Wallet Logo


Latest release: 2.0.1 ( 1st July 2021 ) 🔍 Last analysed 10th January 2022 . Failed to build from source provided!
5 ★★★★★
5 ratings
8th July 2020

Jump to verdict 

Help spread awareness for build reproducibility

Please help us spread the word discussing build reproducibility with RWallet  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

(Analysis from Android review)

App Description

As described in this issue, this app replaces (old) RWallet Development Defunct! and as such had to start from zero with reviews, ratings and downloads.

RWallet is a multi-currency non-custodial wallet that supports Bitcoin. It supports BTC, Bitcoin on RSK (RBTC), RIF Token (RIF), Dollar On Chain (DOC)

The App

RWallet has three options:

  • Create Basic Wallet
  • Import Existing Wallet
  • Add Read-only Wallet

Upon clicking “Create Basic Wallet”, you are allowed to choose from Segwit or Legacy crypto address. After this, you are given access to the 12-word recovery phrase and asked to safeguard it.

You can send and receive like a normal wallet.

After confirming that the recovery phrase has a backup, the app asks you to set a PIN. This PIN must be entered to access the recovery phrase again.

Code and Reproducibility

We were able to find a related website even though RWallet’s Google Page did not have a website listed. The contact email address had a domain of iovlabs.org. We could not find any mention of RWallet’s open-source nature on that website. However, searching for the appID ‘com.rsk.rwallet.v2’ brought us to what could possibly be RWallet’s GitHub repository. Although this specific repository is not linked from the iovlabs.org, we feel that it could be relevant as it mentions a lot of related items.

A while ago Emanuel had already looked into this app but as it had only few users, he did not check for reproducibility.

Back then he already ran into the issue that several files are not being provided in the source repository, making it hard to compile the project and impossible to compile it in a reproducible way, as the missing files affect the compiled app.

The new build instructions link to a non-existing section about an .env file and do not mention the google-services.json Emanuel had to create back then. It is mentioned though that a signing key is required, which for our purpose should not be the case, as we intend to work with an unsigned app. How can we build an unsigned version of the released app?

We conclude, this app is currently not verifiable.


Verdict Explained

We encountered a build error while compiling from source code!

As part of our Methodology, we ask:

Can the product be built from the source provided?

If the answer is "no", we mark it as "Failed to build from source provided!".

Published code doesn’t help much if the app fails to compile.

We try to compile the published source code using the published build instructions into a binary. If that fails, we might try to work around issues but if we consistently fail to build the app, we give it this verdict and open an issue in the issue tracker of the provider to hopefully verify their app later.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.