Way to get an iPhone BTC app into the App Store

[casascius]

I thought of a way to get an iPhone BTC app into the web store...

Just make it entirely a web based version that is reached via a QR code that contains a URL with a parameterized private key.  (So in effect the app would be used for receiving payments from somebody who handed over a private key on a QR code).

Then submit something to the app store which reads the QR code, and performs strict validation on it, and then redirects to the web app.

Ordinarily, this would be exactly the same as making a web-based bitcoin app, and having people pass around QR codes as "money" that contain URLs to a hosted web app to allow the money to be spent, these could be scanned with any generic QR code scanner.  The problem is that the QR code could contain a URL to a phishing or clone site that could show a balance and allow it to be spent, but would only pretend coins were sent without sending any.  The purpose of the app in the App Store would be to prevent that - it would simply test the URL with a preconfigured regex and only redirect if it passed.

Since this app would be a combo QR code scanner / URL validator, and wouldn't have any bitcoin functionality of its own, it may not be rejected like a typical bitcoin app.  Perhaps if the actual regex were an "advanced" changeable option, it would be a generic tool that could be used for others, so it wouldn't be too bitcoiney.

[1715052963]

1715052963

[1715052963]

1715052963

[1715052963]

1715052963

[1715052963]

1715052963

[1715052963]

1715052963

[kangasbros]

With Easywallet.org you already can receive and send bitcoins with iPhone via QR codes, provided that you install the Barcodes scanner application: http://itunes.apple.com/us/app/barcodes-scanner/id417257150?mt=8

I don't see the point for combining native app + web app.

Edit: The last line didn't come out right, I meant that if we are relying on web based wallets, then we can already use the existing QR code scanners. Client-side private keys are possible with jasvascript local storage, I guess.

Also disclaimer, I'm the author of easywallet.org

[casascius]

With Easywallet.org you already can receive and send bitcoins with iPhone via QR codes, provided that you install the Barcodes scanner application: http://itunes.apple.com/us/app/barcodes-scanner/id417257150?mt=8

I don't see the point for combining native app + web app.

Edit: The last line didn't come out right, I meant that if we are relying on web based wallets, then we can already use the existing QR code scanners. Client-side private keys are possible with jasvascript local storage, I guess.

Also disclaimer, I'm the author of easywallet.org

Yes, that will work, until a scammer makes a clone of your website, and hands a merchant a QR code that redirects to his own website, that fakes a payment and makes it appear on-screen that a payment is being made, but in fact none is made and the bitcoins don't even exist.  The Barcodes scanner application you referenced offers no capability of performing strict validation on the codes (the part I originally bolded in the OP), which is an important control on fraud.  However, given that the app is open source, it could be modified by a developer to include such a feature.

[evoorhees]

Blockchain.info's wallet is now officially on the App Store, so people should just use that.

Many iphone/bitcoin users will not be tech-minded... so a weird "work around" would probably only serve to confuse. Bitcoin needs to be getting simpler, not more complicated, even though your solution achieves the goal of functionality.

[kangasbros]

Yes, that will work, until a scammer makes a clone of your website, and hands a merchant a QR code that redirects to his own website, that fakes a payment and makes it appear on-screen that a payment is being made, but in fact none is made and the bitcoins don't even exist.  The Barcodes scanner application you referenced offers no capability of performing strict validation on the codes (the part I originally bolded in the OP), which is an important control on fraud.  However, given that the app is open source, it could be modified by a developer to include such a feature.

Well, similar attack could be run for mtgox.com, bitmit.net or any web site which handles web sites... I don't see it as a big threat. I hope those malicuous clones won't be popping up.

And I think you are confusing things - the merchant who accepts those fake bitcoins doesn't need QR code scanner at all - he just receives the bitcoins (which would be fake if the attacker succeeds to make the merchant use the fake service). So modifying the QR code scanner won't help the merchant receiving the coins, since he doesn't even use the QR code scanning functionality.

But that kind of attack is why I always advertise my service as easywallet.org - I have that domain registered for a pretty long time and it is guaranteed to be mine. Maybe those attackers could try something like easywallet.info or like. But I hope that won't be a threat anytime soon.

[proudhon]

Blockchain.info's wallet is now officially on the App Store, so people should just use that.

Many iphone/bitcoin users will not be tech-minded... so a weird "work around" would probably only serve to confuse. Bitcoin needs to be getting simpler, not more complicated, even though your solution achieves the goal of functionality.

Not the US store, though.

[casascius]

Well, similar attack could be run for mtgox.com, bitmit.net or any web site which handles web sites... I don't see it as a big threat. I hope those malicuous clones won't be popping up.

And I think you are confusing things - the merchant who accepts those fake bitcoins doesn't need QR code scanner at all - he just receives the bitcoins (which would be fake if the attacker succeeds to make the merchant use the fake service). So modifying the QR code scanner won't help the merchant receiving the coins, since he doesn't even use the QR code scanning functionality.

With all due respect, I don't think you have read my post carefully.  Not that you need to - but before telling me I'm confusing things, perhaps do some due diligence and try carefully to understand what I am saying, which has nothing to do with what you're talking about.

[kangasbros]

With all due respect, I don't think you have read my post carefully.  Not that you need to - but before telling me I'm confusing things, perhaps do some due diligence and try carefully to understand what I am saying, which has nothing to do with what you're talking about.

Yeah, sorry, I misunderstood. You were describing different system entirely.

