Reproducible
Bitcoin Wallet (Schildbach)
Mycelium Bitcoin Wallet
Phoenix | The Bitcoin wallet from the future
AirGap Vault - Tezos, Cosmos, Ethereum, Bitcoin
Unstoppable - Invest In Crypto
ABCore
Not Reproducible
Blockchain Wallet: Buy and Sell Bitcoin & Crypto
BRD Bitcoin Wallet. Buy BTC Bitcoin Cash, Ethereum
BitPay - Buy Crypto
Electrum Bitcoin Wallet
Edge - Bitcoin, Ethereum, Monero, Ripple Wallet
Bitcoin Wallet - Airbitz
Green: Bitcoin Wallet
Coin Bitcoin Wallet
Haven - Private Shopping
Samourai Wallet
Trustee Wallet - best bitcoin and crypto wallet
Bitcoin Wallet Blockchain
Eclair Mobile
BLW: Bitcoin and Lightning Wallet
Lunes Wallet - Lunes, Bitcoin, Litecoin, Buy BTC
Bitcoin Paper Wallet
HODL Wallet : Bitcoin Wallet
Zap: Bitcoin Lightning Wallet
Muun - Bitcoin and Lightning Wallet
Melis Bitcoin, Bitcoin Cash, Litecoin Wallet
Bitcoin Wallet for COINiD
COINiD Vault
Lightning: Fast Bitcoin Wallet
Breez: Lightning Network Client & Point-of-Sale
No source!
Trust Crypto Wallet: Bitcoin Ethereum Tron XRP PAX
Coinomi Wallet :: Bitcoin Ethereum Altcoins Tokens
Bitcoin Wallet by Bitcoin.com
Coinbase Wallet — Crypto Wallet & DApp Browser
Enjin: Bitcoin, Ethereum, Blockchain Crypto Wallet
Exodus: Crypto Bitcoin Wallet
Bitcoin Wallet & Ethereum Ripple Tron EOS
Bitcoin Wallet Totalcoin - Buy and Sell Bitcoin
Cobo Wallet: Bitcoin, Ethereum, Dash, XRP, XLM
Jaxx Liberty: Blockchain Wallet
Infinito Wallet - Crypto Wallet & DApp Browser
Lumi Bitcoin and Crypto Wallet
Eidoo: Bitcoin and Ethereum Wallet and Exchange
Sylo - Smart Wallet & Messenger
Guarda Crypto Wallet: Bitcoin, Ethereum, Litecoin
DoWallet: Bitcoin Wallet. A Secure Crypto Wallet.
Monarch Wallet
Bitpie Wallet - Bitcoin USDT ETH EOS BCH TRON LTC
Crypto.com l DeFi Wallet
Paytomat Wallet: Bitcoin, Ethereum, EOS, tokens
ZenGo Crypto & Bitcoin Wallet: Buy, Earn & Trade
ZelCore - Multi Asset Crypto Wallet
PumaPay Blockchain Wallet 4 Bitcoin & Crypto Coins
Magnum Wallet – Bitcoin, Ethereum, Crypto Exchange
Evercoin: Bitcoin, Ripple, ETH
ViaWallet - Multi-chain Wallet
PolisPay - Cryptocurrency wallet
AnkerPay: Blockchain Crypto Wallet – BTC, ETH, LTC
iWallet - blockchain wallet for Bitcoin, Ethereum
Flare Wallet
Chameleon Pay
Vidulum - Multi-Asset Cryptocurrency Wallet
Ownbit - Blockchain Wallet
Casa App - Secure your Bitcoin
Shango Lightning Wallet
Pungo App
Custodial!
Cash App
Coinbase – Buy & Sell Bitcoin. Crypto Wallet
Coins.ph Wallet
Binance: Bitcoin Marketplace & Crypto Wallet
eToro
Zebpay Bitcoin and Cryptocurrency Exchange
Xapo
Luno: Buy Bitcoin, Ethereum and Cryptocurrency
Crypto.com - Buy Bitcoin Now
Unocoin Wallet
Uphold: buy and sell Bitcoin
Huobi Global
Paxful Bitcoin Wallet
Bitcoin Wallet - Buy BTC
Abra Bitcoin Crypto Wallet Buy Trade Earn Interest
Ripio Bitcoin Wallet: the new digital economy
Bitcoin Wallet. Buy & Exchange BTC coin-Freewallet
Bitcoin Wallet by SpectroCoin
Gemini: Buy Bitcoin Instantly
OKEx - Bitcoin/Crypto Trading Platform
Remitano - Buy & Sell Bitcoin Fast & Securely
Bitcoin and Crypto Blockchain Wallet by Freewallet
Bitstamp – Buy & Sell Bitcoin at Crypto Exchange
Cryptonator cryptocurrency wallet
Kraken Pro: Advanced Bitcoin & Crypto Trading
Poloniex Crypto Exchange
Bcoiner - Free Bitcoin Wallet
CoinPayments - Crypto Wallet for Bitcoin/Altcoins
Coinbase Pro – Bitcoin & Crypto Trading
TenX - Buy Bitcoin & Crypto Card
YouHodler - Crypto and Bitcoin Wallet
Change: Crypto Wallet to Buy Sell & Trade Bitcoin
COBINHOOD - Zero Fees Bitcoin Exchange & Wallet
BitMart - Cryptocurrency Exchange
HitBTC – Cryptocurrency Exchange & Trading BTC App
Shakepay: Buy Bitcoin in Canada
SWFT Blockchain
Crypto Exchange Currency.com
CoinEx
Busha: Buy & Sell Bitcoin, Ethereum. Crypto Wallet
BlueWallet Bitcoin Wallet
BuyCoins - Buy & Sell Bitcoin, Ethereum, Litecoin
Coinsquare
Conio Bitcoin Wallet
Bitrefill - Use Bitcoin to buy Gift Cards & Topups
Buda.com - Bitcoin wallet. Compra, vende, almacena
ILC / BTC Wallet
Wallet of Satoshi
PayWay Wallet
Bit2Me - Buy and Sell Cryptocurrencies
Mercury Cash
Bithumb Singapore - Global Cryptocurrency Exchange
Kraken Futures: Bitcoin & Crypto Futures Trading
BitWallet - Buy & Sell Bitcoin
STASIS Stablecoin Wallet
BuyUcoin - Popular Indian Crypto Currency Exchange
XZEN — Bitcoin Wallet and Exchange
Bitcoin Wallet BitBucks
Altcoin Bitcoin Trade
EBC Wallet
(more apps)

