Topic: [ANN] BitcoinSpinner - page 3. (Read 45071 times)

Niko is right. The ability to export your private key has been there from the first release. For one of my spending wallet I have exported the private key and imported it in a blockchain.info wallet. This way I can access the same funds from my BitcoinSpinner Android phone and blockchain.info iPhone app.

Besides "backup wallet" option, there is the "export private key" under "advanced" settings. I have not tested the functionality myself, but if this is the actual private key, we should be able to import it into any client.

I've been using BitcoinSpinner for a while now and like it quite a bit. I think I've read through most of this thread, so I apologize if I missed the answer to this: What happens if the backend server goes away? Can I still retrieve my coins somehow?

If the answer is no, then the one feature I'd like to request is the ability to change the backend server that the app connects to (and if a special backend server is needed, can that software be open sourced?). In the event that you and/or your server go away, I would hate to loose access to whatever coins I have stored in my wallet. Would something like that even be possible?

Ah, thanks.
So I can uninstall the app, now.

The testnet server was used during initial development. It hasn't been running for a long time to reduce cost.

Why the testnet version isn't working?
"server not responding"

I have one. Email them to me and I'll print them for you.

Thanx for the explanation. Now I only need some non public printer without hard drive to print some qr codes.

Thank you for your suggestions.
You are absolutely right regarding the current PIN security. It is there to avoid someone from grabbing your phone and move your coins while you look the other way.

I have been thinking along the same lines regarding encrypting keys, and didn't do it for the following reasons:
 - Entering (secure) PIN/passwords on a smartphone is a real pain as it has to be long/complex
 - Doing "key-stretching" on a shorter/less complex PIN (for instance hash the PIN many many times) takes long time if you want it to be secure. Using a fixed time (say 10 seconds) is not equally secure on every device as they have different CPU power and all have to compete with for instance a fast desktop computer, or maybe even an Avalon

Instead I do something else. I have two paper backups: one for my savings, and one for my daily use.

Normally I only have the wallet for daily use on my phone. Whenever I need to recharge it I:
1) Restore the savings wallet on my phone (Click the options button->Settings-> Restore wallet and scan the QR-code for your savings wallet backup)
2) Send funds to my spending wallet (I have the address in the address book, so it is really easy)
3) Restore the spending wallet (Click the options button->Settings-> Restore wallet and scan the QR-code for your spending wallet backup)
The entire process takes less than a minute

The important thing is that after step 3 the private key for the savings wallet gas been deleted from my device.

You can make this even more secure if you (as you suggest) use a dedicated device with nothing else installed.

Ahhh! is this the right thread? Maybe lock and use only this?

TLDR: I want a dedicated secure Bitcoin Wallet with open source that I compiled myself.



The rest is kind of brain storming. I warned you:
As Bitcoins become more valuable, I spend more time on how to get them secured. BS looks like an amount of code I can review. bccapi maybe not but I assume, others do that. Generally it would be cool to have some project that collects signatures from people that did actually review code as I'm pretty sure it would be rather easy to abuse the users trust.

Anyway, I just bought the cheapest tablet I could get to run it as a dedicated bitcoin wallet with is either Schildbach or Spinner. Plan was to not install anything remotely related to bitcoin except for a wallet I compiled myself.

Schildbach and BS have the private key plain text on the device which is kind of unsafe.

I know that protecting against some unspecific attacks of "free chargers" copying all files from my device are maybe not really the main threat but still I guess this should be taken care of.

I just got started digging into the code and wonder if there would be an "easy" way to lock it down some more. My idea was to stick with the n digit password but to actually use it (For non-devs: Now it is only an interface-gimmick preventing friends from silently toying around with your money but don't protect you from malicious USB chargers or a phone-thief moving your money within minutes). You could for example determine the speed of the device and hash x times the 6-digit password to generate a decryption key with x roughly taking 10s on the device. For this to be still fun, you should only use the priv key when sending bitcoins (like bitcoin-qt but delayed 10s for hashing). An attacker that somehow just got the encrypted priv key and the plain text "SHA256 applied 12,184,276 times" would take significantly longer to actually get hold of the bitcoins than now. Also allowing longer passwords would then make sense. (some "the average Joe's bot net is 15,000,000 times faster than your phone and would brute force your password in 17.3h. Never put more money into your wallet than bot nets cost to run for that amount of time" might be miss-leading as other attacks might be cheaper.)

Sure, such hashing would also allow to safely use shorter passwords in bitcoin-qt but there a longer password is not such a pain to enter … maybe?

---

Pro-Tip for Android rooters: On a rooted Android with "USB debugging on", Spinner's and Schildbach's wallets are open books to any PC you charge your phone at.

great, thx. I can confirm that my 10+ btc show up as they should :-)

With the earlier backend implementation I could get precise statistics as it only tracked the transaction inputs/outputs of known BitcoinSpinner wallets. The new implementation, which has been in production for some months now, does not track BitcoinSpinner wallets in particular. It tracks all bitcoin addresses in existence, and does not 'remember' which ones have been queried for unspent outputs, transaction history etc. This allows it to be stateless in the sense that the only information it has is what is readily available in the Bitcoin network, which will allow me to have multiple totally redundant copies.

What I do know is how many active device installs there are according to Google Play. The current number is 2009 which is the number of devices where it was installed and not uninstalled. This number does not cover people who installed it from other sources.

Jan, do you make available some compounded statistics?
It would be nice to see the total number of wallets over time, or number of transactions per day.

Fixed.

Server running low on storage, working on a fix.

i've just sent some coins from one spinner to another one. tells me since hours that "couins on their way to you: ..." but that's it. does this also happen to others or is it just my setup/account here?

Would like to see that, too. Maybe it is possible to swipe the coins from the scanned key.

BitcoinSpinner v0.8.1b is out:
 - Fixed typo in German translation
 - Fixed a fee validation bug that occurs when sending a transaction with many small inputs. The effect has been observed to prevent you from sending your last funds when you have many small inputs. Thanks to Object 2212 for helping me test and debug it.

It might take an hour before you can update it from the Android Market.

Enjoy, and Happy New Year!

Thanks Jan for your great work on my absolute favorite Android Bitcoin Wallet.