Wallet Logo

ADAMANT Messenger

App Store
Latest Release: 3.10.0 20th January 2025

Our wallet review process

We examine wallets starting at the code level and continue all the way up to the finished app that lives on your device. Provided below is an outline of each of these steps along with security tips for you and general test results.

Developer

ADAMANT TECH LABS LP

Website Twitter VK Telegram YouTube

Released

4th August 2018

Custody

Self-custodial: The user holds the keys

As part of our Methodology, we ask: Is the product self-custodial?

The answer is "yes". The user has control of their own keys.
Read more

Source code

Public on github

Application build

If you have a binary for a version that doesn't appear on the list, you can drop the file here to register it so somebody can verify its reproducibility:

Drop binary file to verify

or
Learn more

×

Distribution

App Store
4.9/5 stars

Platform notes

On the Apple App Store, there are many apps that have Bitcoin in their name or description but don’t allow the user to use Bitcoin or they don’t look like Bitcoin wallets but turn out to be. We run our tests and document our findings.

WalletScrutiny started out looking only into Android. This is because mobile wallets are the most used wallets, and Android is the most used among mobile wallets, but looking into iPhone wallets was high on the list from the start.

For Android, the reproducing build process is relatively clear; some apps did this before we started the project. For iPhone, this was not the case. As a result, iPhone app reproducibility was an open question.

We asked around. Several years passed. Nobody could reproduce any iPhone app.

At this point, we shift the burden of proof onto the providers (or Apple). If you want people to trust your app (or platform), explain how it can be audited.

Passed all 7 tests

We answered the following questions in this order:

Is this product the original?

The answer is "yes".
If the answer was "no", we would mark it as "Fake" and the following would apply:

The answer is "no". We marked it as "Fake".

We did not ask this question because we failed at a previous question.
If the answer was "no", we would mark it as "Fake" and the following would apply:

The bigger wallets often get imitated by scammers that abuse the reputation of the product by imitating its name, logo or both.

Imitating a competitor is a huge red flag and we urge you to not put any money into this product!

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.
Is it a wallet?

The answer is "yes".
If the answer was "no", we would mark it as "Not a wallet" and the following would apply:

The answer is "no". We marked it as "Not a wallet".

We did not ask this question because we failed at a previous question.
If the answer was "no", we would mark it as "Not a wallet" and the following would apply:

If it’s called “wallet” but is actually only a portfolio tracker, we don’t look any deeper, assuming it is not meant to control funds. What has no funds, can’t lose your coins. It might still leak your financial history!

If you can buy Bitcoins with this app but only into another wallet, it’s not a wallet itself.

Is it for bitcoins?

The answer is "yes".
If the answer was "no", we would mark it as "A wallet but not for Bitcoin" and the following would apply:

The answer is "no". We marked it as "A wallet but not for Bitcoin".

We did not ask this question because we failed at a previous question.
If the answer was "no", we would mark it as "A wallet but not for Bitcoin" and the following would apply:

At this point we only look into wallets that at least also support BTC.

Can it send and receive bitcoins?

The answer is "yes".
If the answer was "no", we would mark it as "Can't send or receive bitcoins" and the following would apply:

The answer is "no". We marked it as "Can't send or receive bitcoins".

We did not ask this question because we failed at a previous question.
If the answer was "no", we would mark it as "Can't send or receive bitcoins" and the following would apply:

If it is for holding BTC but you can’t actually send or receive them with this product then it doesn’t function like a wallet for BTC but you might still be using it to hold your bitcoins with the intention to convert back to fiat when you “cash out”.

All products in this category are custodial and thus funds are at the mercy of the provider.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.
Is the product self-custodial?

The answer is "yes".
If the answer was "no", we would mark it as "Custodial: The provider holds the keys" and the following would apply:

The answer is "no". We marked it as "Custodial: The provider holds the keys".

We did not ask this question because we failed at a previous question.
If the answer was "no", we would mark it as "Custodial: The provider holds the keys" and the following would apply:

A custodial service is a service where the funds are held by a third party like the provider. The custodial service can at any point steal all the funds of all the users at their discretion. Our investigations stop there.

Some services might claim their setup is super secure, that they don’t actually have access to the funds, or that the access is shared between multiple parties. For our evaluation of it being a wallet, these details are irrelevant. They might be a trustworthy Bitcoin bank and they might be a better fit for certain users than being your own bank but our investigation still stops there as we are only interested in wallets.

