Topic: Is your Android Wallet secure? Most of the 37 wallets should scare you! - page 2. (Read 934 times)

Yeah, I like the project with researching the security of wallets, but why are you looking specifically at Android Wallets? I mean, does the majority of users even store Bitcoins on Android..? I thought people preferred online versions and cold wallets instead. I would never install a wallet onto my smartphone, for instance. And since the article about the methodology of this project admits that verifiability does not really say about much, I wonder whether the team is thinking about improving the methodology by adding some other factors to consider. It could be really useful to know which wallets are more secure and which are less, but limiting the project to, basically, exit scam possibility for Android wallets seems too narrow.

I also have only used Electrum in Android, and for small amounts its adequate. Remember your phone could be stolen/lost at anytime, so its not just the OS weaknesses. Of course that has a pin, and if stolen you would have enough time to retrieve your seed words home and move anything out before they manage to guess it (unless they already saw you).

In any case being inherently riskier, mobile wallets should be relegated for very small, perhaps a day worth of use at most.

I don't particularly trust anything not open source to begin with. And Android is plagued from that, just like Windows. Linux can't help when surrounded by closed software, which is how its done in Android. Suppose that joke about windows going Linux as kernel becomes reality, its still a piece of malware ridden garbage because everything else is insecure.

And yes, Apple is very insecure for the very same reason as well. No code, no proof of you not sneaking on my back.

In my own opinion, every android or mobile wallet is really not that secure because no system is safe for hackers if your wallet is accessible online, even you used third party apps that makes your wallet more secure it will still not help, that is why most experts recommends using a hardware wallet like ledger and trezor because it will be very difficult for hackers to access in that kind of wallet that can you store offline.

The fact is, more and more people are using mobile wallets and everyone wonders how safe they are. I can only say that so far I have only used the Electrum Android version and that I have no objection to anything related to that wallet. I find it safe until the opposite is proven, and for bigger amounts, I will never use it anyway.

I know that this project is solely focused on the security of mobile wallets, but the security of the operating system itself should not be neglected. For example, if you use a very old version of Android that no longer supports updates/patches, any mobile wallet in such a potentially dangerous environment is just an extra risk, no matter how safe it is. It should also be highlighted that most people do not perceive the security of their smartphones as something important, as if there were no viruses/malware for Android/iOS.

So I saw this post and clicked on it.
Hmm, can't build bitpay wallet, can't build copay cant find bitcoin.com
As a NOOB I built copay took about an hour.

Bitcoin.com is a copay clone, took about 3.2 seconds of searching to find it:
https://github.com/Bitcoin-com/Wallet

No idea if the above is the correct one but it is there.

At least one other one also exists that they could not find. Don't remember which one it was, have not had coffee yet.


Since the authors say that they contribute to mycelium perhaps they should spend more time fixing that app then slamming others.
https://bitcointalksearch.org/topic/mycelium-transaction-signing-failed-5204973
https://bitcointalksearch.org/topic/mycelium-ios-wallet-wont-sync-5208593

Rassah has not logged on here in 6 months, the support link on their website is dead, so yeah, let's mark it as safe.

I use to use mycelium a lot, however with the issues that everyone seems to be having syncing, the lack of updates for ios, and various other issues, it's gone to shit so I stopped using it / recommending it. It's great that it's open source and secure, but if I can't connect to their servers and have to import my key into another wallet to spend then whats the point. And lets not forget the ads that come up that not everyone can turn off:
https://github.com/mycelium-com/wallet-android/issues/527


-Dave

I agree, I'm intrigued that is why I also clicked this topic. 


I'm using any wallets in the playstore as long as it has a good feedback on it, mostly about the developer, because if the developer himself is not active at all, that wallet would be a suicidal wallet for your cryptocurrency. For the verifiable wallets, I only have one and I only trust those who have an actual company so I can contact their customer service on their working hours, like coins.ph.

I also have a trezor, and I find it more reassuring than other wallets you could find online.

Good thing that you recognize this problem. Just because code is open source and verifiable doesn't mean anyone is actually going out of their way to do this.

One suggestion is to introduce a thread in the technical and wallet section for Bitcoin. There are actual wallet users there who are good with coding (I'm not one of them) who, if interested could try out your code. How many programmers do you have?

If you think we should add them, share the links to the Playstore listing, please.

Yes, they have android wallets. I'm using eidoo on my android phone and exodus on my iPhone but I know that it has a version for Android, too.



But it is definitely cool conversing with the lead dev of Android for Mycelium.

A low rating, if totally objective, should always be welcome as it is a good start for improvement or any necessary adjustment. An objective rating, however low it may be, is always a constructive one. But if it is done out of pure subjectivity, it should be annoying.

May I pick on the "reputed publishers" there? Do you know who they are? If the publisher hides in secrecy, that on its own is a huge red flag for me.

I totally agree on hardware wallets being the way to go but my list involves wallets with a combined download count of 20 million and a hardware wallet still costs over $100. You only invest $100 if your expected loss of not doing so is greater than $100. If you estimate your chance of the wallet losing funds at 5%, you won't use a hardware wallet for anything up to $2000. The exit scammer though may empty a million accounts at once, so here there is a lot of money to be made. Lets spot the black sheep and kick them out.