Haven - Private Shopping

Published:

Wallet Logo

This Android app currently has more than 100000 downloads, a 3.8 stars rating from 371 users and the latest release is version 1.3.7.

Our last analysis was done on 27th August 2020 based on data found in their Google Play description and their website and their source repository. Our verdict was Not reproducible from the source provided (details below).

We found these ways of contacting the developers:

Older reviews (show 0 of 1 reproducible)

Help spread awareness for build reproducibility

Please help us spread the word, asking Haven - Private Shopping to support reproducible builds via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

The Analysis

Update: @StevieZollo sent a tweet:

@WalletScrutiny @LeoWandersleb it looks like you reviewed @HavenPrivacy the day before it went open source. You can find its source code here: https://github.com/OpenBazaar/haven

so we can check its source code after all. Let’s see how that goes:

Just in case, we reviewed their website again if this is the official repo but there is no link to it, so that doesn’t leave us with much hope. Also: Unless the provider endorses this repository, you should not assume it is anything official or trustworthy! Anyway …

/tmp$ git clone https://github.com/OpenBazaar/haven
Cloning into 'haven'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 766 (delta 2), reused 5 (delta 0), pack-reused 754
Receiving objects: 100% (766/766), 15.25 MiB | 9.58 MiB/s, done.
Resolving deltas: 100% (46/46), done.
/tmp$ cd haven/
/tmp/haven(master)$ git tag
/tmp/haven(master)$ git branch 
* master
/tmp/haven(master)$ git log --oneline
ef354df (HEAD -> master, origin/master, origin/HEAD) Merge pull request #1 from OpenBazaar/add-license-1
de4cced (origin/add-license-1) Create LICENSE
2a5fe76 Update readme
f486f33 feat: havenBuildConfigFiles setup
a0a8bc8 Initial commit

So there is essentially only one revision as far as the Android app goes. Changes to license or readme should not affect the app on Android itself. The missing tag will be a problem later on though.

root@4be0f50e58d3:/mnt# apt install nodejs npm -y
root@4be0f50e58d3:/mnt# npm install -g npm yarn
root@4be0f50e58d3:/mnt# yarn
root@4be0f50e58d3:/mnt# apt install curl
root@4be0f50e58d3:/mnt# yarn
root@4be0f50e58d3:/mnt# find . | grep '\.env'

At this point, the build instructions read

Copy .env file to the root directory

but according to find . | grep '\.env' there is no .env file anywhere. The instruction:

The env file should look like this:

BRANCH_KEY=
COUNTLY_ROOT_URL=
COUNTLY_APP_KEY=
STREAM_API_KEY=
STREAM_APP_ID=
HMAC_SECRET=

looks like the provider is not sharing all details necessary to build this app but let’s see what happens …

It doesn’t get better. Next we are supposed to

Copy those files into havenBuildConfigFiles folder:

AppCenter-Config.plist
GoogleService-Info.plist
appcenter-config.json
google-services.json

and again those are not files provided by the company.

So to little surprise, compiling doesn’t go all too well:

root@4be0f50e58d3:/mnt/android# cd android/
root@4be0f50e58d3:/mnt/android# ./gradlew clean assembleRelease
...
FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:processReleaseGoogleServices'.
> File google-services.json is missing. The Google Services Plugin cannot function without it. 
   Searched Location: 
  /mnt/android/app/src/nullnull/release/google-services.json
  /mnt/android/app/src/release/nullnull/google-services.json
  /mnt/android/app/src/nullnull/google-services.json
  /mnt/android/app/src/release/google-services.json
  /mnt/android/app/src/nullnullRelease/google-services.json
  /mnt/android/app/google-services.json

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/6.5/userguide/command_line_interface.html#sec:command_line_warnings

BUILD FAILED in 4m 14s
330 actionable tasks: 299 executed, 31 up-to-date

At this point we give up and give the verdict not verifiable.

Verdict Explained

Not reproducible from the source provided The app provider also shares code but we could so far not verify that the published code matches the published app!

This verdict means that the provider did share some source code but that we could not verify that this source code matches the released app. This might be due to the source being released later than the app or due to the provided instructions on how to compile the app not being sufficient or due to the provider excluding parts from the public source code. In any case, the result is a discrepancy between the app we can create and the app we can find on GooglePlay and any discrepancy might leak your backup to the server on purpose or by accident.

As we cannot verify that the source provided is the source the app was compiled from, this category is only slightly better than closed source but for now we have hope projects come around and fix verifiability issues.

The app cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The app might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.