FINNEY. Last analysed 4 December 2021. No source for current release found.
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis
This app comes from the same providers as
From the product page:
State-of-the-art ultra secured Blockchain smartphone.
The FINNEY™ is powered by SIRIN OS™ which includes an outstanding Security Suite Layer, Embedded Cold Storage Wallet, Token Conversion Center and the best of DApp nation featured on Sirin’s dCENTER.
On the support page, there is information about the mnemonic.
The recovery seed contains a sequence of 24 words - uniquely and securely generated inside your wallet when you first set it up.
A third-party article goes into detail about Finney’s “Embedded Cold Storage Wallet:”
The standout feature of the Finney phone is its Safe Screen, which is a 2-inch PMOLED touch screen that slides up from the back of the phone. When the Safe Screen is hidden, the cryptocurrency wallet is disconnected from the internet and remains fully offline. Sliding the screen up activates the cryptocurrency wallet.
When the Safe Screen is up and the wallet is active it’s possible to send, receive, and convert cryptocurrencies in the wallet. There is support for Bitcoin, Ethereum, and Sirin Labs’ own SRN token. Plans are in the works to add support for additional cryptocurrencies in the future.
FINNEY’s whitepaper was deleted from Sirin Labs website, although we were able to find a presumed copy.
The whitepaper also has information on the “Safe Screen.”
FINNEY Wallet comprises an app that you use on your device’s main screen and a hardware Safe Screen that slides up at the top of your device.
- Send cryptocurrency
- Receive cryptocurrency
- Convert cryptocurrency
- View your cryptocurrency balance
- See your cryptocurrency transaction history
- Sign and approve blockchain messages with a private key
Private keys can be created offline - ❓
The user guide can be downloaded here. Initialization starts by sliding up the "Safe Screen". The FINNEY Wallet app is then installed together with the firmware. A wallet is then generated with a 24-word seed phrase. The seed phrase is displayed on the Safe Screen, and the user is asked to verify it.
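To make concrete what "uniquely and securely generated inside your wallet" and the verification step mean, here is an added example. It is not code from Sirin Labs or the FINNEY firmware (which is not public); it assumes the 24-word phrase follows the BIP39 layout (256 bits of locally generated entropy plus an 8-bit SHA-256 checksum, split into 24 eleven-bit word indices), which the page does not state. The 2048-word list is not embedded, so the code works on word indices rather than words; the functions `entropy_to_indices`, `indices_to_entropy`, `phrase_is_valid` and `generate_offline` are ours.

```python
import hashlib
import secrets

# Assumed BIP39 parameters for a 24-word phrase: 256 bits of entropy plus an
# 8-bit checksum (ENT/32), split into 24 groups of 11 bits (24 * 11 = 264).
ENTROPY_BITS = 256
CHECKSUM_BITS = ENTROPY_BITS // 32
WORD_BITS = 11
WORD_COUNT = (ENTROPY_BITS + CHECKSUM_BITS) // WORD_BITS


def bip39_checksum(entropy: bytes) -> int:
    """First CHECKSUM_BITS bits of SHA-256(entropy), as an integer."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Map 32 bytes of entropy to 24 word indices in the range 0..2047.

    Each index selects one word from the 2048-word BIP39 list; the list is
    not embedded here (hypothetical helper), so the output is indices only.
    """
    if len(entropy) * 8 != ENTROPY_BITS:
        raise ValueError("expected exactly 32 bytes of entropy")
    bits = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | bip39_checksum(entropy)
    total = ENTROPY_BITS + CHECKSUM_BITS
    return [(bits >> (total - WORD_BITS * (i + 1))) & (2**WORD_BITS - 1)
            for i in range(WORD_COUNT)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Rebuild the entropy from 24 indices and verify the embedded checksum.

    This is the check a wallet performs when a user re-enters a phrase: a
    mistyped or swapped word changes the bits, and the checksum no longer
    matches (an 8-bit checksum catches about 255 out of 256 such errors).
    """
    if len(indices) != WORD_COUNT:
        raise ValueError(f"expected {WORD_COUNT} word indices")
    if any(not 0 <= i < 2**WORD_BITS for i in indices):
        raise ValueError("word index out of range")
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    checksum = bits & (2**CHECKSUM_BITS - 1)
    entropy = (bits >> CHECKSUM_BITS).to_bytes(ENTROPY_BITS // 8, "big")
    if checksum != bip39_checksum(entropy):
        raise ValueError("checksum mismatch: the phrase was not entered correctly")
    return entropy


def phrase_is_valid(indices: list[int]) -> bool:
    """True if the 24 indices carry a consistent checksum."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def generate_offline() -> tuple[bytes, list[int]]:
    """Generate fresh entropy from the OS CSPRNG (no network involved) and encode it."""
    entropy = secrets.token_bytes(ENTROPY_BITS // 8)
    return entropy, entropy_to_indices(entropy)


if __name__ == "__main__":
    # Published BIP39 test vector: 32 zero bytes encode to 23 x "abandon"
    # (index 0) followed by "art" (index 102).
    print(entropy_to_indices(bytes(32)))
    ent, idx = generate_offline()
    print(indices_to_entropy(idx) == ent)
```

Nothing in the generation or verification path touches the network, which is the property a cold-storage wallet is supposed to have; what the page cannot establish for FINNEY is whether the device's firmware actually behaves this way, because that firmware cannot be inspected.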
The user guide then mentions syncing the FINNEY wallet app.
If the process is completed successfully, you are prompted to reenter your password. After successfully entering your password and if you are connected to a network, FINNEY syncs your wallet. (Page 16 of FINNEY user guide)
We assume that the syncing happens between the embedded cold-storage device and the phone it is attached to. However, since a network connection is required in order to sync, the question remains what else happens during syncing.
Private keys are not shared - ❓
It seems that the FINNEY’s primary security feature is centered on the safe screen. As mentioned:
Unique Physical Security Switch - turns the wallet power and communication on/off by sliding the safe screen (Page 36 of FINNEY user guide)
This reliance on the Safe Screen is evident on the warnings noted on Page 13.
Both for security and to protect the Safe Screen, you should only open the Safe Screen when needed or when prompted by the wallet app.
If the Safe Screen has been open for more than 5 minutes with no activity, the power to the Safe Screen turns off. To reactivate the Safe Screen, you will need to slide it down and then up again to power on.
Whenever you need to enter your password in the Safe Screen, you’ll have up to 10 attempts to enter the password successfully. After a 10th unsuccessful attempt, your wallet will be wiped and you will need to either recover or reconfigure the wallet.
While a power-off after 5 minutes of inactivity might protect a user who left the wallet unlocked, it probably won't help if savvy thieves were waiting for their opportunity to get their hands on the device.
Device displays receive address for confirmation
The official YouTube channel features a video in which the wallet sends a transaction. The Safe Screen's display allows users to view the receiving address for confirmation.
Although Sirin Labs has a GitHub account, "sirin-labs", there does not appear to be any repository for the firmware of the embedded cold-storage wallet attached to the phone.
On the Amazon Store, we found the following review:
★☆☆☆☆ September 18, 2021
Do not buy this phone.
The custom Sirin OS hasn’t been updated in 2 years and is still running off of an old android branch.
The wallet (the big selling feature!) can not receive transfers, and appears to be completely offline.
The dCenter app is also offline, so you only have access to the play store.
Everything they are selling this phone on is no longer supported, and that is not shared anywhere in any of the information about this phone.
Without public source of the reviewed release available, this product cannot be verified!
As part of our Methodology, we ask: Is the source code publicly available? If not, we tag it No Source!
A wallet that claims to not give the provider the means to steal the users’ funds might actually be lying. In the spirit of “Don’t trust - verify!” you don’t want to take the provider at his word, but trust that people hunting for fame and bug bounties could actually find flaws and back-doors in the wallet so the provider doesn’t dare to put these in.
Back-doors and flaws are frequently found in closed source products but some remain hidden for years. And even in open source security software there might be catastrophic flaws undiscovered for years.
An evil wallet provider would certainly prefer not to publish the code, as hiding it makes audits orders of magnitude harder.
For your security, you thus want the code to be available for review.
If the wallet provider doesn’t share up to date code, our analysis stops there as the wallet could steal your funds at any time, and there is no protection except the provider’s word.
“Up to date” strictly means that any instance of the product being updated without the source code being updated counts as closed source. This puts the burden on the provider to always first release the source code before releasing the product’s update. This paragraph is a clarification to our rules following a little poll.
We are not concerned about the license as long as it allows us to perform our analysis. For a security audit, it is not necessary that the provider allows others to use their code for a competing wallet. You should still prefer actual open source licenses as a competing wallet won’t use the code without giving it careful scrutiny.