I'm going to take a look at this. I haven't done much trading but maybe that was because I didn't know of a convenient platform. Thanks for the tip!
One question before I download: can I see source code for this app or is it binary only? If there's no source available I probably won't install because it's hard to trust a closed-source app with money.
It is a closed-source app, but since this app uses API keys and not logins, you fully control what level of access the app can ever have. For mobile security, Android uses a detailed permissions specification, and the app requires no special permissions besides the standard ones that give it access only to its own data; those permissions are shown during the install by the Play Store.
Regardless of open or closed source, whenever using API-based trading software, one can remove the risks by setting the right permissions on the API key. For Cointra you don't need any withdrawal, deposit or transfer rights on the API keys, so make sure you don't add them. You can even start with read-only API keys, making it 100% risk-free to start.
That being said, we are very much open to your suggestions, and if you believe that open-sourcing the app would be a critical factor for you and like-minded users, we would consider open-sourcing it. So far we have seen that the majority of users don't compile their own mobile apps even if they are open source (based on Play Store install counts of open-source apps, like the Bitcoin Wallet). Much different from desktop apps, where the majority compile from source (themselves or by their OS distribution).
I appreciate the detailed response. Because I haven't yet done any trading on these sites, I'll have to look into the API key permissions that you're discussing, but on an initial readthrough this seems reasonable.
I also run the CyanogenMod ROM on my Android devices, so one nice option I have is revoking permissions even after an app is installed.
I personally think it's pretty crucial to see the source code even if I don't end up compiling it myself. For example, I run the Schildbach Bitcoin Wallet program and I just installed it from the Play Store. However, that was after downloading and reviewing the code. Note: this was also crucial later when I had to recover a lost wallet file (I could check the source to see how/where it was stored on my device).
I'm going to check out what you said about the API keys but I know that my own personal stance is that if it's not open source, I'm extremely cautious and skeptical.
Feel free to ask any questions you may have and I will be glad to explain. Please allow me to explain API keys a little more here also to help other readers who aren't familiar with them.
All major exchanges allow users to generate API keys and secrets; they are separate from your username and password, and you can set individual permissions for each API key. For example, you can create one key pair and give it only Account Info rights, which would allow any software to only view your account information. The API keys cannot be used to log in to the exchange website; instead they are to be used by specialized software to read the data you allow. API keys can be cancelled at any time, so in case you lose your phone you can cancel the API keys after logging in to your exchange account (in Cointra we keep all API keys encrypted, with added encryption using a PIN if you enable it, so even if the phone is lost it would not be trivial for someone to get your keys if you're using a PIN).
I understand the need for an open-source wallet, since the software itself keeps your money! But in the case of Cointra nothing except API keys (not even your email) is stored by the app on the phone; everything is kept on your exchange, and it uses the API keys you configure to allow you to view/trade your funds on your configured exchange. If the app corrupts or the phone is lost, all you have to do is delete/disable the old API keys by logging on to your exchange and create new API keys when needed.
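The two points made in the posts above (scope the key to what the app actually needs, and the key/secret is used to sign requests rather than to log in) can be shown with a short script. This is an added example, not Cointra's code and not any exchange's real API: the permission names (`account_info`, `trade`, `withdraw`, `deposit`, `transfer`) and the HMAC-SHA256-over-urlencoded-params signing scheme are assumptions modelled on the common pattern exchanges use, so check your own exchange's documentation for its actual names and scheme.

```python
"""Least-privilege check for exchange API keys, plus a generic signed-request round trip.

Added example. Permission names and the signing scheme are assumptions that
mirror the usual exchange pattern; they are not a specific exchange's API.
"""
import hashlib
import hmac
import urllib.parse

# Permissions a trading app legitimately needs (assumed names).
TRADING_APP_NEEDS = {"account_info", "trade"}
READ_ONLY_NEEDS = {"account_info"}
# Permissions that let a key move money out of the account. A trading app
# never needs these, so their presence on the key is a finding.
FUNDS_MOVING = {"withdraw", "deposit", "transfer"}


def check_key_scope(granted, read_only=False):
    """Return (ok, findings) for a key whose permissions are the set `granted`.

    ok is False if the key can move funds or lacks what the app needs.
    Unneeded-but-harmless permissions are reported but do not fail the check.
    """
    granted = set(granted)
    findings = []
    dangerous = granted & FUNDS_MOVING
    if dangerous:
        findings.append("key can move funds: %s; remove before use" % sorted(dangerous))
    needed = READ_ONLY_NEEDS if read_only else TRADING_APP_NEEDS
    missing = needed - granted
    if missing:
        findings.append("key lacks required permissions: %s" % sorted(missing))
    extra = granted - needed - FUNDS_MOVING
    if extra:
        findings.append("key has unneeded permissions: %s" % sorted(extra))
    return (not dangerous and not missing), findings


def sign_request(secret, params, nonce):
    """Client side: the secret stays on the device; only the signature travels.

    The message is the sorted, urlencoded parameters plus a nonce; the
    signature is HMAC-SHA256 over that message (assumed scheme).
    """
    body = dict(params, nonce=nonce)
    payload = urllib.parse.urlencode(sorted(body.items()))
    signature = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_request(secret, payload, signature, last_nonce):
    """Server side: constant-time signature check and strictly increasing nonce.

    Returns (accepted, new_last_nonce). A bad signature or a replayed/old nonce
    is rejected and leaves last_nonce unchanged.
    """
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, last_nonce
    nonce = int(urllib.parse.parse_qs(payload)["nonce"][0])
    if nonce <= last_nonce:
        return False, last_nonce
    return True, nonce


if __name__ == "__main__":
    # Constructed sample: a key someone created with every box ticked.
    ok, findings = check_key_scope({"account_info", "trade", "withdraw"})
    print("over-privileged key ok=%s" % ok, findings)
    # Constructed sample: a read-only key, the zero-risk starting point.
    print("read-only key:", check_key_scope({"account_info"}, read_only=True))

    secret = b"constructed-demo-secret"  # placeholder, not a real API secret
    req = sign_request(secret, {"pair": "BTCUSD", "side": "buy", "amount": "0.01"}, nonce=1)
    print("signed:", req)
    print("server accepts:", verify_request(secret, req["payload"], req["signature"], 0))
    print("replay rejected:", verify_request(secret, req["payload"], req["signature"], 1))
```

The two halves make the same point from different sides: the permission check is what you do once, when creating the key on the exchange, and the signing round trip shows why a leaked signature is useless without the secret and why a leaked secret is only as dangerous as the permissions the key carries.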