WalletScrutiny
_@WalletScrutiny.com
npub1j9kt...uswx
Know your wallet like you made it! Our goal is to improve the security of Bitcoin wallets by examining products for transparency and potential attacks.
Has anybody noticed that we now have "screen recordings" in our reproducibility tests? As another project is sharing "video proof" of reproducibility, we were asked to also do so but it felt kind of pointless to produce GBs of data for every reproducibility test. We did however start playing around with console recordings that are somewhat more optimized as they record the ASCII on the screen and not every pixel. Resulting files are much more manageable but for example, running the compile script for the Electrum for Android app resulted in 72MB of output. As we test a lot, this is a lot to add in a single day. Does anybody care about screen recordings? Can we throw them at some nostr relay instead of our git repo, with some expiry date in three months, so that interested users can grab it while it's hot? Any other ideas? Currently the tiniest ascii cast is the one for the Schildbach "Bitcoin Wallet":
Among the reproducible Android wallets, Zeus appears to be the first to have switched to Android App Bundles. We tested what we got from Google - the arm64-v8a version - and found all bytes accounted for, giving it the verdict "reproducible" but with somewhat of a headache … Android App Bundle or AAB in short allows Google to provide each user a tailored version of the product. For example in the case of this wallet, the older format contained binaries for arm64-v8a, armeabi-v7a, x86 and x86_64 CPUs. The new format only for "your" CPU.
[image]
And that makes the app much smaller. In this case the zeus-universal.apk weighs 92MB while the zeus-arm64-v8a.apk only weighs 32MB. With games where assets for bigger screens can be excluded for lower end devices, this can make even more of a difference. But it also implies that Google gets the developer's signing key, theoretically enabling them to also tailor security aspects of your apps - on a case by case basis. Google is pushing for AAB to trim MBs off all these apps but this comes at a cost:
* Security: Where before, only the developer could sign an update, now Google engineers can, too.
* Transparency: Where before, only one binary was circulating per version, now many circulate.
The full analysis of the latest Zeus wallet can be found here:
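The "all bytes accounted for" check above compares the APK Google serves against a local build of the same version. As an added example (not WalletScrutiny's own test scripts), the Python below does that comparison entry by entry: the META-INF signature files that only a signed store copy has are set aside, and everything else must match byte for byte. The sample APKs are constructed in memory; the third case shows why, with AAB, the matching split (arm64-v8a here) has to be built rather than the old universal APK, since the extra ABI libraries in the universal build have no counterpart in the split.

```python
"""Entry-by-entry comparison of two APKs.

Added example, not WalletScrutiny's own tooling: a reproducibility check in
the spirit of the post above. The APK served by Google Play carries signature
entries under META-INF/ that an unsigned local build cannot have, so those are
set aside; every other entry must be byte-for-byte identical for the build to
be called reproducible.
"""
import hashlib
import io
import zipfile

# Signature entries expected to differ between a store APK and a local build.
SIGNATURE_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(built: bytes, downloaded: bytes) -> dict:
    """Report entries missing on either side and entries whose bytes differ."""
    a, b = entry_digests(built), entry_digests(downloaded)
    common = set(a) & set(b)
    return {
        "only_in_built": sorted(set(a) - set(b)),
        "only_in_downloaded": sorted(set(b) - set(a)),
        "differ": sorted(n for n in common if a[n] != b[n]),
        "identical": sum(1 for n in common if a[n] == b[n]),
    }


def is_reproducible(report: dict) -> bool:
    return not (report["only_in_built"] or report["only_in_downloaded"] or report["differ"])


def make_apk(entries: dict) -> bytes:
    """Write a minimal zip in memory; a constructed stand-in for a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample content. ARM64_CONTENT is what a local build of the
# arm64-v8a split would contain; STORE_COPY is the same content after signing.
ARM64_CONTENT = {
    "AndroidManifest.xml": b"<manifest package='example.wallet'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    "lib/arm64-v8a/libwallet.so": b"\x7fELF" + b"\x01" * 32,
}
SIGNATURE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82" + b"\x00" * 16,
}
LOCAL_ARM64_BUILD = make_apk(ARM64_CONTENT)
STORE_COPY = make_apk({**ARM64_CONTENT, **SIGNATURE_ENTRIES})
# A store copy whose code differs from the build: must be flagged.
TAMPERED_COPY = make_apk({**ARM64_CONTENT, **SIGNATURE_ENTRIES,
                          "classes.dex": b"dex\n035\x00" + b"\xff" * 64})
# The old-style universal APK also ships the other ABIs; comparing it with an
# AAB-derived split fails on the extra library, so the matching split must be
# built instead.
LOCAL_UNIVERSAL_BUILD = make_apk({**ARM64_CONTENT,
                                  "lib/armeabi-v7a/libwallet.so": b"\x7fELF" + b"\x02" * 32})

if __name__ == "__main__":
    cases = (("arm64 split vs store", LOCAL_ARM64_BUILD, STORE_COPY),
             ("arm64 split vs tampered", LOCAL_ARM64_BUILD, TAMPERED_COPY),
             ("universal vs store", LOCAL_UNIVERSAL_BUILD, STORE_COPY))
    for label, built, got in cases:
        report = compare_apks(built, got)
        verdict = "reproducible" if is_reproducible(report) else "NOT reproducible"
        print(f"{label}: {verdict} {report}")
```

Real APKs are also zip files, so the same functions work on files read from disk; what the script does not cover is the signing key itself, which is exactly the part that AAB hands to Google.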
Do you know a thing or two about compiling stuff? Do you care about people not getting rug-pulled by their Bitcoin wallets? Please help us stay on top of all these wallets! We now list more than 6000 products and also those with a top verdict - reproducible - are thankfully getting more and more but that also means more and more on-going work as we test reproducibility not only once but ideally with every new release and for every build artifact (Bitcoin only edition and the shitcoins-included edition and x86_64 and armeabi, ...) The latest tests performed - and all found to be reproducible - were for these three: * * *
The re-design is finally live! Great thanks to
* Spiral for sponsoring us
* the Bitcoin Design Community for awesome improvements that we have refined over 16(?) calls and who knows how much research between the calls
* @vswee who implemented the very challenging changes over 350 commits!
Check it out at
Please be gentle. We probably have missed many details. Bug reports and feature requests are as always welcome at
PSA: If you use Atomic Wallet, **do not** open it with an internet connection. You **will lose your funds**. Restore your backup in a compatible wallet and move the funds to a different seed.
[image]
Will Ledger recover from "Ledger Recover" backlash? Probably. Most customers will not notice. Most that do will not understand what's going on. It will blow over but some will level up and learn what was long common knowledge for experts. #ledgerrecover Many users claim to prefer Ledger hardware wallets as they use a so called "secure element" or SE. This chip is advertised to resist sophisticated physical attacks but part of the defense of these chips is legal in nature - talking about flaws or details is forbidden. To use an SE, companies have to sign NDAs and are required to not share aspects of the chip. This also includes not sharing the code they run on said chip. If you can't verify, you have to trust. Trust the claims of the provider. And these claims were unequivocally clear:
[image]
Yesterday Ledger announced a new product, enabled with a firmware update that does just what prior was advertised as being impossible: Send your keys to trusted parties with While many take aim at the potentially insecure storage of keys with such third parties and criticize the KYC required for it, the main issue here is that of trust. If this is possible and undetectable, have they maybe already built in legal confiscation features? If you believe in "Don't trust. Verify!" your only option is to use verifiable tools. We list those and follow up with them. Check how transparent your preferred Bitcoin wallet is at
Kaspersky took apart a modified Trezor Model T. Key takeaways:
* The modification was not detectable upon visual inspection
* The device performed like a normal device
* It had "firmware 2.0.4" installed, which to a normal user would not raise suspicion
* It used poor entropy - a set of only 20 possible seed phrases. This entropy is so small it probably is designed to let the user get new keys on demand but different victims would probably have different sets of keys so as not to find other people's coins
* It prevented effective passphrase protection by only considering the first letter of a passphrase - the user would feel protected by seeing different wallets for different passphrases but the hacker could trivially brute force all possible passphrases
https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155
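Two of the findings above (a 20-phrase seed pool and a passphrase reduced to its first letter) are properties a user can probe from the outside without opening the device. The added example below, written for this page and not taken from Kaspersky or Trezor, implements the standard BIP39 seed derivation and runs two checks against it: seeds must change when any character of the passphrase changes, and repeated resets must never repeat a phrase. The "tampered" generator and the truncating derivation are constructed models of the behaviour described in the post, present only so the checks have something to flag; the test vector is the first published BIP39 vector.

```python
"""Two sanity checks prompted by the Kaspersky findings above.

Added example, not Kaspersky's or Trezor's code. The BIP39 seed derivation
(PBKDF2-HMAC-SHA512, salt "mnemonic" + passphrase, 2048 rounds, 64 bytes) is
the published standard; the "tampered" models below are constructed stand-ins
for the behaviour the post describes, used only to show what a checker sees.
"""
import hashlib
import random
import secrets
import unicodedata

# First published BIP39 test vector: 11 x "abandon" + "about", passphrase "TREZOR".
VECTOR_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Standard BIP39: every character of the passphrase changes the seed."""
    pwd = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", pwd, salt, 2048, dklen=64)


def truncating_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Constructed model of the modified firmware: only the first letter counts."""
    return bip39_seed(mnemonic, passphrase[:1])


def matches_test_vector() -> bool:
    """Confirms the PBKDF2 parameters against the published vector."""
    return bip39_seed(VECTOR_MNEMONIC, "TREZOR").hex() == VECTOR_SEED_HEX


def passphrase_is_fully_used(derive, mnemonic: str) -> bool:
    """Check 1: passphrases that share a first letter, or differ only after
    the first character, must still give different seeds (different wallets)."""
    probes = [("apple", "avocado"), ("correct horse", "correct hors"), ("x", "xy")]
    return all(derive(mnemonic, a) != derive(mnemonic, b) for a, b in probes)


def distinct_mnemonics(generate, trials: int) -> int:
    """Check 2: count distinct phrases over repeated resets. A genuine device
    draws 128+ bits of fresh entropy, so every trial must produce a new phrase."""
    return len({generate() for _ in range(trials)})


def honest_generate() -> str:
    # Stand-in for a real generator: 128 bits of fresh entropy as hex. Mapping
    # to the 2048-word list is omitted since it does not affect the count.
    return secrets.token_hex(16)


# Constructed model of the 20-phrase pool the post describes.
TAMPERED_PHRASES = [f"constructed phrase {i}" for i in range(20)]


def tampered_generate() -> str:
    return random.choice(TAMPERED_PHRASES)


if __name__ == "__main__":
    print("BIP39 vector ok:", matches_test_vector())
    print("genuine derivation uses full passphrase:",
          passphrase_is_fully_used(bip39_seed, VECTOR_MNEMONIC))
    print("truncating derivation uses full passphrase:",
          passphrase_is_fully_used(truncating_seed, VECTOR_MNEMONIC))
    print("distinct phrases over 50 resets, genuine / tampered:",
          distinct_mnemonics(honest_generate, 50),
          distinct_mnemonics(tampered_generate, 50))
```

On a real device the same checks are done by hand: load the same mnemonic with the passphrases "apple" and "avocado" and confirm the receive addresses differ, and reset the device a few times and confirm no phrase ever repeats. Neither check requires trusting the firmware's own reporting.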
Those links used to be all with the universal 🌐 globe symbol. Now the most common brands are easier to spot ...
[image]
52 new verdicts were released today.
* 25 products were custodial
* 8 were closed source
* 8 were wallets but not for #Bitcoin
* 5 turned out to be no wallets at all
* 2 were vapor ware
* 1 did not support sending or receiving Bitcoin - only speculating on its value
* 1 was not released yet
* 1 was do-it-yourself
* 1 will need more investigations