Products that claim to be non-custodial but feature custodial accounts without very clearly marking those as custodial are also considered “custodial” as a whole to avoid misguiding users that follow our assessment.

This verdict means that the provider might or might not publish source code and maybe it is even possible to reproduce the build from the source code but as it is custodial, the provider already has control over the funds, so it is not a wallet where you would be in exclusive control of your funds.

We have to acknowledge that a huge majority of Bitcoiners are currently using custodial Bitcoin banks. If you do, please:

  • Do your own research if the provider is trust-worthy!
  • Check if you know at least enough about them so you can sue them when you have to!
  • Check if the provider is under a jurisdiction that will allow them to release your funds when you need them?
  • Check if the provider is taking security measures proportional to the amount of funds secured? If they have a million users and don’t use cold storage, that hot wallet is a million times more valuable for hackers to attack. A million times more effort will be taken by hackers to infiltrate their security systems.
The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.
Is the source code publicly available?

The answer is "yes".
If the answer was "no", we would mark it as "No source for current release found" and the following would apply:

The answer is "no". We marked it as "No source for current release found".

We did not ask this question because we failed at a previous question.
If the answer was "no", we would mark it as "No source for current release found" and the following would apply:

A wallet that claims to not give the provider the means to steal the users’ funds might actually be lying. In the spirit of “Don’t trust - verify!” you don’t want to take the provider at his word, but trust that people hunting for fame and bug bounties could actually find flaws and back-doors in the wallet so the provider doesn’t dare to put these in.

Back-doors and flaws are frequently found in closed source products but some remain hidden for years. And even in open source security software there might be catastrophic flaws undiscovered for years.

An evil wallet provider would certainly prefer not to publish the code, as hiding it makes audits orders of magnitude harder.

For your security, you thus want the code to be available for review.

If the wallet provider doesn’t share up to date code, our analysis stops there as the wallet could steal your funds at any time, and there is no protection except the provider’s word.

“Up to date” strictly means that any instance of the product being updated without the source code being updated counts as closed source. This puts the burden on the provider to always first release the source code before releasing the product’s update. This paragraph is a clarification to our rules following a little poll.

We are not concerned about the license as long as it allows us to perform our analysis. For a security audit, it is not necessary that the provider allows others to use their code for a competing wallet. You should still prefer actual open source licenses as a competing wallet won’t use the code without giving it careful scrutiny.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.
Is the decompiled binary legible?

The answer is "yes".
If the answer was "no", we would mark it as "Obfuscated" and the following would apply:

The answer is "no". We marked it as "Obfuscated".

We did not ask this question because we failed at a previous question.
If the answer was "no", we would mark it as "Obfuscated" and the following would apply:

When compiling source code to binary, usually a lot of meta information is retained. A variable storing a masterseed would usually still be called masterseed, so an auditor could inspect what happens to the masterseed. Does it get sent to some server? But obfuscation would rename it for example to _t12, making it harder to find what the product is doing with the masterseed.

In benign cases, code symbols are replaced by short strings to make the binary smaller but for the sake of transparency this should not be done for non-reproducible Bitcoin wallets. (Reproducible wallets could obfuscate the binary for size improvements as the reproducibility would assure the link between code and binary.)

Especially in the public source cases, obfuscation is a red flag. If the code is public, why obfuscate it?

As obfuscation is such a red flag when looking for transparency, we do also sometimes inspect the binaries of closed source apps.

As looking for code obfuscation is a more involved task, we do not inspect many apps but if we see other red flags, we might test this to then put the product into this red-flag category.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.
ADAMANT Messenger  Google Play

Application build test result

(Analysis from Android review)

Build Attempt 2024-09-13

Build Instructions for Android App:

Although the instructions are extensive, there is a lot of information missing from the build instructions that could help third-party builders be more efficient in building. These are the generic instructions:

Clone the repository:

git clone --recursive https://github.com/Adamant-im/adamant-im.git

Install dependencies:

npm install

Prepare environment variables:

cp capacitor.env.example capacitor.env

Replace necessary ENV values before build.

Build the Android app as an AAB:

npm run android:build

We spent the better part of the day grappling with errors following these instructions to the dot, but we will summarize for the convenience of the reader.

