Show Me The Bitcoin! - use plain images as Bitcoin keys, send BTC via email

[drazvan]

Hello everyone,

I've just published a small Android app called "Show Me The Bitcoin!" that allows you to use any image in your phone gallery as a Bitcoin private key and wallet. You can add funds to an image using your regular wallet, email it to someone else and claim/sweep funds received from a third party in the form of a simple image email attachment.


Possible uses are:
1. Covert transfer of funds (to an outside observer you are simply emailing that person a funny photo).

2. Hidden Bitcoin storage (add funds to a personal image in your gallery and remove the Bitcoin wallet app). If your device is searched, they will find no trace of Bitcoins, just a few personal photos in your Gallery. At a later time, you can reinstall the app and reclaim the funds.

3. Bitcoin shared wallet for family/friends (anyone with access to the image can claim the funds and also deposit funds on that image for use by other members).

4. Reward website users by hiding Bitcoins in images on your blog / website (scavenger-hunt style).


Here are a few screenshots:






A demo video is at http://www.youtube.com/watch?v=rTmnLlyUjHQ.

Give it a try at https://play.google.com/store/apps/details?id=com.cayennegraphics.showmethebitcoin , it's free! It will nag you after you've sent $50 (0.1 BTC) or more through it for a donation, you can donate as much (or as little) as you want or not donate at all, your call. Or you could send directly to 1Razvan4KEK2q5DNxemvsHwGncF1T3NqR .

For the technically inclined, the way it works is by doing a SHA-256 hash of the image and using that as a Bitcoin private key - it derives an address from it, then allows you to send funds to that address or sweep them to your wallet. Nothing fancy, just pure old fun .

Finally, if you've read this far, I have a tip for you: I've hidden 3 small amounts (0.05 BTC) into 3 logo images present on Bitcoin-related sites (or vendors related to Bitcoin). So you just need to navigate to the site, save the logo image and then load it into Show Me The Bitcoin! to sweep the funds (or add more if you're into that sort of fun ). I will post tips and possibly more bounties here over the next days, feel free to join in.

Cheers,
Razvan

[1715493111]

1715493111

[1715493111]

1715493111

[1715493111]

1715493111

[1715493111]

1715493111

[1715493111]

1715493111

[KaChingCoinDev]

Cool! But then you have to keep the image secret, right?

[drazvan]

Yes, anyone that has access to the image has access to the funds. The trick is that the image is not modified in any way, it's just an image, so an attacker that finds your phone would not know where to start (or even know that you've used this at all), unless they start hashing any and all images found on stolen phones to look for funds .

[KaChingCoinDev]

Ah yes, that makes sense. Do you have any plan on A. Making this for altcoins, or B. making this Open Source?

[KaChingCoinDev]

Oh, 1 more thing.

I have two android phones, neither are letting me download saying it is incompatable

[drazvan]

I haven't thought about making this for altcoins, it shouldn't be too hard, as long as there's interest and the altcoin private keys are 256-bit values (or smaller, I can truncate the output of the SHA256 hash), they should be fine. And yes, it will eventually be open-sourced, just need to clean up the code a bit (it was essentially hacked together over the Easter holidays, it works fine but it reuses parts of my OtherCoin and VisualBTC projects).

[drazvan]

Oh, 1 more thing.

I have two android phones, neither are letting me download saying it is incompatable

What version of Android are you running? It should install all the way down to 4.0.3. I have only tried it on 4.3 and 4.4 myself, but it's declared to support everything above 4.0.3.

[Abdussamad]

So the private key is not encrypted in any way? It's just the sha256 hash of the image. What could possibly go wrong!

Also number 1 is people emailing the private key to others?!

[drazvan]

The hash of the image is the key, so no, it's not encrypted. The recipient is not meant to leave the funds there indefinitely, I expect them to sweep them to their own wallets on receipt. And unless an attacker has access to your email and starts hashing all image attachments and checking the blockchain for a match, they would not even know you're sending (or receiving) money.

Also, if you're using this to store your own funds, it's similar to a brainwallet - that is not encrypted with anything either . But instead of remembering it, you just save/secure an image that hashes to the key. It's not as secure as a true 256-bit random key and it's not meant to be - it's just way easier to covertly store and transfer.

[drazvan]

Of course, this doesn't mean I can't add a password or a PIN into the mix - but I wanted to minimize the amount of extra information needed to claim the funds. If I have a channel to securely send you an extra PIN or password, I might as well send you the whole key.

And for storing personal funds, I wanted to be able to take a picture of my family for instance, then secretly add some funds to it, then tell my daughter when she's older to look for that family photo and find a little "surprise present" in it if she knows where to look .

