Wallet Logo

Spark Lightning Wallet

Latest release: 0.3.1 ( 8th November 2021 ) 🔍 Last analysed 2nd December 2021 . Not reproducible from source provided
1 thousand
10th December 2018

Jump to verdict 

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

⚠️ The provider himself warns:
Spark is beta-quality software under active development, please use with care.

App Description

From its GitHub page:

Spark is a minimalistic wallet GUI for c-lightning, accessible over the web or through mobile and desktop apps (for Android, Linux, macOS and Windows). It is currently oriented for technically advanced users and is not an all-in-one package, but rather a “remote control” interface for a c-lightning node that has to be managed separately.

Sparks supports sending and receiving payments, viewing history, and managing channels.

Spark is a purely off-chain wallet, with no on-chain payments. This allows Spark to fully realize the awesome UX enabled by lightning, without worrying about the complications and friction of on-chain. This might change someday.

Spark has a responsive UI suitable for mobile, tablet and desktop devices, but is best optimized for use on mobile.

The App

As described above, the mobile app acts like a “remote-control interface for a c-lightning node”. If a user is running his own lightning node, then the user is fully in control of his funds. This app, as its remote control also could to bad things if with a backdoor or a serious flaw. Therefore we consider it as a self-custodial wallet, requiring binary transparency.

Reproducibility

GitHub is their website and there is also their source code. On the main page in the paragraph Code signing & reproducible builds they state:

The NPM package, Linux AppImage/snap/tar.gz builds, macOS zip builds and the Windows installer are deterministically reproducible.

linking to a document that itself claims that also the “Android apk” was also reproducible. Let’s see how that goes …

$ mkdir ~/tmp
$ cd ~/tmp/
$ git clone https://github.com/shesek/spark-wallet && cd spark-wallet
$ git checkout v0.3.1 
HEAD is now at 4ffb929 v0.3.1
...
Step 14/35 : RUN apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update   && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1   && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update
 ---> Running in a098df6b197f
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Hit:5 https://dl.winehq.org/wine-builds/debian bullseye InRelease
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [748 kB]
Get:7 http://security.debian.org/debian-security stretch/updates/main i386 Packages [748 kB]
Fetched 1549 kB in 1s (1847 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
E: Version '8u302-b08-1~deb9u1' for 'openjdk-8-jdk-headless' was not found
The command '/bin/sh -c apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update   && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1   && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update' returned a non-zero code: 100

Ok. That was not successful. Dependencies can go away and reproduction might succeed with a newer version of this now unavailable dependency. We will wait for the provider to figure out if the reproducible build still works after a short fix and consider the app in the meantime as not verifiable.

(lw, dg)

Verdict Explained

We could not verify that the provided code matches the binary!

As part of our Methodology, we ask:

Is the published binary matching the published source code? If not, we tag it Unreproducible!

Published code doesn’t help much if it is not what the published binary was built from. That is why we try to reproduce the binary. We

  1. obtain the binary from the provider
  2. compile the published source code using the published build instructions into a binary
  3. compare the two binaries
  4. we might spend some time working around issues that are easy to work around

If this fails, we might search if other revisions match or if we can deduct the source of the mismatch but generally consider it on the provider to provide the correct source code and build instructions to reproduce the build, so we usually open a ticket in their code repository.

In any case, the result is a discrepancy between the binary we can create and the binary we can find for download and any discrepancy might leak your backup to the server on purpose or by accident.

As we cannot verify that the source provided is the source the binary was compiled from, this category is only slightly better than closed source but for now we have hope projects come around and fix verifiability issues.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.