Topic: Electrum gpg signature verification on android (Read 187 times)

copper member
Activity: 2338
Merit: 4543
I was asked to respond to another thread about checking the PGP signature on Android, but a lot has been said here so far, so I'll just add my opinion.

Unfortunately, I don't think there is a secure way of verifying PGP signatures on an Android.

I checked the OpenPGP site for Android apps, and only found email encryption clients.  

A quick glance at the GnuPG downloads page does list an Android package that was developed by the Guardian Project.  If you follow that link you'll be directed to a page indicating the project is no longer supported, and directing you to the OpenKeychain project.

At first glance the OpenKeychain project looks promising; lots of downloads and decent reviews, but the only way I've found to get the software is from Google's app store or an alternate app store.  It is open-source, so I can download the source code from GitHub, and build my own .apk after verifying it as safe (assuming I know how to do that).  But I have not found a developer-provided, GPG-signed .apk binary.  Strange.

Then while reading the OpenKeychain FAQs something caught my eye; they recommend sharing your secret keys between devices by transferring them via cloud services.  Okay, it's an encrypted backup, but come on, what's wrong with a USB cable?  Maybe it's just me, I do have trust issues.  Including issues trusting app stores for reasons already discussed, and so it should be obvious I'm not alone.  The reason we're all here is to keep ourselves as safe and secure as possible.  More links added to the chain of trust only contribute to additional risk.  So I think I'll stick to side-loading the Electrum .apk after verifying it on a PC with a trusted PGP client.

But don't get me wrong, I'm not always a security Nazi.  I've been known to use the Google app store to load Electrum, but only after verifying the .apk file found in the release directory, following the link from Electrum's downloads page to the Google Play store.  There are obvious risks to this method, but everybody needs to assess their own risks accordingly.  I've often said about (hot) mobile wallets that they should never contain more money than your fiat/cash wallet.

I understand that many people don't have PCs these days, and can only access their bitcoin on a phone; to those people I suggest you invest in a hardware wallet that works with your phone.  Consider it a very affordable insurance policy.
legendary
Activity: 2268
Merit: 18771
But unfortunately due to laziness on the part of the App Store owners (they have a "why bother" attitude), this will probably never be implemented.
Precisely. It's not worth their time. >99% of users do not even know what verifying is, let alone have the desire to do it, and the ones who are interested in doing it can do it trivially by other means. Further, a good proportion of people who are verifying software probably wouldn't want to download it from the app store anyway, along with whatever trackers or other trash they bundle into your download.

Given that Google can't even spend 30 seconds to remove obvious and provable scams from their app store or their search results, there is no way they care enough about protecting their users' security to implement something like this. I also wouldn't trust any signature that Google shows me - given how trivial it is to get them to accept actual malware on to their platforms, I'm sure it would be equally trivial to get them to accept the wrong PGP key as belonging to one of the devs. So anyone who doesn't really understand what they are doing and just verifies the signature Google shows them against the key Google provides would achieve very little.
legendary
Activity: 1568
Merit: 6660
The Google Play Store (and the Apple Store, and every other App Store in existence) often hosts malware, fake apps, malicious apps, clones, etc. There is very little due diligence done by the owners of these app stores. We regularly see people losing all their coins because they've downloaded a fake wallet from some app store which is disguised to look like the genuine article. So I would recommend the exact opposite of what you have said: Never download an app directly from an app store. Go to Electrum.org, download and verify the .apk file, and install directly from it.


I wish it was easier for users to verify mobile apps from their App Stores.

They could've done something such as display the signature of the binary that is being downloaded to the user and ask them "Is this OK?" (Yes/No), and only then proceed to download and install the app.

Inconvenience cannot be cited as a factor here because the phone makers can just put a setting inside that toggles this option.

Then, the websites of the apps would be able to publicly post their own hash of their binary and tell users to make sure they match.

But unfortunately due to laziness on the part of the App Store owners (they have a "why bother" attitude), this will probably never be implemented.
legendary
Activity: 2268
Merit: 18771
According to some people and guides on Electrum you don't have to worry about the GPG signature for Android mobile
The platform you download a wallet on is irrelevant to the requirement to verify the files.

So make sure you download Electrum directly from Google PlayStore.
The Google Play Store (and the Apple Store, and every other App Store in existence) often hosts malware, fake apps, malicious apps, clones, etc. There is very little due diligence done by the owners of these app stores. We regularly see people losing all their coins because they've downloaded a fake wallet from some app store which is disguised to look like the genuine article. So I would recommend the exact opposite of what you have said: Never download an app directly from an app store. Go to Electrum.org, download and verify the .apk file, and install directly from it.
legendary
Activity: 3472
Merit: 10611
According to some people and guides on Electrum you don't have to worry about the GPG signature for Android mobile
Because all Electrum downloads for Android are already verified by the Google play store.

So make sure you download Electrum directly from Google PlayStore.
Trusting a centralized company when it comes to your bitcoins has never been a good idea. Especially a company known for constantly gathering privacy-violating user data. You would have no way of knowing whether they have injected anything into the software.
legendary
Activity: 3472
Merit: 3217
According to some people and guides on Electrum you don't have to worry about the GPG signature for Android mobile
Because all Electrum downloads for Android are already verified by the Google play store.

So make sure you download Electrum directly from Google PlayStore.
legendary
Activity: 2870
Merit: 7490
If you're looking for software to manage GPG on Android, I could only recommend OpenKeychain[1]. The other options for Android are either no longer maintained (such as GnuPG[2]), not popular enough (such as KeyManager[3]) or only meant for email encryption[4]. But as @pooya87 said, you'll need to download and install the APK manually from the Electrum official website rather than install it from the Play Store in order to perform verification.

[1] https://www.openkeychain.org/
[2] https://guardianproject.info/archive/gnupg/
[3] https://github.com/Yash-Garg/KeyManager
[4] https://pep.software/android/
legendary
Activity: 3472
Merit: 10611
There are a few Android apps on Google Play, such as "GPG Mobile"
Do you mean this? Because that is like an online store from a company called "GPG Mobile Romania" not a GPG signature verification tool.

"OpenKeychain", which allow you to import, encrypt, sign etc.
I don't think this has the file signature verification. It looks more like a message app using PGP to encrypt communication.
legendary
Activity: 1568
Merit: 6660
There are a few Android apps on Google Play, such as "GPG Mobile" and "OpenKeychain", which allow you to import, encrypt, sign etc. PGP signatures. For iOS (unrelated but for informational purposes), I have used an app called "Instant PGP" for verifying messages [Of course, you must import a public key to use any of these in the first place].
legendary
Activity: 3472
Merit: 10611
I don't think they've made such a thing for Android (to manually perform the GPG verification inside your phone), especially since people always download and install their apps from an app store.

What you could do is to download the .apk file and its corresponding signature from https://electrum.org/ and verify that signature on your PC then transfer the .apk file to your Android phone and install it manually.
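The PC-side step described in this post (and the "verify on a PC with a trusted PGP client, then side-load" workflow in the first post of the thread) as a worked example. This is an added script, not code from the thread or from the Electrum project. It assumes GnuPG is installed on the PC, that the .apk and its detached .asc signature were downloaded from electrum.org, and that EXPECTED_FPR is replaced with the developer's signing-key fingerprint obtained from the developer's own channel; the placeholder value below is not a real fingerprint. The point the script makes is that a zero exit status from gpg --verify is not enough on its own: it only says that some key in your keyring signed the file, so the script also checks which key did.

```shell
#!/bin/sh
# Added example: verify a release .apk and its detached GPG signature on a PC
# before side-loading it to a phone. Not the thread's or Electrum's own code.
set -u

# Placeholder: replace with the developer's fingerprint from electrum.org,
# not from an app store listing, a keyserver search result, or this script.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_DEVELOPER_KEY_FINGERPRINT}"

# Normalise a fingerprint for comparison: drop spaces, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# verify_release FILE SIGFILE FINGERPRINT
# Returns 0 only when gpg reports a VALIDSIG whose primary-key fingerprint
# equals FINGERPRINT. gpg's exit status alone says "signed by some key in
# the keyring", which is a weaker statement than "signed by the expected key".
verify_release() {
    file=$1; sig=$2; want=$(norm_fpr "$3")
    # --status-fd 1 puts machine-readable "[GNUPG:] ..." lines on stdout.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # "[GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>": take the last field.
    got=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF}')
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$want" ]
}

# main FILE.apk: verify FILE.apk against FILE.apk.asc, then push it to the
# phone over USB with adb (the "USB cable" route from the first post).
main() {
    apk=$1
    if verify_release "$apk" "$apk.asc" "$EXPECTED_FPR"; then
        echo "good signature from the expected key; installing $apk"
        adb install "$apk"
    else
        echo "signature check FAILED for $apk: do not install it" >&2
        return 1
    fi
}

# Usage: sh verify_apk.sh --run Electrum-x.y.z.apk
[ "${1:-}" = "--run" ] && [ -n "${2:-}" ] && main "$2"
```

The fingerprint comparison is the part people skip: importing a key from wherever and then trusting a green "Good signature" line reproduces exactly the problem o_e_l_e_o describes above, where whoever controls the key source controls the result. Checking the primary-key fingerprint from the VALIDSIG status line against a value you obtained independently closes that gap.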
copper member
Activity: 7
Merit: 5
Hello everybody! How do I check a GPG signature on Android? Help