We first start by generating a dummy keystore

   keytool -genkey -v -keystore android/app/dummy.keystore -alias dummy -keyalg RSA -keysize 2048 -validity 10000 -storepass dummy123 -keypass dummy123 -dname "CN=Dummy,OU=Dummy,O=Dummy,L=Dummy,S=Dummy,C=US"

There is a need to modify three files from the Adamant repository:

  • android/app/build.gradle
  • capacitor.env.example (is renamed capacitor.env)

  • scripts/capacitor/build-android.mjs

    • android/app/build.gradle. Here, we insert the defaultConfig and signingConfigs configuration blocks above buildTypes 
      defaultConfig {
    applicationId "im.adamant.adamantmessengerpwa"
    minSdkVersion rootProject.ext.minSdkVersion
    targetSdkVersion rootProject.ext.targetSdkVersion
    versionCode 481
    versionName "4.8.1"
    testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
    aaptOptions {
         // Files and dirs to omit from the packaged assets dir, modified to accommodate modern web apps.
         // Default: https://android.googlesource.com/platform/frameworks/base/+/282e181b58cf72b6ca770dc7ca5f91f135444502/tools/aapt/AaptAssets.cpp#61
        ignoreAssetsPattern '!.svn:!.git:!.ds_store:!*.scc:.*:!CVS:!thumbs.db:!picasa.ini:!*~'
    }
}

signingConfigs {
    release {
        storeFile file("dummy.keystore")
        storePassword "dummy123"
        keyAlias "dummy"
        keyPassword "dummy123"
    }
}

buildTypes {
    release {
    signingConfig signingConfigs.release
        minifyEnabled false
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
    }
}
    • capacitor.env is located at the root of the cloned adamant-im folder. Capacitor is a native bridge for cross-platform apps. It usually holds variables that are needed for the build environment. 
      ANDROID_KEYSTORE_PATH="app/dummy.keystore"
ANDROID_KEYSTORE_PASSWORD="dummy123"
ANDROID_KEYSTORE_ALIAS="dummy"
ANDROID_KEYSTORE_ALIAS_PASSWORD="dummy123"
ANDROID_RELEASE_TYPE="AAB"
    • scripts/capacitor/build-android.mjs is Adamant’s build script 
      import dotenv from 'dotenv'
import { $ } from 'execa'
import path from 'path'
import fs from 'fs'

// Load environment variables from capacitor.env
const envConfig = dotenv.parse(fs.readFileSync('capacitor.env'))
for (const k in envConfig) {
process.env[k] = envConfig[k]
}

void run()

async function run() {
const $$ = $({ shell: true, stdout: 'inherit' })
    
console.log('Environment variables:')
console.log('ANDROID_KEYSTORE_PATH:', process.env.ANDROID_KEYSTORE_PATH)
console.log('ANDROID_KEYSTORE_PASSWORD:', process.env.ANDROID_KEYSTORE_PASSWORD)
console.log('ANDROID_KEYSTORE_ALIAS:', process.env.ANDROID_KEYSTORE_ALIAS)
console.log('ANDROID_KEYSTORE_ALIAS_PASSWORD:', process.env.ANDROID_KEYSTORE_ALIAS_PASSWORD)
console.log('ANDROID_RELEASE_TYPE:', process.env.ANDROID_RELEASE_TYPE)

await $$`npm run build` // build PWA
await $$`cap sync` // copy web assets to ./android
    
const keystorePath = path.resolve(process.cwd(), 'android', process.env.ANDROID_KEYSTORE_PATH)
    
const buildArgs = [
    `--keystorepath="${keystorePath}"`,
    `--keystorepass="${process.env.ANDROID_KEYSTORE_PASSWORD}"`,
    `--keystorealias="${process.env.ANDROID_KEYSTORE_ALIAS}"`,
    `--keystorealiaspass="${process.env.ANDROID_KEYSTORE_ALIAS_PASSWORD}"`,
    `--androidreleasetype="${process.env.ANDROID_RELEASE_TYPE}"`,
    '--signing-type jarsigner'
]
    
console.log('Build arguments:', buildArgs)
    
await $$`cap build android ${buildArgs}`
}

Build output after these modifications:

