Author

Topic: Can someone verify the trustworthiness of this Android App? (Read 1441 times)

legendary
Activity: 1792
Merit: 1008
/dev/null
Don't Android apps that talk to the network need permissions to do so?

This app isn't listed as needing permissions to access anything other than the camera.

I'm developing a tool for iPhone to help create encrypted paper wallets and plan to put it in the app store.  The idea is that you can put your passphrase into the tool, the tool will assist you in ordering paper wallets from someone else that require your passphrase, but without actually divulging the passphrase.  The tool will also verify (via scanning QR codes) that the paper wallets you receive are legitimate and that they're really encrypted with your passphrase.

I wish there were a more robust way for users to know it's not leaking their passphrase.  I will be releasing the source, and at least the binary will be signed, but the average iPhone user isn't going to be able to compile or install it without payware.

I suppose, at least, that someone interested in compiling this tool themselves could just do that with my desktop utility.
there are several ways to bypass this which arent fixed to date!
http://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf
there's another security issue where u can use the internal browser to create a tunnel outside (couldnt find the link, altough didnt search long) and therefore the app dosnt need any permissions.
therefore u cant know if its secure unless u test it in a sandbox or got the sourcecode.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Don't Android apps that talk to the network need permissions to do so?

This app isn't listed as needing permissions to access anything other than the camera.

I'm developing a tool for iPhone to help create encrypted paper wallets and plan to put it in the app store.  The idea is that you can put your passphrase into the tool, the tool will assist you in ordering paper wallets from someone else that require your passphrase, but without actually divulging the passphrase.  The tool will also verify (via scanning QR codes) that the paper wallets you receive are legitimate and that they're really encrypted with your passphrase.

I wish there were a more robust way for users to know it's not leaking their passphrase.  I will be releasing the source, and at least the binary will be signed, but the average iPhone user isn't going to be able to compile or install it without payware.

I suppose, at least, that someone interested in compiling this tool themselves could just do that with my desktop utility.
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
It is not a wallet per se, but it's super useful to create brainwallets on the go.

Is there any way to prove that the app does not connect to the internet and send the keys?

"Bitcoin Address Tool" - On Android Market:

https://play.google.com/store/apps/details?id=com.CIMS.BitcoinAddress

Thanks!

The app is legit and I use it every time I have a chance, here is the original thread https://bitcointalksearch.org/topic/announce-casascius-compatible-address-tool-for-android-86128
vip
Activity: 756
Merit: 503
I've found this app to sniff traffic but my phone isn't rooted yet... https://play.google.com/store/apps/details?id=lv.n3o.shark&hl=en
full member
Activity: 210
Merit: 100
It is not a wallet per se, but it's super useful to create brainwallets on the go.

Is there any way to prove that the app does not connect to the internet and send the keys?

"Bitcoin Address Tool" - On Android Market:

https://play.google.com/store/apps/details?id=com.CIMS.BitcoinAddress

Thanks!
Jump to: