Spark Lightning Wallet
Latest release: 0.3.1 (8th November 2021)
Last analysed: 2nd December 2021
Not reproducible from source provided
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis
Spark is beta-quality software under active development, please use with care.
From its GitHub page:
Spark is a minimalistic wallet GUI for c-lightning, accessible over the web or through mobile and desktop apps (for Android, Linux, macOS and Windows). It is currently oriented for technically advanced users and is not an all-in-one package, but rather a “remote control” interface for a c-lightning node that has to be managed separately.
Sparks supports sending and receiving payments, viewing history, and managing channels.
Spark is a purely off-chain wallet, with no on-chain payments. This allows Spark to fully realize the awesome UX enabled by lightning, without worrying about the complications and friction of on-chain. This might change someday.
Spark has a responsive UI suitable for mobile, tablet and desktop devices, but is best optimized for use on mobile.
As described above, the mobile app acts as a "remote-control interface for a c-lightning node". If users run their own lightning node, they are fully in control of their funds. The app, being that remote control, could nonetheless do harm if it contained a backdoor or a serious flaw. We therefore consider it a self-custodial wallet, which requires binary transparency.
Their GitHub page serves as their website and also hosts the source code. On the main page, in the paragraph "Code signing & reproducible builds", they state:
The NPM package, Linux zip builds and the Windows installer are deterministically reproducible.

linking to a document that itself claims that the "Android apk" is also reproducible. Let's see how that goes …
$ mkdir ~/tmp
$ cd ~/tmp/
$ git clone https://github.com/shesek/spark-wallet && cd spark-wallet
$ git checkout v0.3.1
HEAD is now at 4ffb929 v0.3.1
...
Step 14/35 : RUN apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1 && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update
 ---> Running in a098df6b197f
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Hit:5 https://dl.winehq.org/wine-builds/debian bullseye InRelease
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [748 kB]
Get:7 http://security.debian.org/debian-security stretch/updates/main i386 Packages [748 kB]
Fetched 1549 kB in 1s (1847 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
E: Version '8u302-b08-1~deb9u1' for 'openjdk-8-jdk-headless' was not found
The command '/bin/sh -c apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1 && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update' returned a non-zero code: 100
Ok. That was not successful. Pinned dependencies can disappear from the package repositories, and the reproduction might succeed with a newer version of this now-unavailable package. We will wait for the provider to confirm whether the reproducible build still works after such a fix, and in the meantime consider the app not verifiable.
We could not verify that the provided code matches the binary!
As part of our Methodology, we ask: Is the published binary matching the published source code? If not, we tag it Unreproducible!
Published code doesn’t help much if it is not what the published binary was built from. That is why we try to reproduce the binary. We
- obtain the binary from the provider
- compile the published source code using the published build instructions into a binary
- compare the two binaries
- we might spend some time working around issues that are easy to work around
If this fails, we might search whether other revisions match or whether we can deduce the source of the mismatch, but we generally consider it the provider's responsibility to supply the correct source code and build instructions needed to reproduce the build, so we usually open a ticket in their code repository.
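The "compare the two binaries" step above, as an added illustration that is not WalletScrutiny's own tooling: the script below compares two zip-based artifacts (an APK or jar is a zip) member by member using the SHA-256 of each entry's uncompressed content, so a mismatch is reported per file rather than as a single "hashes differ". The archive names and contents are constructed samples, not real Spark builds; the `ignore_prefixes` parameter is an assumption of this example and exists because the provider's signing block under `META-INF/` can never be reproduced by a third party who lacks the signing key.

```python
"""Entry-by-entry comparison of two build artifacts (zip, jar or apk).

Added example, not WalletScrutiny's tooling. Members are compared by the
SHA-256 of their uncompressed content, so a difference in compression level
or zip timestamps alone does not count as a mismatch.
"""
import hashlib
import io
import zipfile


def entry_digests(archive: bytes, ignore_prefixes=()) -> dict:
    """Map every file member to the SHA-256 hex digest of its content.

    ignore_prefixes (assumed helper parameter) skips members that are expected
    to differ, e.g. ("META-INF/",) for an APK's signing block, which a verifier
    without the provider's signing key cannot reproduce.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(tuple(ignore_prefixes)):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_archives(ours: bytes, theirs: bytes, ignore_prefixes=()) -> dict:
    """Report members missing on either side and members whose content differs."""
    a = entry_digests(ours, ignore_prefixes)
    b = entry_digests(theirs, ignore_prefixes)
    common = set(a) & set(b)
    return {
        "only_in_ours": sorted(set(a) - set(b)),
        "only_in_theirs": sorted(set(b) - set(a)),
        "differing": sorted(n for n in common if a[n] != b[n]),
        "identical": sorted(n for n in common if a[n] == b[n]),
    }


def is_reproducible(ours: bytes, theirs: bytes, ignore_prefixes=()) -> bool:
    """True only when no member is missing on either side and none differs."""
    r = compare_archives(ours, theirs, ignore_prefixes)
    return not (r["only_in_ours"] or r["only_in_theirs"] or r["differing"])


def build_sample_archive(members: dict) -> bytes:
    """Constructed stand-in for a real artifact: a zip built from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample data (not real Spark builds): the "published" artifact
# carries a signing block and a classes.dex that differs from our rebuild.
OUR_BUILD = build_sample_archive({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00built-from-source",
    "res/values/strings.xml": b"<resources/>",
})
PUBLISHED_BUILD = build_sample_archive({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00shipped-binary",
    "res/values/strings.xml": b"<resources/>",
    "META-INF/CERT.RSA": b"provider-signature-placeholder",
})

if __name__ == "__main__":
    report = compare_archives(OUR_BUILD, PUBLISHED_BUILD, ignore_prefixes=("META-INF/",))
    for key, names in report.items():
        print(f"{key}: {names}")
    print("reproducible:", is_reproducible(OUR_BUILD, PUBLISHED_BUILD, ("META-INF/",)))
```

On the constructed sample the report names `classes.dex` as the differing member while the manifest and resources match; with the signing block ignored nothing is missing on either side, yet the build is still not reproducible. On a real artifact a differing `classes.dex` is exactly the case that matters, since that is the compiled code, whereas a difference confined to `META-INF/` is expected and should be listed rather than hidden so the reader can see what was excluded.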
In any case, the result is a discrepancy between the binary we can build and the binary offered for download, and any such discrepancy might leak your backup to the server, on purpose or by accident.
As we cannot verify that the provided source is the source the binary was compiled from, this category is only slightly better than closed source, but for now we hope projects will come around and fix their verifiability issues.