  • We then run npm run android:build
✔ Copying web assets from dist to android/app/src/main/assets/public in 43.57ms
✔ Creating capacitor.config.json in android/app/src/main/assets in 1.28ms
✔ copy android in 118.22ms
✔ Updating Android plugins in 19.33ms
✔ update android in 114.17ms
✔ copy web in 38.59ms
✔ update web in 36.08ms
[info] Sync finished in 0.506s
Build arguments: [
'--keystorepath="/home/danny/work/builds/im.adamant.adamantmessengerpwa/4.8.1/2/adamant-im/android/app/dummy.keystore"',
'--keystorepass="dummy123"',
'--keystorealias="dummy"',
'--keystorealiaspass="dummy123"',
'--androidreleasetype="AAB"',
'--signing-type jarsigner'
]
✔ Running Gradle build in 1.56s
✔ Signing Release in 1.69s
[success] Successfully generated app-release-signed.aab at:
/home/danny/work/builds/im.adamant.adamantmessengerpwa/4.8.1/2/adamant-im/android/app/build/outputs/bundle/release

Now we need to generate 3 split apks to match those we pulled from our phone from the AAB we generated.

- base.apk 
- split_config.en.apk  
- split_config.xhdpi.apk

Extracting the split APKs from the AAB

Copy the device-spec.json file from our device

$ cp ~/work/device-spec/a11/device-spec.json .

Download bundletool

wget https://github.com/google/bundletool/releases/download/1.15.6/bundletool-all-1.15.6.jar

Use bundletool to generate APKs

java -jar bundletool-all-1.15.6.jar build-apks --bundle=/home/danny/work/builds/im.adamant.adamantmessengerpwa/4.8.1/2/adamant-im/android/app/build/outputs/bundle/release/app-release-signed.aab --output=device-specific.apks --device-spec=device-spec.json

Extract the APKs

unzip device-specific.apks -d device_specific_apks

We then copy the split apks from our phone to the build server and place them in the fromOfficial/ folder

We normalize the apk names both for build and official

We unzip the normalized apks to their respective folders

We run a diff on the corresponding folders:

danny@lw10:~/work/compare/im.adamant.adamantmessngerpwa/4.8.1$ diff -r from*/base
Binary files fromBuild/base/AndroidManifest.xml and fromOfficial/base/AndroidManifest.xml differ
Only in fromOfficial/base/META-INF: BNDLTOOL.RSA
Only in fromOfficial/base/META-INF: BNDLTOOL.SF
Only in fromOfficial/base/META-INF: MANIFEST.MF
Binary files fromBuild/base/res/xml/splits0.xml and fromOfficial/base/res/xml/splits0.xml differ
Binary files fromBuild/base/resources.arsc and fromOfficial/base/resources.arsc differ
Only in fromOfficial/base: stamp-cert-sha256

danny@lw10:~/work/compare/im.adamant.adamantmessngerpwa/4.8.1$ diff -r from*/en
Binary files fromBuild/en/AndroidManifest.xml and fromOfficial/en/AndroidManifest.xml differ
Only in fromOfficial/en: META-INF

Binary files fromBuild/en/resources.arsc and fromOfficial/en/resources.arsc differ
Only in fromOfficial/en: stamp-cert-sha256

danny@lw10:~/work/compare/im.adamant.adamantmessngerpwa/4.8.1$ diff -r from*/xhdpi
Binary files fromBuild/xhdpi/AndroidManifest.xml and fromOfficial/xhdpi/AndroidManifest.xml differ
Only in fromOfficial/xhdpi: META-INF
Binary files fromBuild/xhdpi/resources.arsc and fromOfficial/xhdpi/resources.arsc differ
Only in fromOfficial/xhdpi: stamp-cert-sha256

Analysis of the diffs

In contrast with Bitkey - Bitcoin Wallet    , the diffs are almost identical. We can find signing related diffs in files such as: BNDLTOOL.RSA, BNDLTOOL.SF, MANIFEST.MF, stamp-cert-sha256 and META-INF. These are only present in the fromOfficial or the APKs we extracted from our phone. Similarly, we also find a difference in resources.arsc.

diffoscope –text resources.arsc.diff.txt fromBuild/base/resources.arsc fromOfficial/base/resources.arsc

