Online Wallet
Latest release: 1.1.3 (22nd April 2021)
Last analysed: 22nd November 2021
Custodial: The provider holds the keys
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis
The wallet has no listed website on its Google Play page. But its developer is searchable: XCritical Soft. Ltd. The app’s Terms and Conditions list xcritical.com as its page.
The app claims to support Bitcoin and can send and receive. There was no mention of private keys or seed phrases.
Termination Clause in User Agreement
The user agreement can be accessed via the app.
Section 4.5 Termination. We may close, terminate, enable or disable any or all of the Services, your User Account or your access to the Services at any time and for any reason. Depending on the Services available to you in your User Account, we may require you to take certain actions in order to complete a pending transaction or provide additional information prior to closing such User Account. You are solely responsible for any fees already incurred.
The wallet is further described in Section 5.
Section 5.1.1 The Wallet is provided to you exclusively by Online Wallet. At no point will Online Wallet ever take custody of Virtual Currency stored in a Wallet. The Wallet is only capable of supporting certain Virtual Currencies. Under no circumstances should you attempt to store Virtual Currencies in your Wallet that the Wallet does not support.
Section 5.1.2 When you create a Wallet, the Wallet software generates a cryptographic private and public key pair that you may use to send and receive any supported Virtual Currency via the relevant Virtual Currency network. YOU MUST STORE OUTSIDE OF THE SERVICES, A BACKUP OF ALL WALLET CREDENTIALS, INCLUDING YOUR PASSPHRASES, IDENTIFIERS, BACKUP PHRASES, PRIVATE KEYS AND NETWORK ADDRESSES. If you do not maintain a backup of your Wallet data outside of the Services, you will not be able to access Virtual Currency previously accessed using your Wallet in the event that we discontinue or no longer offer some or all of the Services or may otherwise lose access to Virtual Currency. We are not responsible for maintaining this data on your behalf.
We downloaded the app and found Bitcoin support with send and receive functions. We tried looking for any options that allow for the backing up of the wallet via seed phrases but could not find any.
We emailed Online Wallet (posted screenshot on Twitter) to ask them how to back up the wallet.
With no clear website to get more information from, we are left with the resources at hand. The app makes no effort to make backing up the wallet easier, yet its Terms and Conditions state that it’s the user’s responsibility to back up the private keys. At the same time, Section 4.5 gives the service the power to “close, terminate, enable or disable any or all of the Services”. If the service is disabled, how can you access the wallet without the private key? We’re giving this service a custodial verdict, making the app non-verifiable, until such time that their support clarifies this with us.
As the provider of this product holds the keys, verifiability of the product is not relevant to the security of the funds!
As part of our Methodology, we ask: Is the product self-custodial? If not, we tag it Custodial!
A custodial service is a service where the funds are held by a third party like the provider. The custodial service can at any point steal all the funds of all the users at their discretion. Our investigations stop there.
Some services might claim their setup is super secure, that they don’t actually have access to the funds, or that the access is shared between multiple parties. For our evaluation of it being a wallet, these details are irrelevant. They might be a trustworthy Bitcoin bank and they might be a better fit for certain users than being your own bank but our investigation still stops there as we are only interested in wallets.
Products that claim to be non-custodial but feature custodial accounts without very clearly marking those as custodial are also considered “custodial” as a whole to avoid misguiding users that follow our assessment.
This verdict means that the provider might or might not publish source code, and it may even be possible to reproduce the build from the source code. But as the product is custodial, the provider already has control over the funds, so it is not a wallet where you would be in exclusive control of your funds.
We have to acknowledge that a huge majority of Bitcoiners are currently using custodial Bitcoin banks. If you do, please:
- Do your own research on whether the provider is trustworthy!
- Check if you know at least enough about them so you can sue them when you have to!
- Check if the provider is under a jurisdiction that will allow them to release your funds when you need them.
- Check if the provider is taking security measures proportional to the amount of funds secured. If they have a million users and don’t use cold storage, that hot wallet is a million times more valuable for hackers to attack. A million times more effort will be taken by hackers to infiltrate their security systems.