[ANN] BitcoinSpinner

[pazor]

hello Jan,

can you please add to the app that the amount of bitcoins are shown in EUR also ?
thank you

may be as an option ?

greetings
pazor

[Jan]

After updating to the latest version, when I start spinner it just sits there with a black screen and a bar that says BitcoinSpinner at the top. It will stay like this as long as I let it. When I hit the back arrow (HTC Evo) it will finally show the app.

There is a known initialization issue which kicks in when leaving the app running in the background on low end devices. I am traveling this week, but have a fix which i will submit once properly tested. Sorry for the inconvenience.

This just happened on my Galaxy S2, so it's not limited to low end devices   That said, I am running a modded ROM for ICS, so that's probably not helping

I am not able to reproduce this myself. Help me fix it by answering the questions in this thread: https://bitcointalk.org/index.php?topic=53353.msg747989#msg747989

[Jan]

hello Jan,

can you please add to the app that the amount of bitcoins are shown in EUR also ?
thank you

may be as an option ?

greetings
pazor

Hi pazor,

It is on my list, but it may take some time before I get there.

1. Bug fixing
2. Address book
3. Transaction history improvements
4. EUR and other currencies
5. Relax and drink beer

Cheers,
Jan

[Stephen Gornick]

BitcoinSpinner uses private app storage, which is wiped at uninstall. However, this also has the nice feature that other apps cannot get to it, which is paramount. Another nice thing is that BitcoinSpinner only needs network access privileges. This lets you know that it does not try to snag your address book or keys from other apps using SD card storage.

In the Linode security breach trust given to their proprietary infrastructure was violated and bitcoins were stolen.

I'm wondering if there is a similar vulnerability with a mobile platform.  I read in the Android how-to for publishing an app that only an app signed with your private release key will get pushed out as an update.   What if, however, your system used for building was compromised and an attacker were to get your private release keys to build a rogue update (that stole bitcoin private keys).  If that roge release were published to the marketplace nobody would likely notice a problem until after the attacker already would have a lot of private keys!

If I were storing an amount of bitcoins worth worrying about, I might then want a way to disable the automatic update of this app.  Is that possible?

Also, might there be an announcement here for when you publish, maybe signed with your PGP key, which includes a signature for the release to be published to the Android Market?

I know this sounds paranoid, but crazier things have happened before, right?

[Jan]

BitcoinSpinner uses private app storage, which is wiped at uninstall. However, this also has the nice feature that other apps cannot get to it, which is paramount. Another nice thing is that BitcoinSpinner only needs network access privileges. This lets you know that it does not try to snag your address book or keys from other apps using SD card storage.

In the Linode security breach trust given to their proprietary infrastructure was violated and bitcoins were stolen.

I'm wondering if there is a similar vulnerability with a mobile platform.  I read in the Android how-to for publishing an app that only an app signed with your private release key will get pushed out as an update.   What if, however, your system used for building was compromised and an attacker were to get your private release keys to build a rogue update (that stole bitcoin private keys).  If that roge release were published to the marketplace nobody would likely notice a problem until after the attacker already would have a lot of private keys!

If I were storing an amount of bitcoins worth worrying about, I might then want a way to disable the automatic update of this app.  Is that possible?

Also, might there be an announcement here for when you publish, maybe signed with your PGP key, which includes a signature for the release to be published to the Android Market?

I know this sounds paranoid, but crazier things have happened before, right?

These are all valid concerns. Hacking bitcoin related services has turned out to be quite profitable.

Android apps are not automatically updated by default. This is an option that you can enable on your device, but I recommend that you don't.

Whenever I update BitcoinSpinner I announce it in this thread: https://bitcointalk.org/index.php?topic=53353.0
However publishing a signature on the APK with a different key doesn't give you much, as you (as far as I know) cannot retrieve a hash of the application from the Android Market. If you are really paranoid you should download the sources and roll your own. This also allows you to review any changes that have been added since last release.

