Haven - Private ShoppingLatest release: 1.3.7 ( 27th September 2020 ) 🔍 Last analysed 23rd January 2021 . Not reproducible from source provided Not functioning anymore
Older reviews (show 0 of 1 reproducible)
Help spread awareness for build reproducibility
Please help us spread the word, asking Haven - Private Shopping to support reproducible builds via their Twitter!
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis ¶
@WalletScrutiny @LeoWandersleb it looks like you reviewed @HavenPrivacy the day before it went open source. You can find its source code here: https://github.com/OpenBazaar/haven
so we can check its source code after all. Let’s see how that goes:
Just in case, we reviewed their website again if this is the official repo but there is no link to it, so that doesn’t leave us with much hope. Also: Unless the provider endorses this repository, you should not assume it is anything official or trustworthy! Anyway …
/tmp$ git clone https://github.com/OpenBazaar/haven Cloning into 'haven'... remote: Enumerating objects: 12, done. remote: Counting objects: 100% (12/12), done. remote: Compressing objects: 100% (11/11), done. remote: Total 766 (delta 2), reused 5 (delta 0), pack-reused 754 Receiving objects: 100% (766/766), 15.25 MiB | 9.58 MiB/s, done. Resolving deltas: 100% (46/46), done. /tmp$ cd haven/ /tmp/haven(master)$ git tag /tmp/haven(master)$ git branch * master /tmp/haven(master)$ git log --oneline ef354df (HEAD -> master, origin/master, origin/HEAD) Merge pull request #1 from OpenBazaar/add-license-1 de4cced (origin/add-license-1) Create LICENSE 2a5fe76 Update readme f486f33 feat: havenBuildConfigFiles setup a0a8bc8 Initial commit
So there is essentially only one revision as far as the Android app goes. Changes to license or readme should not affect the app on Android itself. The missing tag will be a problem later on though.
root@4be0f50e58d3:/mnt# apt install nodejs npm -y root@4be0f50e58d3:/mnt# npm install -g npm yarn root@4be0f50e58d3:/mnt# yarn root@4be0f50e58d3:/mnt# apt install curl root@4be0f50e58d3:/mnt# yarn root@4be0f50e58d3:/mnt# find . | grep '\.env'
At this point, the build instructions read
.envfile to the root directory
but according to
find . | grep '\.env' there is no
.env file anywhere. The
The env file should look like this:
BRANCH_KEY= COUNTLY_ROOT_URL= COUNTLY_APP_KEY= STREAM_API_KEY= STREAM_APP_ID= HMAC_SECRET=
looks like the provider is not sharing all details necessary to build this app but let’s see what happens …
It doesn’t get better. Next we are supposed to
Copy those files into
AppCenter-Config.plist GoogleService-Info.plist appcenter-config.json google-services.json
and again those are not files provided by the company.
So to little surprise, compiling doesn’t go all too well:
root@4be0f50e58d3:/mnt/android# cd android/ root@4be0f50e58d3:/mnt/android# ./gradlew clean assembleRelease ... FAILURE: Build failed with an exception. * What went wrong: Execution failed for task ':app:processReleaseGoogleServices'. > File google-services.json is missing. The Google Services Plugin cannot function without it. Searched Location: /mnt/android/app/src/nullnull/release/google-services.json /mnt/android/app/src/release/nullnull/google-services.json /mnt/android/app/src/nullnull/google-services.json /mnt/android/app/src/release/google-services.json /mnt/android/app/src/nullnullRelease/google-services.json /mnt/android/app/google-services.json * Try: Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights. * Get more help at https://help.gradle.org Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0. Use '--warning-mode all' to show the individual deprecation warnings. See https://docs.gradle.org/6.5/userguide/command_line_interface.html#sec:command_line_warnings BUILD FAILED in 4m 14s 330 actionable tasks: 299 executed, 31 up-to-date
At this point we give up and give the verdict not verifiable.
We could not verify that the provided code matches the binary!
As part of our Methodology, we ask:Is the published binary matching the published source code? If not, we tag it Unreproducible!
Published code doesn’t help much if it is not what the published binary was built from. That is why we try to reproduce the binary. We
- obtain the binary from the provider
- compile the published source code using the published build instructions into a binary
- compare the two binaries
- we might spend some time working around issues that are easy to work around
If this fails, we might search if other revisions match or if we can deduct the source of the mismatch but generally consider it on the provider to provide the correct source code and build instructions to reproduce the build, so we usually open a ticket in their code repository.
In any case, the result is a discrepancy between the binary we can create and the binary we can find for download and any discrepancy might leak your backup to the server on purpose or by accident.
As we cannot verify that the source provided is the source the binary was compiled from, this category is only slightly better than closed source but for now we have hope projects come around and fix verifiability issues.
But we also ask:Is the product still supported by the still existing provider? If not, we tag it Defunct!
Discontinued products or worse, products of providers that are not active anymore, are problematic, especially if they were not formerly reproducible and well audited to be self-custodial following open standards. If the provider hasn’t answered inquiries for a year but their server is still running or similar circumstances might get this verdict, too.
Share onTwitter Facebook LinkedIn
Or embed a widget in your website
<iframe src="https://walletscrutiny.com/widget/#appId=android/io.ob1.nativeandroid&theme=auto&style=short" name="_ts" style="min-width:180px;border:0;border-radius:10px;max-width:280px;min-height:30px;"> </iframe>
<iframe src="https://walletscrutiny.com/widget/#appId=android/io.ob1.nativeandroid&theme=auto&style=long" style="max-width:100%;width:342px;border:0;border-radius:10px;min-height:290px;"> </iframe>