[Grami]

I thought of a way to get an iPhone BTC app into the web store....

There is another way. Build app that operates with with spherical money provider. It can use bank or paypal or bitcoin provider. Money provider just should make protocol implementation. I guess such app will not be rejected.

[Matthew N. Wright]

Isn't Bit-Pak already available in the US iTunes?

[Gabi]

Seriously guys:



But well, it's true that we have to allow new people to use bitcoin, and it's not our fault if they use fail phones

[kangasbros]

Isn't Bit-Pak already available in the US iTunes?

Promoting Bit-Pak is about the best way to make sure that people will hate bitcoin. Some guy I met at the bar had installed it, and had waited about 2 weeks for the block chain to download. While the app consumes your battery etc.

Then I told him about easywallet.org, and he had it up and running & bookmarked on his iPhone in about 3 minutes. Then I sent some bitcoins to him and he had them instantly in his iPhone.

Introducing bitcoin to a new guy with easywallet.org : 2-5 minutes
Same with BitPak: 2 weeks, and the guy will probably forgot it or remove it from his iPhone from consuming resources.

It is just the fact that the full clients suck for mobile usage. Hope that somebody implements Electrum-style client and gets it approved.

(Myself I approve what the blockchain.info guys are doing, but the mobile app model just sucks IMHO. I don't want to manage invidual addresses etc. I just want a very simple way to receive and send bitcoins, with good anonymity and privacy.)

[piuk]

the mobile app model just sucks IMHO. I don't want to manage invidual addresses etc. I just want a very simple way to receive and send bitcoins, with good anonymity and privacy.)

I'd rather own my keys, you shouldn't need to sacrifice bitcoin's greatest strength for a bit of convenience.

[BitPay Business Solutions]

I'd rather own my keys, you shouldn't need to sacrifice bitcoin's greatest strength for a bit of convenience.

piuk has shown how this can be convenient and secure at the same time.  Everyone else should follow this model. 

[casascius]

the mobile app model just sucks IMHO. I don't want to manage invidual addresses etc. I just want a very simple way to receive and send bitcoins, with good anonymity and privacy.)

I'd rather own my keys, you shouldn't need to sacrifice bitcoin's greatest strength for a bit of convenience.

I am a big advocate of paper wallets, but for pocket cash, I would have no problem with the mobile web app model.  Like if I were going to Meze Grill and wanted to pay for that damn good steak gyro they've got (that I went back for another a couple days after the first), I wouldn't be worried about a site operator swiping 20 bucks off me.  Just as likely I might lose my phone and the keys with it - at least on a hosted service I would get them back.

[kangasbros]

I'd rather own my keys, you shouldn't need to sacrifice bitcoin's greatest strength for a bit of convenience.

piuk has shown how this can be convenient and secure at the same time.  Everyone else should follow this model. 

While I agree that owning your own keys is the best solution, the blockchain.info app solution is not optimal. Installation is hard and UI is crappy, of course this is subjective.

And of course the more wallet apps there is, the better. Everyone can decide themselves which model is the best for their specific usage.

[notme]

Seriously guys:



But well, it's true that we have to allow new people to use bitcoin, and it's not our fault if they use fail phones

Wish I could, but I'm locked in Apple hell after I had an iPhone purchased for me for a project I was working on.  Man, will it be nice when I can get an android.  My girlfriend has one and it is much better for someone technically inclined like myself.

Anyway, we're really off-topic since the fact is people have iPhones and we don't want to throw out that market.

[casascius]

Can anyone confirm if I understand this correctly?  The SDK for iPhone is available for free in the Mac App Store to anyone with a Mac computer running Lion, and the SDK includes an emulator for iPhone for app testing.  One can compile the app, but must be part of the $99/year developer program in order to load an application on physical iPhones, even your own phone connected via USB?

[kangasbros]

Can anyone confirm if I understand this correctly?  The SDK for iPhone is available for free in the Mac App Store to anyone with a Mac computer running Lion, and the SDK includes an emulator for iPhone for app testing.  One can compile the app, but must be part of the $99/year developer program in order to load an application on physical iPhones, even your own phone connected via USB?

I don't think you need to own the licence to run your self-compiled apps. I'm not 100% sure though, since I've had always the licence.

Also you can distribute the app also as a beta to something like 100 users. They don't even need to compile it or anything, and I guess installing for them is pretty trivial.

However, without a very easy installation there won't be much adoption. Technically adept people usually don't understand how easy it must be, so that people will "get it". If you need to do anything that requires some thinking, most people won't bother.

[casascius]

I wonder if it might be worth a serious canvassing effort to Apple to get them to not block Bitcoin apps.  And where to write to.  (I'd participate, and would send my opinion in written form via FedEx, which tends to get noticed a lot more than e-mail).

My read on the situation is that Apple blocks all forms of "virtual currency" because they want to make sure they get a cut of in-app purchases, something developers could easily get around if in-app purchases were made with scrip.  But I am not sure they really intend to target projects like Bitcoin.  They don't block the PayPal app, nor presumably do they require a 30% cut of every PayPal transaction sent with an iPhone, and the emergence of MintChip legitimizes the evolution of currency as a concept.

I think it's plausible that they could be persuaded that an application that sends Bitcoins is no different than one that sends your PayPal balance, and is substantially different from an app that uses scrip to evade Apple's cut of an in-app purchase and so they should make an explicit exception for it in the rules.