[ANN] BitcoinSpinner - page 9. | Bitcointalksearch.org

BitLucky

full member

Activity: 168

Merit: 100

Quote from: westkybitcoins on May 27, 2012, 02:10:04 PM

Quote from: BitLucky on May 27, 2012, 12:43:17 PM

Hi, I have an unconfirmed tx in bitcoin spinner... it hasn't sent my bitcoins to the address and isn't appearing in the block chain :S

You can check all pending/unconfirmed bitcoin transactions at bitcoincharts.com. Search for your address there and make sure the transaction was sent. If it's neither there nor in the blockchain, then there may be a problem.

I can't find it anywhere.

I have uninstalled bitcoin spinner and restored my wallet using the QR code backup and now the client says balance "unknown" and coins on their way to you "unknown" Sad

westkybitcoins

legendary

Activity: 980

Merit: 1004

Firstbits: Compromised. Thanks, Android!

Quote from: BitLucky on May 27, 2012, 12:43:17 PM

Hi, I have an unconfirmed tx in bitcoin spinner... it hasn't sent my bitcoins to the address and isn't appearing in the block chain :S

You can check all pending/unconfirmed bitcoin transactions at bitcoincharts.com. Search for your address there and make sure the transaction was sent. If it's neither there nor in the blockchain, then there may be a problem.

BitLucky

full member

Activity: 168

Merit: 100

Hi, I have an unconfirmed tx in bitcoin spinner... it hasn't sent my bitcoins to the address and isn't appearing in the block chain :S

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: cypherdoc on May 26, 2012, 10:47:45 AM

Jan,

but couldn't a hacker, once he has cntrol of your server, upload your private key when you make a connection?

No, and that is the beauty of it.
The server is totally independent of the Android app. To make a release of the app two independent individuals need to take action. Miracle (a company in Denmark) needs to sign the binary with a key that I have no access to. Then i have to upload the signed app to the android market, which only I can do (right now we are actially on two different continents). Furthermore, the app is not updated automatically on your device, you as a user decide whether you want to update, and your device will refuse to update if the signature is not done with the Miracle key.

When sending coins the app asks the server to stitch together an unsigned transaction. Once the app gets the transaction it validates the amount sent and the address of the receiver. Then it signs and returns the transaction, and the server propages it to the network.

cypherdoc

legendary

Activity: 1764

Merit: 1002

Quote from: Jan on May 26, 2012, 09:09:46 AM

Quote from: cande on May 22, 2012, 04:40:21 AM

Hi there,

I'm on android 4.0.x with NFC, would this be useful as an payment security device for Bitcoin Spinner?

https://store.yubico.com/store/catalog/product_info.php?products_id=72

This is an interesting piece of hardware for authentication purposes, however this is all it does. (You cannot offload your Bitcoin private key onto it). You can use it for generating one time passwords if you for instance want to authenticate yourself with some service instead of (or in combination with) using a password. This would be a great thing for Bitcoin banks such as Paytunia or MtGox. (MtGox already uses a yubi device).

BitcoinSpinner is different. The server side does not have your private keys, and does not control any Bitcoins. It just serves as a custodian of the block chain. Your private keys ONLY leave your Android device if you choose to make a QR-code backup/export.

If the server side of BitcoinSpinner was hacked, full breach, and left as a burning wreckage (you know, Bitcoinica style), then what would happen:

The hacker would find the block chain, a bunch of Bitcoin public keys + bookkeeping information in a database, and a server log (which does not contain your IP address). This is all useless stuff.
I would be pissed, as I would have to spend time on getting the service up and running again. This would probably take a few days, as I would have to make sure how he got in etc.
You as the user would safely walk away from the wreckage with all you BTC even if you did not export your private key before the hack. BitcoinSpinner allows you to launch the app with no server connection and do the export offline. Once you have exported you could import your private key into one of the other excellent Bitcoin services around.

Jan,

but couldn't a hacker, once he has control of your server, upload your private key when you make a connection?

Technomage

legendary

Activity: 2184

Merit: 1056

Affordable Physical Bitcoins - Denarium.com

The security of the server side isn't the problem here. Many (including me) would like more ways to secure the user side. Yubikey could be used to help with that. Server side security doesn't help if your phone is stolen, it's basically a race against time. If the thief knows about Bitcoin the game is already over. With a second authentication one could be fairly confident that the thief can't send those coins away.

I do agree that this takes away the convenience more than it's actually worth if you just carry small change in your mobile Bitcoin wallet. At least the option of extra security on the user side would help if I want to carry more than what I need for small transfers.