[KaChingCoinDev]

Oh, one is 2.3.6, the other is 4.1.2. I got it working on 4.1.2, but when I go to deposit funds, it crashes.

[drazvan]

Oh, one is 2.3.6, the other is 4.1.2. I got it working on 4.1.2, but when I go to deposit funds, it crashes.

Do you have the Android Bitcoin Wallet installed? This one: https://play.google.com/store/apps/details?id=de.schildbach.wallet .

I should probably add some code to check if the Bitcoin Wallet is installed and if it's not, take the user to the download page.

[KaChingCoinDev]

Ah, I don't. That is a good idea

[Abdussamad]

The hash of the image is the key, so no, it's not encrypted. The recipient is not meant to leave the funds there indefinitely, I expect them to sweep them to their own wallets on receipt. And unless an attacker has access to your email and starts hashing all image attachments and checking the blockchain for a match, they would not even know you're sending (or receiving) money.

Attacker?? You expect people to send their private keys off to someone expecting money. Instead the recipient of their email is just going to clean them out.

Also, if you're using this to store your own funds, it's similar to a brainwallet - that is not encrypted with anything either .

Brain wallets are another bad idea. You are comparing your app to a known bad idea?

[KaChingCoinDev]

The hash of the image is the key, so no, it's not encrypted. The recipient is not meant to leave the funds there indefinitely, I expect them to sweep them to their own wallets on receipt. And unless an attacker has access to your email and starts hashing all image attachments and checking the blockchain for a match, they would not even know you're sending (or receiving) money.

Attacker?? You expect people to send their private keys off to someone expecting money. Instead the recipient of their email is just going to clean them out.

Also, if you're using this to store your own funds, it's similar to a brainwallet - that is not encrypted with anything either .

Brain wallets are another bad idea. You are comparing your app to a known bad idea?

Give the guy a break. He tried to make something practical, and IMO he did. It is free, not like he's charging a BTC for it.

[davidgdg]

The hash of the image is the key, so no, it's not encrypted. The recipient is not meant to leave the funds there indefinitely, I expect them to sweep them to their own wallets on receipt. And unless an attacker has access to your email and starts hashing all image attachments and checking the blockchain for a match, they would not even know you're sending (or receiving) money.

Attacker?? You expect people to send their private keys off to someone expecting money. Instead the recipient of their email is just going to clean them out.

Also, if you're using this to store your own funds, it's similar to a brainwallet - that is not encrypted with anything either .

Brain wallets are another bad idea. You are comparing your app to a known bad idea?

Why are they a bad idea? A properly done brain wallet is simple to remember and impossible to crack.

[drazvan]

Attacker?? You expect people to send their private keys off to someone expecting money. Instead the recipient of their email is just going to clean them out.

No, you are not sending them your private key! You are creating a private key for the purpose of that transaction, deriving a Bitcoin address from it, then sending only the funds you want to transfer to that newly created address. This is similar to the current payment process, where the recipient of the funds creates a new address to receive the funds - but it's the trusted sender that creates it, not the recipient. The recipient can not clean you out, they only have access to the funds you have attached to the image, nothing else.

Better now?

[drazvan]

Looks like someone claimed 2 of the 3 bounties I've posted (funds attached to images on the net). The first one was attached to the top-left image on Reddit (/r/Bitcoin), the second one was attached to our logo on www.veri.fi . Good work people! There's just one left!

[Abdussamad]

Attacker?? You expect people to send their private keys off to someone expecting money. Instead the recipient of their email is just going to clean them out.

No, you are not sending them your private key! You are creating a private key for the purpose of that transaction, deriving a Bitcoin address from it, then sending only the funds you want to transfer to that newly created address. This is similar to the current payment process, where the recipient of the funds creates a new address to receive the funds - but it's the trusted sender that creates it, not the recipient. The recipient can not clean you out, they only have access to the funds you have attached to the image, nothing else.

Better now?

Ok this is just a whole lot of horse crap. I can only conclude that the OP is a scammer and he's got a lot of shill accounts supporting him in this. I am done with this thread.

[drazvan]

Ok this is just a whole lot of horse crap. I can only conclude that the OP is a scammer and he's got a lot of shill accounts supporting him in this. I am done with this thread.

Could you be bothered to look at my post history to see what other projects I am involved in? Here, in case you can't find it: https://bitcointalk.org/index.php?action=profile;u=82497;sa=showPosts . Also, that's me https://www.linkedin.com/profile/view?id=4926501 . That's also me http://www.theregister.co.uk/2004/06/03/pocket_rendezvous/ . And this http://www.othercoin.com/OtherCoin.pdf . Busy scammer, huh?

But hey, "scammer" is a nice hint word for the location of the last of the three bounties I've posted. Let's see if anyone claims it.