Thanks for the feedback! Scary landing page was certainly intended. Boring techy stuff was more the result of us wanting to justify our conclusions. To not show what we tried would look like we didn't try and we don't want to call out wallets on a whim. Maybe we can move the "analysis protocols" into separate documents for the more technically inclined audience?


So far nobody has discovered the donate button but I was thinking of adding one per wallet and make it kind of a popularity contest that also pays for the project.


Currently it's even worse: Only three are publicly verifiable which is not the same as actually being verified which would be an expensive and ongoing process.

As nobody cares, it probably doesn't mean much yet, as I refuse to believe that the other 34 are scammers but if people wake up to the idea that verifiability matters, we will see which wallets will actually come forward and make their apps verifiable and which don't.

I don't understand sentence 2 and 3. Many wallets are open source but not verifiable. Those I hope to win over. The closed source wallets I consider outright evil.

You mean like a pop-up on the landing page?
Do you care?
O Yes
O No
?


You mean this wallet?


I am considering to mark Android wallets that support hardware wallets for a start but hardware wallets on their own are a very different kind of tool than Android apps.


Honored by your trust but as stated on the detailed analysis of that wallet, contributors to walletscrutiny are also contributors to Mycelium. In fact I introduced verifiability to Mycelium a year or so ago and it's an integral part of our release protocol to have each build be verified by at least a second engineer. No malware on the release manager's machine should be able to sneak in backdoors.

It's so relieving to see my favourite wallet Mycelium in the verifiable section. I think this post will spur cryptocurrency wallets to be more secured in safeguarding the assets of their users. A big thumbs up to all the developers of this project. I would be glsd if you can cinsider looking at HubrisOne wallet, I think that wallet might scam users someday to come.

OMG! this post really scared the shit out of me looking at the numerous number of wallets that are not verifiable. Not even a whole blockchain wallet. Thanks a lot for this info guys, i will keep an eye on your website for further developments. I noticed you did not review Trust wallet though it is one of the widely used cryptocurrency wallet. Also can you consider the review of these hardware wallets in the near future?

The thing is if the companies behind it were to hear from the actual voices of their users, maybe they would. I doubt it would happen any time soon because I think they don't want someone making their programs open source, especially with the public. Is this the only reason why you started this project?

I do think that it would help your project if you conducted a mini-survey before visiting your site to see if users "care."

I have gone through the site to check the android wallets but found only 3 wallets to be verified. Can you tell me what does it mean by Non - Verifiable ?




 

You have a point. Perhaps a community rating might be a better solution ^{[I do know that there's already a column for google play ratings but some of them tend to artificially inflate those ratings]}.

• Restrict a single IP to vote/rate only once for each ^{[I know it wouldn't completely eliminate users from abusing it but it's a step in the right direction]}.
• Implement a system to allow only veteran forum users to vote/rate by verifying/publishing their reviews/ratings based on their provided "signed messages" ^{[from the addresses that are present on their profiles here]}.

---

You already did the right thing and it's quite clear that you're different from other so-called spammers

I'm waiting for Electrum to be verified though we knew the fact that it's trusted but this intrigued me anyway since Electrum is the most use wallet here.

Just don't use any extension. It bypass all information from what we search to everything we have on our desktop.

First of all, I still don't understand how can people just keep money on a phone which then then they keep unlocked in the back pocket.
Then, as shown by OP website, what you download is not exactly what you expect, even in the case of reputed publishers (like Electrum, Samourai, ..)
What I want to tell is that crypto wallets on Android should really use hardware wallets if we talk about a bit bigger funds.

Now about the website. The initiative is great, but the implementation needs a bit more care for the newbies. In the way it's shown now it's big, it's scary for the newbies and most would not know how to read between the lines the info they need. Maybe those big diff pages should be shown only "by request" by the ones who what to see more than the conclusions (and even those would have a "show more" and a "show all" option?)

Absolutely, don't install any softwares INCLUDING apps, files or anything that can come up to your phone. Also have a very secured account not only wallet or crypto account but also your social media accounts. Because they can seek information on your accounts that can make them access you accounts.

Much better if you will not leave your account logged in into another gadget because it's hard to trust people easily. And don't post or input some private information in your social media accounts. All of those infos can be a key to your wallet so be careful.

Thank you! I'm polishing it and hope to standardize it more, as it should get automated anyway, so what you see so far is the experimentation phase.


Being a wallet dev myself (lead dev Mycelium for Android) being subjective is not cool. I would love to but there is people hating me with a passion because I rated their wallet one star 3 years ago. If I say something about other wallets, it better be solid


Ah, now I remember how this forum works. OMG. Haven't posted in years. Should I group my posts now or is the harm already done and I will get banned from the forum anyway?

Edit: deleted two posts. Bumping was not my intention.

I'm not going to pretend that I did understand every bit of the "coding part explanations" but I appreciate what you did there...

Suggestion:

• You might want to consider adding another column for rating them based on how secure they are ^{[regardless of it being subjective]}.

---