For me the most convenient way would be that it allows a total sent BTC amount during a 24 hour period without authentication. Then if I want to send more than that it would ask for authentication. This is probably a lot of work on the software side but it would be convenient when needed and secure when needed.

I don't actually know how this could be accomplished technically. It would require encrypting the private key for sure so the thief can't access the key once the phone is stolen.

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: cande on May 22, 2012, 04:40:21 AM

Hi there,

I'm on android 4.0.x with NFC, would this be useful as an payment security device for Bitcoin Spinner?

https://store.yubico.com/store/catalog/product_info.php?products_id=72

This is an interesting piece of hardware for authentication purposes, however this is all it does. (You cannot offload your Bitcoin private key onto it). You can use it for generating one time passwords if you for instance want to authenticate yourself with some service instead of (or in combination with) using a password. This would be a great thing for Bitcoin banks such as Paytunia or MtGox. (MtGox already uses a yubi device).

BitcoinSpinner is different. The server side does not have your private keys, and does not control any Bitcoins. It just serves as a custodian of the block chain. Your private keys ONLY leave your Android device if you choose to make a QR-code backup/export.

If the server side of BitcoinSpinner was hacked, full breach, and left as a burning wreckage (you know, Bitcoinica style), then what would happen:

The hacker would find the block chain, a bunch of Bitcoin public keys + bookkeeping information in a database, and a server log (which does not contain your IP address). This is all useless stuff.
I would be pissed, as I would have to spend time on getting the service up and running again. This would probably take a few days, as I would have to make sure how he got in etc.
You as the user would safely walk away from the wreckage with all you BTC even if you did not export your private key before the hack. BitcoinSpinner allows you to launch the app with no server connection and do the export offline. Once you have exported you could import your private key into one of the other excellent Bitcoin services around.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: cande on May 22, 2012, 04:40:21 AM

Hi there,

I'm on android 4.0.x with NFC, would this be useful as an payment security device for Bitcoin Spinner?

https://store.yubico.com/store/catalog/product_info.php?products_id=72

intersting! thanks for pointer.

cande

member

Activity: 107

Merit: 10

https://bt.cx

Hi there,

I'm on android 4.0.x with NFC, would this be useful as an payment security device for Bitcoin Spinner?

https://store.yubico.com/store/catalog/product_info.php?products_id=72

molecular

donator

Activity: 2772

Merit: 1019

Quote from: Jan on March 26, 2012, 04:58:05 AM

Quote from: molecular on March 24, 2012, 04:31:15 PM

I'm on android 2.1 here I guess (pretty old phone with low ram, don't think I can update)

What's keeping BitcoinSpinner from running? Android Market says "incompatible with your device"

I have only built/tested BitcoinSpinner on 2.2 devices. After a few modifications I can successfully build it against 2.1.
2.1 will be supported in the next update

wooooo! you're the best!

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: Nim on March 08, 2012, 12:29:44 AM

edit: sorry, I see now that you have a dev thread as well. On which thread would you prefer people offer feedback?

Please post technical stuff and bugs on the dev thread and the rest here.
Thanks, Jan

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: molecular on March 24, 2012, 04:31:15 PM

I'm on android 2.1 here I guess (pretty old phone with low ram, don't think I can update)

What's keeping BitcoinSpinner from running? Android Market says "incompatible with your device"

I have only built/tested BitcoinSpinner on 2.2 devices. After a few modifications I can successfully build it against 2.1.
2.1 will be supported in the next update

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: fimp on March 24, 2012, 04:50:38 PM

Two small inconsistencies:

When showing the BTC amount in the wallet, dot is used as the decimal sign. But when showing the amount in regular currencies, comma is used as decimal sign.
When showing the BTC amount in the wallet, the currency is displayed after the amount. But when showing the amount in regular currencies, the currency is shown before the amount.

Nice finds. For regular currencies BitcoinSpinner uses the decimal separator defined by the selected locale (US uses '.' DK uses ','). However for BTC '.' is always used. To clear confusion I have decided to use '.' everywhere in all locales.

Both items will be fixed in the next update.

fimp

sr. member

Activity: 304

Merit: 250

Two small inconsistencies:

When showing the BTC amount in the wallet, dot is used as the decimal sign. But when showing the amount in regular currencies, comma is used as decimal sign.
When showing the BTC amount in the wallet, the currency is displayed after the amount. But when showing the amount in regular currencies, the currency is shown before the amount.

molecular

donator

Activity: 2772

Merit: 1019

I'm on android 2.1 here I guess (pretty old phone with low ram, don't think I can update)

What's keeping BitcoinSpinner from running? Android Market says "incompatible with your device"

Nim

member

Activity: 67

Merit: 10

Looks great. I like it. Two connected suggestions though. First, make it easy for the user to empty their wallet. I always appreciate when I go to make a payment on something and it gives me a box to type in the number and instead of making me remember the amount, it allows me to click something that autofills it. I would suggest something similar here. Allow the user to press the balance to autofill in the amount to send. Second, I think it would be interesting if at any time the balance becomes zero, you give the user the ability to create a new wallet and forget the old one. I don't see a way of doing that right now.

