At
WalletScrutiny today we finished our first round of assessing the 84 apps we had found to look like maybe being relevant Android Bitcoin wallets. The results are grim:
- 3 are verifiably built from the project's published source code
- 21 apps claim to be open source but either we failed to compile them from the information provided on their repositories or the compilation result differed non-trivially from the app found on Google Play. Trivial differences would be file timestamps, differences in few files that can be quickly understood to be harmless, like an API key not being included in the repository, although that is pointless as it sticks out in the diff even more.
- 25 apps are closed source meaning neither the Playstore description, nor their website nor GitHub searched for their appId revealed any source code
- 19 apps are for custodial services, the biggest being Coinbase. Coinbase recently reached 10 million downloads and with no other app reviewed having even 5 million, that is more users on Coinbase than on all open source wallets combined. Being your own bank ... not so much
- 18 apps turned out to be either not wallets, not for Bitcoin or they had only 1000 downloads or less.
This project is only getting started. If you want to look behind the curtain and maybe want to contribute,
source for the website is public.
Now the next steps are:
- Automate verification for wallets that were verifiable once
- Efficiently collect wallet updates
- Alert when verification fails
- Build awareness
