have looked at the code and have been using it. it is not just about being a scam but also about having bugs, and more popularity means fewer bugs since they are found more easily and fixed.

4) being open source?
this is not about "you" looking at the code. it goes hand in hand with popularity and how many others have looked at the code.

5) having deterministic builds?
being open source is not enough since the majority of users are downloading the binaries. there is a simple solution for that called "reproducible or deterministic builds", it simply means no matter who builds the binaries from source code they all end up with the same final file hash. unfortunately the majority of wallets don't have that: https://bitcointalk.org/index.php?topic=5195281.0


now we can rate different wallets. example out of 10:

#       electrum   coinomi
1)      8          3
2)      8          6
3)      9          5
4)      10         0
5)      10         0
---------------------------
total   45         14

now it is easier to decide how much money to leave where.
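The deterministic-build check described in point 5 above, as an added example that is not code from this thread or from any wallet project: a Python script that compares a locally built APK with the copy distributed through the app store. The two files will never have the same raw hash, because the publisher's signature is added after the build, so the comparison is done entry by entry with the v1 signature files in META-INF/ excluded (the v2/v3 APK Signing Block lives outside the zip entries and is skipped automatically). The package name, file contents and the three sample archives are constructed here for illustration; a real check follows the wallet's own published reproducibility instructions.

```python
"""
Compare a locally built APK (any zip-based artifact works) with the one
distributed through an app store, the way reproducible-build checks do.

The store copy is signed, so its raw file hash differs from a local build
even when every class and resource is identical. Comparing entry by entry
with signature entries excluded separates "same code" from "same signer".
All sample archives below are constructed in memory; they are not real
wallet builds.
"""
import hashlib
import io
import zipfile

# v1 (JAR) signing metadata that legitimately differs between a signed
# release and an unsigned local build.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_NAMES = {"META-INF/MANIFEST.MF"}


def is_signature_entry(name: str) -> bool:
    """True for signature metadata entries that the comparison ignores."""
    upper = name.upper()
    return name in SIGNATURE_NAMES or (
        upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES)
    )


def entry_digests(data: bytes) -> dict:
    """Map each non-signature zip entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(local: bytes, store: bytes) -> dict:
    """Report whether every non-signature entry matches between two builds."""
    a, b = entry_digests(local), entry_digests(store)
    only_local = sorted(set(a) - set(b))
    only_store = sorted(set(b) - set(a))
    changed = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return {
        "reproducible": not (only_local or only_store or changed),
        "only_in_local": only_local,
        "only_in_store": only_store,
        "changed": changed,
        # Shown only to make the point: the whole-file hash is not the test.
        "raw_sha256_equal": hashlib.sha256(local).digest() == hashlib.sha256(store).digest(),
    }


def make_apk(entries: dict) -> bytes:
    """Build a minimal zip in memory (constructed test data, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: what a local build from the published source produces.
_CODE = {
    "classes.dex": b"dex\n035\x00wallet code v1.0",
    "AndroidManifest.xml": b"<manifest package='example.wallet'/>",
    "res/layout/main.xml": b"<LinearLayout/>",
}
# Signature entries a publisher adds when signing the release.
_SIGNING = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82placeholder-pkcs7",
}

LOCAL_BUILD = make_apk(_CODE)
STORE_BUILD = make_apk({**_CODE, **_SIGNING})
# A signed store build whose code does not match the published source.
TAMPERED_BUILD = make_apk({**_CODE, "classes.dex": _CODE["classes.dex"] + b" + extra", **_SIGNING})

if __name__ == "__main__":
    print(compare_builds(LOCAL_BUILD, STORE_BUILD))
    print(compare_builds(LOCAL_BUILD, TAMPERED_BUILD))
```

A matching report says only that the code in the store build is what the published source produces; it says nothing about who signed it, whether the source itself was reviewed, or how the upload account is protected, which is the separate release-process question DaveF raises.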

Pmalek
December 16, 2019, 09:35:13 AM
Merited by DaveF (2)
#7

I agree with most of the things Dave said. I certainly don't have the knowledge to inspect a piece of code and know what it does. But I do like the fact that others who know what they are looking for have the possibility to inspect it. That is why I stick to the well-known brands. I prefer names that have been in the game for several years. I'm skeptical towards new brands, open source or closed source. I'd rather give the community time to inspect the new wallets before I use them. I use both open source and closed source wallets. Even my Ledger is partially closed source. I have used Coinomi on my Android phones with small amounts and mostly for altcoins and have never had any issues with it.

Wind_FURY
December 16, 2019, 10:55:07 AM
Merited by DaveF (2)
#8


Quote from: DaveF
Same with custodial vs non custodial? Yeah Coinbase has its issues, but you know what else it has? Insurance & a phone number to call. I KNOW Not your keys / not your coins. But if you trade just about any financial instrument (stocks / bonds / currency) 99% of the time you don't have the actual bonds / stock certificates / cash anyway. Other than logging into my trading account I really can't prove I own "X" shares of "Y" stock. If I want the actual certificate I have to PAY a lot to have it created and mailed to me. So long as it's at a place like Coinbase and not Dave's unknown exchange does it matter that much? Yeah, they can spring KYC on you at any moment. But you know what, so can any payment gateway. I'm not saying leave real amounts of BTC there.

-Dave


I believe that this should never ever be encouraged in the community. The more Bitcoin is held under the custody of a "centralized service", the more it becomes vulnerable under central banking schemes.

Encourage the development of new protocols for exchange, like BISQ.

For context, https://bitcointalk.org/index.php?topic=5209931.0

jackg
December 16, 2019, 11:27:41 AM
Merited by DaveF (2)
#9

Not sure if it's mentioned in that article but there are at least 2 ways you can compile some code (might not be true for compiling straight into something the os can run):
  • compiling for memory efficiency
  • compiling for cpu efficiency

There are things you can do to test the build of a wallet too. You don't have to go through something line by line exactly; you just have to look at what's run at what point (normally passing it to an interpreter) or what's sent along the network (typically if communications aren't encrypted). It's much faster to do a dry run or look at each line in turn to work out what it does. It'd take a really advanced programmer to hide some code that looks and acts like it does something different to what it actually does and randomly does something harmful; it'd probably take more effort than it's worth, as it may not be possible in a few strict languages.


With trusting an exchange to hold your funds you're putting a lot of trust in its team and its insurance. Have you checked the documents and what they actually cover if they store funds there?



On the topic of people who love to check signatures and go solely off that, it's good but it's not perfect, because you're trusting that person not to have accidentally stored their key somewhere they shouldn't, and you're also trusting their version of the compiled key signing engine... If they didn't verify that install, or there is even a piece of rogue software on their machine, then you could also be at risk if that adds malicious code to the binary.
o_e_l_e_o
December 16, 2019, 01:08:54 PM
Last edit: December 16, 2019, 07:44:55 PM by o_e_l_e_o
Merited by DaveF (2), pooya87 (1), ABCbits (1)
#10

Quote from: DaveF
phones & PCs are not that secure by themselves at the end of the day

Quote from: pooya87
if we don't look at things in black and white (100% safe or 100% scam) then we can see that there is a big range of possibilities between being safe and being completely risky.
I think this is the bottom line. There is no set up in the world which is 100% secure. There is a quote I like from Gene Spafford which goes as follows:

Quote from: Gene Spafford
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

Similarly, there is no wallet which is truly secure. Every wallet carries a risk, and every wallet involves trusting a third party at some point of the process. All we can do is evaluate how big that risk is for each wallet, and try to choose the ones with the smallest amount of risk.

Web wallets require a huge amount of trust. You have to trust the company running it (and everyone in that company) to not have written malicious or sloppy code, to not try to steal your coins, to not collaborate with an attacker, to have good security practices, to be storing your coins securely, and so on. You need to trust your web browser, your OS, your ISP, and so forth to not try to steal your login details, log your key presses, direct you to a phishing page, MITM attack you, not be infected with malware, and so on.

On the other end of the spectrum, a fully air-gapped machine or paper wallet is much safer, but is it 100% trustless? Did you generate your own entropy? Did you evaluate the program you used to turn that entropy into a seed, private keys, public keys, and addresses? What about the hardware it is being run on? What about the software on the printer you used to print it out? The chances of losing your coins to something like this are minuscule, but never 0%, hence the quote from Gene Spafford.

Having said all that, I use every type of wallet except web wallets. I appreciate that each has a different risk profile, and I store appropriate amounts of money in each. The amounts stored are inversely related to the safety and risk profile of each wallet: Large amounts in air-gapped and paper wallets, medium amounts in a hardware wallet, small amounts on a desktop and mobile wallet.
hugeblack
December 16, 2019, 01:27:22 PM
Merited by DaveF (2)
#11

Nothing is completely safe; risks are what make things valuable.
You can download 33 wallets to get some altcoins (you must download 33 open-source wallets, which many verified.)
If it is difficult, you have to sacrifice some security to easily download one wallet with one recovery seed.


On the other hand, web wallets are not bad, especially with small amounts that require the use of more than one device in more than one place.

The essential thing is to know and understand all the words before downloading any wallet. For example: Before a period I was using greenaddress and I did not understand the meaning of multi-sig, which faced me a lot when I wanted to extract the private keys.

buwaytress
December 16, 2019, 03:18:46 PM
Merited by DaveF (2)
#12

Fair point you made, and I just commented elsewhere about Coinbase BUT it's worth noting that insurance and a contact number don't mean squat if the customer service is unhelpful and the insurance doesn't pay out.

I tell a lot of people the reason I don't have everything in BTC is because I'm hedging my risk. My fiat may lose value over time, but it also gains interest (so somewhat slows down devaluation) AND is fully insured for free by my government. YES, there is a chance they'll renege that promise, but they haven't yet.

Same why I tell people regulations could be a good thing for traders and speculators. Thanks to MtGox now all licenced exchanges in Japan MUST cover customer deposits with insurance. Hard to beat that kind of protection.

Like you said, until we all know better about coding and shit, we should practice typical security and safety. Don't put it all in one basket. And try and choose baskets that are better protected/insured.

ABCbits
December 16, 2019, 05:25:14 PM
Merited by DaveF (2)
#13

Regardless of what other people said, being open-source or partially open-source should be an important aspect when looking for a Bitcoin wallet.
People should remember that Bitcoin and most P2P protocols (Tor, BitTorrent, BitTorrent's DHT, etc.) were only able to succeed because they are open-source.

Wind_FURY
December 17, 2019, 06:40:23 AM
#14

Quote from: buwaytress
Fair point you made, and I just commented elsewhere about Coinbase BUT it's worth noting that insurance and a contact number don't mean squat if the customer service is unhelpful and the insurance doesn't pay out.

I tell a lot of people the reason I don't have everything in BTC is because I'm hedging my risk. My fiat may lose value over time, but it also gains interest (so somewhat slows down devaluation) AND is fully insured for free by my government. YES, there is a chance they'll renege that promise, but they haven't yet.

Same why I tell people regulations could be a good thing for traders and speculators. Thanks to MtGox now all licenced exchanges in Japan MUST cover customer deposits with insurance. Hard to beat that kind of protection.

Like you said, until we all know better about coding and shit, we should practice typical security and safety. Don't put it all in one basket. And try and choose baskets that are better protected/insured.


It's not a fair point. The ones who are "OK" with KYC/AML are probably the people who forgot about one of the reasons why cryptography, Bitcoin, exists. A path to socio-political change of the system. A system that tells you that you are a "criminal" unless you go through KYC/AML.

I know that it is sometimes impossible not to go through it, especially in times of necessity. But we should not forget.

o_e_l_e_o
December 17, 2019, 10:43:46 AM
#15

Quote from: ABCbits
Regardless of what other people said, being open-source or partially open-source should be an important aspect when looking for a Bitcoin wallet.
I agree. I also like to think of being open-source as decentralizing trust. If you don't have the ability or time as DaveF points out to review the code yourself, at least if it is open source then other people can and will flag up any issues. With a closed source wallet I have to trust the developer(s). With an open source wallet I can decentralize that trust from a single person or small team to an entire community.



Quote from: Wind_FURY
I know that it is sometimes impossible not to go through it, especially in times of necessity.
Don't want to go too far off topic here, but it's entirely possible not to go through it. I've never completed KYC for any bitcoin or crypto exchange, service, third party, what have you, and I have absolutely no trouble interacting with the bitcoin ecosystem. In fact, I would wager that I use bitcoin more often than the average person, spending it both online and in person on actual goods or services several times each week.
DaveF (OP)
December 17, 2019, 01:05:41 PM
Merited by o_e_l_e_o (2), ABCbits (1)
#16

Quote from: ABCbits
Regardless of what other people said, being open-source or partially open-source should be an important aspect when looking for a Bitcoin wallet.
Quote from: o_e_l_e_o
I agree. I also like to think of being open-source as decentralizing trust. If you don't have the ability or time as DaveF points out to review the code yourself, at least if it is open source then other people can and will flag up any issues. With a closed source wallet I have to trust the developer(s). With an open source wallet I can decentralize that trust from a single person or small team to an entire community.

But, unless someone is checking every build that gets released to the play store vs what is in github in somewhat real time, it is, as I said, a false security for most people.

As I said above, do you know who has the access to push the apk to the play store? Do you know what access and security controls they have to that PC that they upload the file from? Do you know what kind of internal reviews exist to make sure all code is internally reviewed? Oh, and can you prove all of the above?

Which is safer? A closed source wallet that has 2 levels of review and a separate PC in a secure area of a data center for uploading, OR an open source one where the main developer has every password saved on his laptop that they leave in their car so they can work in the coffee shop where they connect to the open WiFi?

Now, if you don't auto update and wait for people to review the code before compiling yourself that is a different story. But if you have your phone / tablet do the normal daily checks for updates then everything above is moot. 

Step 1 develop new wallet
Step 2 publish code and release app.
Step 3 update on a regular basis
Step 4 become evil
Step 5 keep updating as normal
Step 6 repeat #5 for a while
Step 7 release an update that steals coins to the app store / play store
Step 8 Run with the BTC

Yes you have to trust some people at some times, that is just a fact. But saying that open source is better or more secure, that is really pushing it. It lets you find bugs / security issues quicker. It does not make it more secure, unless you can verify the whole process.

What we should be telling people IMO is "Over time open source things have had better security but you cannot always rely on that fact. Use separate hardware wallets when possible and don't store life altering amounts of coin in a hot wallet"

https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html

As someone who deals with it likes to say to me:
"When the PCI compliance (Payment Card Industry) audit comes, remember to answer truthfully. They ask you if you store customers' credit card information on your computer, and you don't. They don't ask you if you have that information on post-it notes stuck to the wall in the warehouse, so you don't need to tell them that."

-Dave


o_e_l_e_o
December 17, 2019, 01:42:45 PM
#17

Quote from: DaveF
But, unless someone is checking every build that gets released to the play store vs what is in github in somewhat real time, it is, as I said, a false security for most people.
Oh absolutely. I think the Google and Apple app stores give people a lot of false security, not just in terms of apps matching their open source code, but also apps not spying on them, being outright malicious or malware, invasive permissions, being faulty, and so on. The criteria for being published on the stores are very minimal, and no one should assume that something that has been published has been vetted or that this automatically makes it safe or trustworthy.

Quote from: DaveF
Which is safer? A closed source wallet that has 2 levels of review and a separate PC in a secure area of a data center for uploading, OR an open source one where the main developer has every password saved on his laptop that they leave in their car so they can work in the coffee shop where they connect to the open WiFi?
Sure, but how can you prove the closed source wallet has 2 levels of review on a secure PC if not without trust?

> Now, if you don't auto update and wait for people to review the code before compiling yourself that is a different story.
I don't, and I don't think anyone should. I don't feel comfortable giving any app, program, or software the ability to automatically download and execute code on my devices.

> Step 1 develop new wallet
> Step 2 publish code and release app.
> Step 3 update on a regular basis
> Step 4 become evil
> Step 5 keep updating as normal
> Step 6 repeat #5 for a while
> Step 7 release an update that steals coins to the app store / play store
> Step 8 Run with the BTC
Something similar happened last year with the Copay wallet: https://www.coindesk.com/fake-developer-sneaks-malicious-code-into-bitpays-copay-wallet. Copay is open source, but a malicious third party obtained control over a JavaScript library dependency and it was pulled in to Copay updates without anyone realizing.

> But, saying that open source is better or more secure, that is really pushing it. It lets you find bugs / security issues quicker. It does not make it more secure. Unless you can verify the whole process.
I never said open source was automatically better, but it is better than closed source if you evaluate and verify the code before installing or updating. If you do this, then your point about it being edited from a coffee shop is moot. It doesn't really matter where the code was edited or who edited it if you are going to check it all first.

> What we should be telling people IMO is "Over time open source things have had better security but you cannot always rely on that fact. Use separate hardware wallets when possible and don't store life altering amounts of coin in a hot wallet"
Agree with this.
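The Copay case above, where a new dependency rode in through a routine update, is exactly what a lockfile diff makes visible. The following is an added example, not code from this thread or from any wallet project: it compares two npm package-lock.json snapshots and flags packages that appeared out of nowhere, version bumps, and the most suspicious case, an unchanged version whose tarball integrity changed. The lockfiles, integrity strings and tarball bytes are all constructed for the example (lockfileVersion 3 layout, versions chosen to resemble the event-stream / flatmap-stream incident, fake hashes).

```python
"""Diff two npm package-lock.json snapshots for supply-chain red flags.

Added example, not code from the thread or from any wallet project. The
lockfiles below are constructed: lockfileVersion 3 layout, made-up
"integrity" values (real ones are "sha512-" plus a base64 digest), and
versions chosen to resemble the event-stream 3.3.6 / flatmap-stream 0.1.1
incident. sri_of / sri_matches show how the integrity field is computed
and checked against a cached tarball; the tarball bytes there are fake too.
"""
import base64
import hashlib
import hmac
import json

OLD_LOCK_JSON = """{
  "name": "example-wallet", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-wallet", "dependencies": {"event-stream": "^3.3.4"}},
    "node_modules/event-stream": {"version": "3.3.4", "integrity": "sha512-CONSTRUCTED-es334"},
    "node_modules/map-stream": {"version": "0.1.0", "integrity": "sha512-CONSTRUCTED-ms010-a"}
  }
}"""

NEW_LOCK_JSON = """{
  "name": "example-wallet", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-wallet", "dependencies": {"event-stream": "^3.3.4"}},
    "node_modules/event-stream": {"version": "3.3.6", "integrity": "sha512-CONSTRUCTED-es336"},
    "node_modules/flatmap-stream": {"version": "0.1.1", "integrity": "sha512-CONSTRUCTED-fms011"},
    "node_modules/map-stream": {"version": "0.1.0", "integrity": "sha512-CONSTRUCTED-ms010-b"}
  }
}"""


def flatten(lock: dict) -> dict:
    """Map each installed package path to (version, integrity).

    Assumes the lockfileVersion 2/3 "packages" map; the root entry "" is
    the project itself and is skipped.
    """
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue
        out[path] = (meta.get("version"), meta.get("integrity"))
    return out


def audit(old_lock: dict, new_lock: dict) -> dict:
    """Classify every package path that differs between the two lockfiles."""
    old, new = flatten(old_lock), flatten(new_lock)
    report = {"added": [], "removed": [], "version_changed": [],
              "integrity_changed_same_version": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)  # code nobody asked for, pulled in transitively
        elif path not in new:
            report["removed"].append(path)
        else:
            (old_ver, old_sri), (new_ver, new_sri) = old[path], new[path]
            if old_ver != new_ver:
                report["version_changed"].append((path, old_ver, new_ver))
            elif old_sri != new_sri:
                # Same version, different tarball: a republished or substituted
                # artefact, the strongest signal in the whole report.
                report["integrity_changed_same_version"].append((path, old_sri, new_sri))
    return report


def sri_of(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string for tarball bytes, in the form npm writes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(data: bytes, integrity: str) -> bool:
    """Check cached tarball bytes against one "algo-base64" SRI entry.

    Assumption for this example: a single entry; weak or unknown algorithms
    are rejected rather than trusted.
    """
    algo, _, _expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_of(data, algo), integrity)


def audit_example() -> dict:
    """Run the audit over the two constructed lockfiles."""
    return audit(json.loads(OLD_LOCK_JSON), json.loads(NEW_LOCK_JSON))


if __name__ == "__main__":
    for kind, items in audit_example().items():
        print(f"{kind}: {items}")
```

Run before accepting any update that touches the lockfile; the "added" and "integrity_changed_same_version" buckets are the ones to read closely, because a version bump at least has a changelog to look at, while a new transitive package or a silently republished tarball has nothing.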
BrewMaster
Legendary
Activity: 2114
Merit: 1292
There is trouble abrewing
December 17, 2019, 03:43:15 PM
 #18

Let me add an additional thought. When it comes to wallets and being open source, I have seen some beginners think that just having a GitHub link means they are open source. But unfortunately it is becoming a common scam method where the hacker releases the compiled malicious wallet on GitHub and tries fooling beginners into thinking it is safe.

There is a FOMO brewing...
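Following on from the point that a GitHub link is not proof of anything: what ties a downloaded binary to a release is a checksum manifest you can check yourself, and the manifest only counts if it is signed by a maintainer key you obtained out of band (that signature step, for example gpg --verify on SHA256SUMS.asc, comes before the hash check and is outside this block). The following is an added example, not code from this thread or from any wallet's release process; the "APK" bytes, file names and manifest are constructed. It parses a sha256sum(1)-style SHA256SUMS file and sorts the download into matched, tampered, missing and unlisted files.

```python
"""Verify downloaded release files against a sha256sum(1)-style manifest.

Added example, not code from the thread or from any wallet's release
process; the "APK" bytes, file names and manifest are constructed. The
hash check only means something if SHA256SUMS itself is signed by a
maintainer key obtained out of band and that signature is verified first
(for example with gpg --verify); a manifest sitting next to the binary in
the same untrusted repo proves nothing on its own.
"""
import hashlib
import hmac
import re

# sha256sum output: 64 hex digits, then "  name" (text mode) or " *name" (binary mode)
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

# Constructed stand-ins for release artefacts.
GOOD_APK = b"PK\x03\x04 constructed wallet-1.2.3.apk contents"
TAMPERED_APK = GOOD_APK + b"\x00 constructed payload appended by an attacker"
ARM64_APK = b"PK\x03\x04 constructed wallet-1.2.3-arm64.apk contents"

# Constructed manifest, computed here so it is internally consistent.
MANIFEST_TEXT = (
    f"{hashlib.sha256(GOOD_APK).hexdigest()}  wallet-1.2.3.apk\n"
    f"{hashlib.sha256(ARM64_APK).hexdigest()} *wallet-1.2.3-arm64.apk\n"
)

# What a user might actually have on disk: the generic APK plus an unlisted
# README, and no arm64 build at all.
DOWNLOADED_OK = {"wallet-1.2.3.apk": GOOD_APK, "README.txt": b"constructed readme"}
DOWNLOADED_TAMPERED = {"wallet-1.2.3.apk": TAMPERED_APK, "README.txt": b"constructed readme"}


def parse_sha256sums(text: str) -> dict:
    """Parse a manifest into {filename: lowercase hex digest}.

    Blank lines are skipped; anything else that does not match the
    sha256sum line format is an error, not silently ignored.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_files(manifest: dict, files: dict) -> dict:
    """Compare {name: bytes} on disk with the manifest.

    Returns four lists: ok, mismatch (tampered or corrupted), missing
    (listed but not downloaded) and unlisted (present but not covered by
    the manifest, so unverified).
    """
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, expected in manifest.items():
        if name not in files:
            result["missing"].append(name)
            continue
        actual = hashlib.sha256(files[name]).hexdigest()
        bucket = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
        result[bucket].append(name)
    for name in files:
        if name not in manifest:
            result["unlisted"].append(name)
    return result


def check_release(files: dict) -> dict:
    """Verify a set of downloaded files against the constructed manifest."""
    return verify_files(parse_sha256sums(MANIFEST_TEXT), files)


if __name__ == "__main__":
    print("clean download:", check_release(DOWNLOADED_OK))
    print("tampered download:", check_release(DOWNLOADED_TAMPERED))
```

The "unlisted" bucket is deliberate: a file that the signed manifest does not mention is simply unverified, however official the repository it came from looks, and that is the gap the compiled-binary-on-GitHub scam lives in.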
DaveF (OP)
Legendary
Activity: 3458
Merit: 6234
Crypto Swap Exchange
December 18, 2019, 01:24:17 AM
 #19

> Something similar happened last year with the Copay wallet: https://www.coindesk.com/fake-developer-sneaks-malicious-code-into-bitpays-copay-wallet. Copay is open source, but a malicious third party obtained control over a JavaScript library dependency and it was pulled in to Copay updates without anyone realizing.

I forgot about that. I know last week there was the discussion about the malicious Python libraries: https://bitcointalk.org/index.php?topic=5206906.0
Makes you wonder what else is lurking out there.

> Sure, but how can you prove the closed source wallet has 2 levels of review on a secure PC without trust?

You can't, because most places will not. BUT let's put this hypothetical out there.
Take a well regulated exchange. Since Gemini is taken, let's call it Aires.
Aires is in NY, so they have all the NY and USA regulators looking at everything they do. They decide all the wallets out there are crap, so they release their own.
They have auditors give a list of all the security processes, but at the end of the day it's still closed source.
Do you trust it more or less than, say, Mycelium?

> Now, if you don't auto update and wait for people to review the code before compiling yourself that is a different story.
> I don't, and I don't think anyone should. I don't feel comfortable giving any app, program, or software the ability to automatically download and execute code on my devices.

That is very rare; most people just set it and forget it.

-Dave

Wind_FURY
Legendary
Activity: 2898
Merit: 1818
December 18, 2019, 05:39:41 AM
 #20

> I know that it is sometimes impossible not to go through it, especially in times of necessity.

> Don't want to go too far off topic here, but it's entirely possible not to go through it. I've never completed KYC for any bitcoin or crypto exchange, service, third party, what have you, and I have absolutely no trouble interacting with the bitcoin ecosystem. In fact, I would wager that I use bitcoin more often than the average person, spending it both online and in person on actual goods or services several times each week.


You should teach everyone. Please open a new topic about your method, and which services you use. I believe avoiding KYC has become its own art form. Hahaha.
