Wallet Logo

Hexa Bitcoin App

Latest release: 2.0.75 ( 31st May 2022 ) 🔍 Last analysed 18th October 2021 . Failed to build from source provided!
5 ★★★★★
30 ratings
1 thousand
30th September 2021

Jump to verdict 

Help spread awareness for build reproducibility

Please help us spread the word discussing build reproducibility with Hexa Bitcoin App  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

Updated Verdict 2021-12-21

While the app developers claim that it is self-custodial, this app has failed to build from source. This was addressed in issue 2544.

I checked our build config the dev flavour of our app can be built in debug mode. The build script to create a release apk of our production version is not in the project.

I will add this to the project and add instructions on how to build it. I can’t specify a ETA for this right now but it will be done soon.

On a side note, I did 2 builds one after the other on AppCentre to see if they are the same. using Android APK analyser I could still see some differences; very tiny differences in a couple of auto generated files. I am keen to understand if you will be using APK analyser to verify builds or will it be a straight diff comparison of binaries, or something else.

This correspondence has been made in January 23, 2021. Since then, there has been no update.

App Description

The app’s Google play description claims that the app is non-custodial. It has partnered with Swan Bitcoin which is a custodial service that allows users to “DCA” (Dollar Cost Average) into bitcoin. The Swan service is built-in the Hexa app. Unlike most self-custodial wallets, Hexa splits the seed into recovery keys which are then spread out over multiple devices. We posted a screenshot of this on twitter.

The Site

The first level of security is the cloud backup. As Hexawallet aptly points out in their FAQ,

A normal Bitcoin Wallet relies on you remembering a set of words (often called a “mnemonic”) or a secret number (your “private key”) and losing these renders your account unusable. Hexa aims to simplify this by allowing you to recover access to your funds by splitting your seed into multiple parts (called “Recovery Keys”) shared between you and your Keepers (trusted people whom you can rely on in the event of emergency, like your mother)

Seeds are split into Recovery Keys:

Recovery Keys are encrypted parts of your seed that are split and shared with your Keepers. Hexa creates 5 Recovery Keys, and having access to any 3 enables you to recover your wallet. These Keys are encrypted, so no one can read them without you requesting for them in the event of an emergency.

(dg)

Verdict Explained

We encountered a build error while compiling from source code!

As part of our Methodology, we ask:

Can the product be built from the source provided? If not, we tag it Build Error!

Published code doesn’t help much if the app fails to compile.

We try to compile the published source code using the published build instructions into a binary. If that fails, we might try to work around issues but if we consistently fail to build the app, we give it this verdict and open an issue in the issue tracker of the provider to hopefully verify their app later.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.