Wallet Logo

Cheetah Mobile SafeWallet Pro

🔍 Last analysed 29th April 2022 . Bad Interface Not functioning anymore
31st January 2018

Jump to verdict 

Help spread awareness for build reproducibility

Please help us spread the word discussing build reproducibility with Cheetah Mobile SafeWallet Pro  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

⚠️ Note: Cheetah Mobile Inc. was reportedly involved in corporate irregularities and other allegations. The company has two domains associated with SafeWallet, cmcm.com and cmcmbc.com. The latter of which, is no longer available. It is Cheetah Mobile Blockchain Research Lab’s website.

Product Description

Information from FCCid.io’s copy of the Cheetah Mobile SafeWallet Pro User Manual

  • This hardware is for storage cryptocurrency private keys. It can work with SafeWallet APP.
  • SafeStore will storage your private keys, Each hardware storage a part.
  • SafeWallet APP have to use any hardware’s key to send transactions. If you lose your phone or any part of the hardware, you will never lose your private key.
  • Small hardware, main hardware and your Phone, lose any of them, you can recover your private key by the other two things.


The SafeWallet Pro has a companion app which is no longer available on Google Play.

Analysis

We were not able to find an online shop where we can buy the SafeWallet Pro. With the primary website and Play Store app for the wallet no longer online, the only traces for the device’s existence are in the Youtube instructional material, press releases, as well as the user manuals.

Since the Google Play app is also no longer available, and operation of the device can only proceed with the app, it is possible that either the device only had limited production or only working prototypes were released. Suffice to say, no further mention of the device was made after 2018.

From the instructional video, we also glean that the device does not have a display wherein users could verify and authorize transactions. Verification of transactions is done by clicking a button on the side of the device while it is paired with the mobile app.

In conclusion, we determine that the Cheetah Mobile SafeWallet Pro is heavily reliant on the mobile phone app and thus prone to threats on the other system.

(dg)

Verdict Explained

The design of the device does not allow to verify what is being signed!

As part of our Methodology, we ask:

Can the user verify and approve transactions on the device? If not, we tag it Bad Interface!

These are devices that might generate secure private key material, outside the reach of the provider but that do not have the means to let the user verify transactions on the device itself. This verdict includes screen-less smart cards or USB-dongles.

The wallet lacks either an output device such as a screen, an input device such as touch or physical buttons or both. In consequence, crucial elements of approving transactions is being delegated to other hardware such as a general purpose PC or phone which defeats the purpose of a hardware wallet.

Another consquence of a missing screen is that the user is faced with the dilemma of either not making a backup or having to pass the backup through an insecure device for display or storage.

The software of the device might be perfect but this device cannot be recommended due to this fundamental flaw.

But we also ask:

Is the product still supported by the still existing provider? If not, we tag it Defunct!

Discontinued products or worse, products of providers that are not active anymore, are problematic, especially if they were not formerly reproducible and well audited to be self-custodial following open standards. If the provider hasn’t answered inquiries for a year but their server is still running or similar circumstances might get this verdict, too.