Wallet Logo

Bitcoin Wallet - Airbitz

latest release: 2.4.12 last analysed  10th November 2019 Not reproducible from source provided  
3.4 ★★★★★
1150 ratings
100thousand
1st April 2014

Jump to verdict 

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

Bitcoin Wallet - Airbitz claims to be non-custodial and open source but being the predecessor of Edge, it gets a bit confusing here as it points to the same website for its open source:

• Open-source code. Available at https://github.com/Airbitz

At github.com/Airbitz though, as mentioned in the article on Edge there is no code and we get forwarded to github.com/EdgeApp where there are currently 130 repositories and 81 repositories created by EdgeApp. There at first sight, the most likely source code for Airbitz Android app is airbitz-android-gui.

airbitz version on playstore

The Playstore mentiones Airbitz currently and since one year to be at version 2.4.12 yet on GitHub the latest tag is 2.2.0 from three years ago. The currently latest commit on master appears promising, as it has the commit comment “2.4.12”, the version we would hope to see matching the Playstore apk.

So … what do the build instructions tell us?

The Airbitz android application comes in 3 flavors. Production, Testnet and Develop. To build it issue one of the following commands:

Develop version (Seperate App ID which does not conflict with production version. Also uses the develop branch of airbitz-core-java)

./gradlew installDevelopDebug

Testnet version

./gradlew installNettestDebug

Production version

./gradlew installProdDebug

For a reproducible build I would have hoped to find some buildProdRelease and not only ...Debug.

So … lets try this:

airbitz-android-gui/Airbitz$ ./gradlew installProdDebug
Parallel execution is an incubating feature.
Incremental java compilation is an incubating feature.

FAILURE: Build failed with an exception.

* What went wrong:
A problem occurred configuring project ':airbitz'.
> Could not resolve all dependencies for configuration ':airbitz:_nettestDebugApk'.
   > A problem occurred configuring project ':libs:airbitz-directory'.
      > No toolchains found in the NDK toolchains folder for ABI with prefix: mips64el-linux-android

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 1.415 secs

Given there is no promise of reproducibility and no instructions on how to build the release version or implicit promise about plugins and APIs not resulting in big differences, we give up here for now and conclude the now obsolete but still available for install wallet Airbitz is not verifiable in its current form.

(lw)

Verdict Explained

We could not verify that the provided code matches the binary!

As part of our Methodology, we ask:

Is the published binary matching the published source code? If not, we tag it Unreproducible!  

Published code doesn’t help much if it is not what the published app was built from. That is why we try to reproduce the binary. We

  1. obtain the binary from the provider
  2. compile the published source code using the published build instructions into a binary
  3. compare the two binaries
  4. we might spend some time working around issues that are easy to work around

If this fails, we might search if other revisions match or if we can deduct the source of the mismatch but generally consider it on the provider to provide the correct source code and build instructions to reproduce the build, so we usually open a ticket in their code repository.

In any case, the result is a discrepancy between the app we can create and the app we can find on the app store and any discrepancy might leak your backup to the server on purpose or by accident.

As we cannot verify that the source provided is the source the app was compiled from, this category is only slightly better than closed source but for now we have hope projects come around and fix verifiability issues.

The app cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The app might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.