Bitcoin Forum
March 04, 2021, 09:56:21 AM *
News: Latest Bitcoin Core release: 0.21.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: WalletScrutiny finished assessing 86 Android apps. Only 3 are verifiably ...  (Read 94 times)
giszmo
Legendary
*
Offline Offline

Activity: 1764
Merit: 1043


WalletScrutiny.com


View Profile WWW
December 30, 2019, 10:06:05 AM
Merited by Welsh (4), OmegaStarScream (3)
 #1

At WalletScrutiny today we finished our first round of assessing the 84 apps we had found to look like maybe being relevant Android Bitcoin wallets. The results are grim:

  • 3 are verifiably built from the project's published source code
  • 21 apps claim to be open source but either we failed to compile them from the information provided on their repositories or the compilation result differed non-trivially from the app found on Google Play. Trivial differences would be file timestamps, differences in few files that can be quickly understood to be harmless, like an API key not being included in the repository, although that is pointless as it sticks out in the diff even more.
  • 25 apps are closed source meaning neither the Playstore description, nor their website nor GitHub searched for their appId revealed any source code
  • 19 apps are for custodial services, the biggest being Coinbase. Coinbase recently reached 10 million downloads and with no other app reviewed having even 5 million, that is more users on Coinbase than on all open source wallets combined. Being your own bank ... not so much Sad
  • 18 apps turned out to be either not wallets, not for Bitcoin or they had only 1000 downloads or less.

This project is only getting started. If you want to look behind the curtain and maybe want to contribute, source for the website is public.

Now the next steps are:

  • Automate verification for wallets that were verifiable once
  • Efficiently collect wallet updates
  • Alert when verification fails
  • Build awareness

ɃɃWalletScrutiny.comIs your wallet secure?(Methodology)
WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
ɃɃ
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!