danny@lw10:~/work/compare/im.adamant.adamantmessngerpwa/4.8.1$ cat resources.arsc.diff.txt 
--- fromOfficial/base/resources.arsc
+++ fromBuild/base/resources.arsc
│┄ Format-specific differences are supported for Android package resource table (ARSC) but no file-specific differences were detected; falling back to a binary diff. file(1) reports: Android package resource table (ARSC), 261 string(s), utf8
@@ -3496,15 +3496,15 @@
0000da70: 7461 696e 6572 0024 2457 6964 6765 742e  tainer.$$Widget.
0000da80: 436f 6d70 6174 2e4e 6f74 6966 6963 6174  Compat.Notificat
0000da90: 696f 6e41 6374 696f 6e54 6578 7400 2020  ionActionText.  
0000daa0: 5769 6467 6574 2e53 7570 706f 7274 2e43  Widget.Support.C
0000dab0: 6f6f 7264 696e 6174 6f72 4c61 796f 7574  oordinatorLayout
0000dac0: 0006 0663 6f6e 6669 6700 0a0a 6669 6c65  ...config...file
0000dad0: 5f70 6174 6873 0007 0773 706c 6974 7330  _paths...splits0
-0000dae0: 0000 0000 0202 1000 7400 0000 0100 0100  ........t.......
+0000dae0: 0000 0000 0202 1000 7400 0000 0100 0000  ........t.......
0000daf0: 1900 0000 0000 0000 0000 0000 0000 0000  ................
0000db00: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000db10: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000db20: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000db30: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000db40: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000db50: 0000 0000 0000 0000 0102 5400 4802 0000  ..........T.H...

One such minor difference could be found at offset 0000dae0. Specifically the last 0100 (1 in decimal - official) and 0000 (0 in decimal - built). Which was also described in the bitkey review. The Bitkey team noted in resources.arsc:

Unfortunately Google Play has changed how they build resources.arsc. From our testing, it seems like they are using a previously reserved byte. When built using bundletool, that byte is always 0, thus making direct comparison using diff impossible.

Looking into this deeper, I find that generating hexdumps for built and official resources.arsc, will show more instances of these changes. (Complete nosbin of the diffoscope of the hexdump)

Using xxd shows more differences in resources.arsc

$ xxd fromBuild/base/resources.arsc > built_resources.hex
$ xxd fromOfficial/base/resources.arsc > official_resources.hex
$ diffoscope built_resources.hex official_resources.hex
  1. At offset 0000dae0: 
    - 0100 0000  
+ 0100 0100
  2. At offset 0000dda0: 
    - 0200 0000  
+ 0200 0100
  3. At offset 0000de90: 
    - 0300 0000  
+ 0300 0100
  4. At offset 00010fc0: 
    - 0400 0000  
+ 0400 0200
  5. At offset 00011c20: 
    - 0600 0000  
+ 0600 0700
  6. At offset 00014b90: 
    - 0800 0000  
+ 0800 0100
  7. At offset 00015e20: 
    - 0900 0000  
+ 0900 0100
  8. At offset 00015f20: 
    - 0a00 0000  
+ 0a00 0100
  9. At offset 00016ba0: 
    - 0d00 0000  
+ 0d00 0100
  10. At offset 00016ff0: 
    - 0e00 0000  
+ 0e00 0d00
  11. At offset 00020020: 
    - 1000 0000  
+ 1000 0100
  12. At offset 00016020: 
    - 0b00 0000  
+ 0b00 0300

From what I understand with Bitkey’s case, the difference in resources.arsc is only with 1 byte. Running xxd to generate a hexdump prior to running diffoscope on the hexdump between build and official results in diffs in at least 12 offsets.

These diffs could be significant, especially if they are control bytes. Although they may seem insignificant, a difference between 0 and 1 could be the difference between turning an option, flag, or switch “on” or “off”.

For this reason, we are amending our verdict to nonverifiable.

We filed an issue with them, and invited them to collaborate.

Previous Review 2024-07-20

We found the repository for Adamant IM Messenger with a GitHub release version that is close to the Google Play version.

App Description from Google Play 2023-04-15

CRYPTO WALLET. Just a single password for all the internal cryptocurrencies: ADAMANT, Bitcoin, Ethereum, Doge, Dash, Binance coin, Bit-Z token, KuCoin token, Resfinex token, Stably Dollar. You have full control over private keys.

Analysis

The app has multiple features integrated in 1 app. It has messenger, wallet, a GPT powered chat and an exchange among other things.

We took a look at its repository and found 21 of these component parts - however, the Android repository has notably been archived since 2021.

This goes to say that while it may have been publicly available for a time, the Android app’s source code hasn’t been for a long time. What’s noteworthy about this is that their Google Play app has recently been updated on March 2023.

Tests performed by Daniel Andrei R. Garcia

Do your own research

In addition to reading our analysis, it is important to do your own checks. Before transferring any bitcoin to your wallet, look up reviews for the wallet you want to use. They should be easy to find. If they aren't, that itself is a reason to be extra careful.