WalletScrutiny
_@WalletScrutiny.com
npub1j9kt...uswx
Know your wallet like you made it! Our goal is to improve the security of Bitcoin wallets by examining products for transparency and potential attacks.
Among the reproducible Android wallets, Zeus appears to be the first to have switched to Android App Bundles. We tested what we got from Google - the arm64-v8a version - and found all bytes accounted for, giving it the verdict "reproducible" but with somewhat of a headache …
Android App Bundle, or AAB in short, allows Google to provide each user a tailored version of the product. For example, in the case of this wallet, the older format contained binaries for arm64-v8a, armeabi-v7a, x86 and x86_64 CPUs. The new format only for "your" CPU.
And that makes the app much smaller. In this case the zeus-universal.apk weighs 92MB while the zeus-arm64-v8a.apk only weighs 32MB. With games, where assets for bigger screens can be excluded for lower-end devices, this can make even more of a difference.
But it also implies that Google gets the developer's signing key, theoretically enabling them to also tailor security aspects of your apps - on a case-by-case basis.
Google is pushing for AAB to trim MBs off all these apps, but this comes at a cost:
* Security: Where before, only the developer could sign an update, now Google engineers can, too.
* Transparency: Where before, only one binary was circulating per version, now many circulate.
The full analysis of the latest Zeus wallet can be found here:
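The "all bytes accounted for" check described in the post boils down to comparing the APK that Google serves with one rebuilt from source, ignoring only the entries that the signing step adds. The following is an added example of that comparison, written for this page and not WalletScrutiny's own tooling; the APKs it compares are small constructed zip files that mimic the layout of a split (arm64-v8a only) APK and a universal one, and the function names are this example's own.

```python
import hashlib
import io
import zipfile

# Entries that APK v1 (JAR) signing adds. A rebuilt, unsigned APK will not have
# them, so they are excluded from the byte comparison. (v2/v3 signatures live in
# the APK Signing Block outside the zip entries and are not seen by ZipFile.)
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name: str) -> bool:
    """True for zip entries produced by the v1 signing step."""
    if not name.startswith("META-INF/"):
        return False
    return name in SIGNATURE_ENTRIES or name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_hashes(apk_bytes: bytes) -> dict:
    """Map entry name -> SHA-256 of its uncompressed content, skipping signature entries."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def abis_in_apk(apk_bytes: bytes) -> list:
    """CPU ABIs that have native libraries in the APK (lib/<abi>/...)."""
    abis = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) >= 3 and parts[0] == "lib":
                abis.add(parts[1])
    return sorted(abis)


def compare_apks(downloaded: bytes, rebuilt: bytes) -> dict:
    """Report whether every non-signature byte of the download is explained by the rebuild."""
    a, b = entry_hashes(downloaded), entry_hashes(rebuilt)
    common = a.keys() & b.keys()
    return {
        "reproducible": a == b,
        "differing": sorted(n for n in common if a[n] != b[n]),
        "only_in_downloaded": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
    }


def build_apk(files: dict, signed: bool) -> bytes:
    """Constructed stand-in APK: a zip with the given entries plus optional v1 signing metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82constructed-cert-blob")
    return buf.getvalue()


# Constructed sample content; none of this is real app data.
COMMON = {
    "AndroidManifest.xml": b"<manifest package='example.wallet'/>",
    "classes.dex": b"dex\n035\x00constructed",
    "lib/arm64-v8a/libwallet.so": b"\x7fELF-arm64-constructed",
}
UNIVERSAL_EXTRA = {
    "lib/armeabi-v7a/libwallet.so": b"\x7fELF-arm32-constructed",
    "lib/x86/libwallet.so": b"\x7fELF-x86-constructed",
    "lib/x86_64/libwallet.so": b"\x7fELF-x86_64-constructed",
}

# What a Play Store download of an AAB-served app looks like: one ABI, signed.
DOWNLOADED_SPLIT = build_apk(COMMON, signed=True)
# What a verifier rebuilds from source for that ABI: same entries, no signature.
REBUILT_SPLIT = build_apk(COMMON, signed=False)
# The older universal APK carries every ABI.
UNIVERSAL = build_apk({**COMMON, **UNIVERSAL_EXTRA}, signed=True)
# A download whose dex differs by one byte from the rebuild must be caught.
TAMPERED = build_apk({**COMMON, "classes.dex": b"dex\n035\x00constructeX"}, signed=True)

if __name__ == "__main__":
    print("split ABIs:      ", abis_in_apk(DOWNLOADED_SPLIT))
    print("universal ABIs:  ", abis_in_apk(UNIVERSAL))
    print("split vs rebuilt:", compare_apks(DOWNLOADED_SPLIT, REBUILT_SPLIT))
    print("tampered vs rebuilt:", compare_apks(TAMPERED, REBUILT_SPLIT))
```

The comparison only says "reproducible" when the set of entries and every entry's content match; extra native libraries in the download, or a single changed byte in `classes.dex`, show up as a named difference rather than a silent pass. Note that with AAB each ABI split is a separate artifact, so the check has to be repeated per split, which is the extra work the post alludes to.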
Do you know a thing or two about compiling stuff? Do you care about people not getting rug-pulled by their Bitcoin wallets? Please help us stay on top of all these wallets!
We now list more than 6000 products, and those with a top verdict - reproducible - are thankfully getting more and more, but that also means more and more ongoing work, as we test reproducibility not only once but ideally with every new release and for every build artifact (Bitcoin-only edition and the shitcoins-included edition, x86_64 and armeabi, ...).
The latest tests performed - and all found to be reproducible - were for these three:
The re-design is finally live! Great thanks to
* Spiral for sponsoring us
* the Bitcoin Design Community for awesome improvements that we have refined over 16(?) calls and who knows how much research between the calls
* @npub1vwuf...zl6z who implemented the very challenging changes over 350 commits!
Check it out at
Please be gentle. We probably have missed many details. Bug reports and feature requests are as always welcome at
PSA: If you use Atomic Wallet, **do not** open it with an internet connection. You **will lose your funds**. Restore your backup in a compatible wallet and move the funds to a different seed.
Will Ledger recover from "Ledger Recover" backlash? Probably. Most customers will not notice. Most that do will not understand what's going on. It will blow over, but some will level up and learn what was long common knowledge for experts. #ledgerrecover
Many users claim to prefer Ledger hardware wallets as they use a so-called "secure element" or SE. This chip is advertised to resist sophisticated physical attacks, but part of the defense of these chips is legal in nature - talking about flaws or details is forbidden. To use an SE, companies have to sign NDAs and are required to not share aspects of the chip. This also includes not sharing the code they run on said chip. If you can't verify, you have to trust. Trust the claims of the provider. And these claims were unequivocally clear:
Yesterday Ledger announced a new product, enabled with a firmware update, that does just what prior was advertised as being impossible: Send your keys to trusted parties with
While many take aim at the potentially insecure storage of keys with such third parties and criticize the KYC required for it, the main issue here is that of trust. If this is possible and undetectable, have they maybe already built in legal confiscation features?
If you believe in "Don't trust. Verify!", your only option is to use verifiable tools. We list those and follow up with them. Check how transparent your preferred Bitcoin wallet is at
Kaspersky took apart a modified Trezor Model T. Key takeaways:
* The modification was not detectable upon visual inspection
* The device performed like a normal device
* It had "firmware 2.0.4" installed, which to a normal user would not raise suspicion
* It used poor entropy - a set of only 20 possible seed phrases. This entropy is so small it probably is designed to let the user get new keys on demand, but different victims would probably have different sets of keys so as not to find other people's coins
* It prevented effective passphrase protection by only considering the first letter of a passphrase - the user would feel protected by seeing different wallets for different passphrases, but the hacker could trivially brute-force all possible passphrases
https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155
Those links used to be all with the universal 🌐 globe symbol. Now the most common brands are easier to spot ...
52 new verdicts were released today.
* 25 products were custodial
* 8 were closed source
* 8 were wallets but not for #Bitcoin
* 5 turned out to be no wallets at all
* 2 were vaporware
* 1 did not support sending or receiving Bitcoin - only speculating on its value
* 1 was not released yet
* 1 was do-it-yourself
* 1 will need more investigation
Our stated mission is to look into Bitcoin wallets, and with bearer tokens like the [Opendime](https://walletscrutiny.com/bearer/opendime/) we already ventured into products that clearly are not wallets but are meant to keep your private keys safe, so users want to know: Do they really keep you safe from loss?
Now we came across products that are marketed as "crypto vaults" but are more akin to [password managers](https://en.wikipedia.org/wiki/Password_manager) like LastPass - a general store of important data. By being marketed to keep your important data safe, they clearly are being used for Bitcoin, too. The crypto-themed one we are looking at right now has 100k installs on Google Play.
Should we look into those or is that mission creep?
From the start we wanted to look into desktop wallets, but it's really hard. For example, for Electrum there are 23 different ways of getting the binary, and those are probably +20 different binaries.
* We do not have the resources to check them all with every release.
* We have no idea how to communicate our findings to the user.