Excellent job.

edit: sorry, I see now that you have a dev thread as well. On which thread would you prefer people offer feedback?

phatsphere

hero member

Activity: 763

Merit: 500

Quote from: Jan on March 07, 2012, 03:30:57 AM

Did I mention the in-app donation option? Wink

I tested it a while ago, so you should have gotten some spare coins at least once Kiss

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: Technomage on December 06, 2011, 10:43:45 AM

This is an excellent development! I tried it yesterday, sent some coins from my Schildbach wallet to spinner, sent coins from spinner to my friend's spinner, everything worked perfectly.

It's clearly a work in progress though. There is no way to create a new Bitcoin address, no address book, no way to see sent and received transactions etc. But the core functionality is solid and the idea is excellent. It's very fast to use. Please keep developing it. I'd be happy to donate something to the developer if there is a donation address. Wink

...

The latest BitcoinSpinner update is announced here, and includes the address book feature that you requested. Transaction history has been there for a while. Did I mention the in-app donation option? Wink

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: Stephen Gornick on March 06, 2012, 12:10:05 AM

Quote from: Jan on January 10, 2012, 01:57:42 PM

BitcoinSpinner uses private app storage, which is wiped at uninstall. However, this also has the nice feature that other apps cannot get to it, which is paramount. Another nice thing is that BitcoinSpinner only needs network access privileges. This lets you know that it does not try to snag your address book or keys from other apps using SD card storage.

In the Linode security breach trust given to their proprietary infrastructure was violated and bitcoins were stolen.

I'm wondering if there is a similar vulnerability with a mobile platform. I read in the Android how-to for publishing an app that only an app signed with your private release key will get pushed out as an update. What if, however, your system used for building was compromised and an attacker were to get your private release keys to build a rogue update (that stole bitcoin private keys). If that roge release were published to the marketplace nobody would likely notice a problem until after the attacker already would have a lot of private keys!

If I were storing an amount of bitcoins worth worrying about, I might then want a way to disable the automatic update of this app. Is that possible?

Also, might there be an announcement here for when you publish, maybe signed with your PGP key, which includes a signature for the release to be published to the Android Market?

I know this sounds paranoid, but crazier things have happened before, right?

These are all valid concerns. Hacking bitcoin related services has turned out to be quite profitable.

Android apps are not automatically updated by default. This is an option that you can enable on your device, but I recommend that you don't.

Whenever I update BitcoinSpinner I announce it in this thread: https://bitcointalksearch.org/topic/bitcoinspinner-53353
However publishing a signature on the APK with a different key doesn't give you much, as you (as far as I know) cannot retrieve a hash of the application from the Android Market. If you are really paranoid you should download the sources and roll your own. This also allows you to review any changes that have been added since last release.

(By the way, there is an update in the pipe which adds an address book and launching the send page from a Bitcoin URL)

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Quote from: Jan on January 10, 2012, 01:57:42 PM

BitcoinSpinner uses private app storage, which is wiped at uninstall. However, this also has the nice feature that other apps cannot get to it, which is paramount. Another nice thing is that BitcoinSpinner only needs network access privileges. This lets you know that it does not try to snag your address book or keys from other apps using SD card storage.

In the Linode security breach trust given to their proprietary infrastructure was violated and bitcoins were stolen.

I'm wondering if there is a similar vulnerability with a mobile platform. I read in the Android how-to for publishing an app that only an app signed with your private release key will get pushed out as an update. What if, however, your system used for building was compromised and an attacker were to get your private release keys to build a rogue update (that stole bitcoin private keys). If that roge release were published to the marketplace nobody would likely notice a problem until after the attacker already would have a lot of private keys!

If I were storing an amount of bitcoins worth worrying about, I might then want a way to disable the automatic update of this app. Is that possible?

Also, might there be an announcement here for when you publish, maybe signed with your PGP key, which includes a signature for the release to be published to the Android Market?

I know this sounds paranoid, but crazier things have happened before, right?

Topic: [ANN] BitcoinSpinner - page 9. (Read 45071 times)