(By the way, there is an update in the pipe which adds an address book and launching the send page from a Bitcoin URL)

[Jan]

This is an excellent development! I tried it yesterday, sent some coins from my Schildbach wallet to spinner, sent coins from spinner to my friend's spinner, everything worked perfectly.

It's clearly a work in progress though. There is no way to create a new Bitcoin address, no address book, no way to see sent and received transactions etc. But the core functionality is solid and the idea is excellent. It's very fast to use. Please keep developing it. I'd be happy to donate something to the developer if there is a donation address.
...

The latest BitcoinSpinner update is announced here, and includes the address book feature that you requested. Transaction history has been there for a while. Did I mention the in-app donation option? 

[phatsphere]

Did I mention the in-app donation option? 

I tested it a while ago, so you should have gotten some spare coins at least once 

[Nim]

Looks great. I like it. Two connected suggestions though. First, make it easy for the user to empty their wallet. I always appreciate when I go to make a payment on something and it gives me a box to type in the number and instead of making me remember the amount, it allows me to click something that autofills it. I would suggest something similar here. Allow the user to press the balance to autofill in the amount to send. Second, I think it would be interesting if at any time the balance becomes zero, you give the user the ability to create a new wallet and forget the old one. I don't see a way of doing that right now.

Excellent job.

edit: sorry, I see now that you have a dev thread as well. On which thread would you prefer people offer feedback?

[molecular]

I'm on android 2.1 here I guess (pretty old phone with low ram, don't think I can update)

What's keeping BitcoinSpinner from running? Android Market says "incompatible with your device"

[fimp]

Two small inconsistencies:

• When showing the BTC amount in the wallet, dot is used as the decimal sign. But when showing the amount in regular currencies, comma is used as decimal sign.
• When showing the BTC amount in the wallet, the currency is displayed after the amount. But when showing the amount in regular currencies, the currency is shown before the amount.

[Jan]

Two small inconsistencies:

• When showing the BTC amount in the wallet, dot is used as the decimal sign. But when showing the amount in regular currencies, comma is used as decimal sign.
• When showing the BTC amount in the wallet, the currency is displayed after the amount. But when showing the amount in regular currencies, the currency is shown before the amount.

Nice finds. For regular currencies BitcoinSpinner uses the decimal separator defined by the selected locale (US uses '.' DK uses ','). However for BTC '.' is always used. To clear confusion I have decided to use '.' everywhere in all locales.

Both items will be fixed in the next update.

[Jan]

I'm on android 2.1 here I guess (pretty old phone with low ram, don't think I can update)

What's keeping BitcoinSpinner from running? Android Market says "incompatible with your device"

I have only built/tested BitcoinSpinner on 2.2 devices. After a few modifications I can successfully build it against 2.1.
2.1 will be supported in the next update 

[Jan]

edit: sorry, I see now that you have a dev thread as well. On which thread would you prefer people offer feedback?

Please post technical stuff and bugs on the dev thread and the rest here.
Thanks, Jan

[molecular]

I'm on android 2.1 here I guess (pretty old phone with low ram, don't think I can update)

What's keeping BitcoinSpinner from running? Android Market says "incompatible with your device"

I have only built/tested BitcoinSpinner on 2.2 devices. After a few modifications I can successfully build it against 2.1.
2.1 will be supported in the next update 

wooooo! you're the best!

[cande]

Hi there,

I'm on android 4.0.x with NFC, would this be useful as an payment security device for Bitcoin Spinner?

https://store.yubico.com/store/catalog/product_info.php?products_id=72

[molecular]

Hi there,

I'm on android 4.0.x with NFC, would this be useful as an payment security device for Bitcoin Spinner?

https://store.yubico.com/store/catalog/product_info.php?products_id=72

intersting! thanks for pointer.

[Jan]

Hi there,

I'm on android 4.0.x with NFC, would this be useful as an payment security device for Bitcoin Spinner?

https://store.yubico.com/store/catalog/product_info.php?products_id=72

This is an interesting piece of hardware for authentication purposes, however this is all it does. (You cannot offload your Bitcoin private key onto it). You can use it for generating one time passwords if you for instance want to authenticate yourself with some service instead of (or in combination with) using a password. This would be a great thing for Bitcoin banks such as Paytunia or MtGox.  (MtGox already uses a yubi device).

BitcoinSpinner is different. The server side does not have your private keys, and does not control any Bitcoins. It just serves as a custodian of the block chain. Your private keys ONLY leave your Android device if you choose to make a QR-code backup/export.

If the server side of BitcoinSpinner was hacked, full breach, and left as a burning wreckage (you know, Bitcoinica style), then what would happen:

• The hacker would find the block chain, a bunch of Bitcoin public keys + bookkeeping information in a database, and a server log (which does not contain your IP address). This is all useless stuff.
• I would be pissed, as I would have to spend time on getting the service up and running again. This would probably take a few days, as I would have to make sure how he got in etc.
• You as the user would safely walk away from the wreckage with all you BTC even if you did not export your private key before the hack. BitcoinSpinner allows you to launch the app with no server connection and do the export offline. Once you have exported you could import your private key into one of the other excellent Bitcoin services around.

[Technomage]

The security of the server side isn't the problem here. Many (including me) would like more ways to secure the user side. Yubikey could be used to help with that. Server side security doesn't help if your phone is stolen, it's basically a race against time. If the thief knows about Bitcoin the game is already over. With a second authentication one could be fairly confident that the thief can't send those coins away.

I do agree that this takes away the convenience more than it's actually worth if you just carry small change in your mobile Bitcoin wallet. At least the option of extra security on the user side would help if I want to carry more than what I need for small transfers.

For me the most convenient way would be that it allows a total sent BTC amount during a 24 hour period without authentication. Then if I want to send more than that it would ask for authentication. This is probably a lot of work on the software side but it would be convenient when needed and secure when needed.

I don't actually know how this could be accomplished technically. It would require encrypting the private key for sure so the thief can't access the key once the phone is stolen.

[cypherdoc]

Hi there,

I'm on android 4.0.x with NFC, would this be useful as an payment security device for Bitcoin Spinner?

https://store.yubico.com/store/catalog/product_info.php?products_id=72

This is an interesting piece of hardware for authentication purposes, however this is all it does. (You cannot offload your Bitcoin private key onto it). You can use it for generating one time passwords if you for instance want to authenticate yourself with some service instead of (or in combination with) using a password. This would be a great thing for Bitcoin banks such as Paytunia or MtGox.  (MtGox already uses a yubi device).

BitcoinSpinner is different. The server side does not have your private keys, and does not control any Bitcoins. It just serves as a custodian of the block chain. Your private keys ONLY leave your Android device if you choose to make a QR-code backup/export.

If the server side of BitcoinSpinner was hacked, full breach, and left as a burning wreckage (you know, Bitcoinica style), then what would happen:

• The hacker would find the block chain, a bunch of Bitcoin public keys + bookkeeping information in a database, and a server log (which does not contain your IP address). This is all useless stuff.
• I would be pissed, as I would have to spend time on getting the service up and running again. This would probably take a few days, as I would have to make sure how he got in etc.
• You as the user would safely walk away from the wreckage with all you BTC even if you did not export your private key before the hack. BitcoinSpinner allows you to launch the app with no server connection and do the export offline. Once you have exported you could import your private key into one of the other excellent Bitcoin services around.

Jan,

but couldn't a hacker, once he has control of your server, upload your private key when you make a connection?

[Jan]

Jan,

but couldn't a hacker, once he has cntrol of your server, upload your private key when you make a connection?

No, and that is the beauty of it.
The server is totally independent of the Android app. To make a release of the app two independent individuals need to take action. Miracle (a company in Denmark) needs to sign the binary with a key that I have no access to. Then i have to upload the signed app to the android market, which only I can do (right now we are actially on two different continents). Furthermore, the app is not updated automatically on your device, you as a user decide whether you want to update, and your device will refuse to update if the signature is not done with the Miracle key.

When sending coins the app asks the server to stitch together an unsigned transaction. Once the app gets the transaction it validates the amount sent and the address of the receiver. Then it signs and returns the transaction, and the server propages it to the network.