
BlueWallet - Bitcoin wallet

Latest release: 6.3.2 (23rd November 2022). Last analysed 25th February 2023. Failed to build from source provided!
4.1 ★★★★★
506 ratings
27th May 2018

We encountered a build error while compiling from source code!

As part of our Methodology, we ask:

Can the product be built from the source provided?

If the answer is "no", we mark it as "Failed to build from source provided!".

Published code doesn’t help much if the app fails to compile.

We try to compile the published source code using the published build instructions into a binary. If that fails, we might try to work around issues but if we consistently fail to build the app, we give it this verdict and open an issue in the issue tracker of the provider to hopefully verify their app later.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.


Help spread awareness for build reproducibility

Please help us spread the word by discussing build reproducibility with BlueWallet - Bitcoin wallet via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

(Analysis from Android review)

As announced two days ago, the default custodial LN backend for BlueWallet Bitcoin Wallet is being discontinued. We tried it out and as of today, creating a default LN account stopped working if the user does not provide some backend URL. This resolves a long-standing issue that had us list this product as “custodial” as a whole. As BlueWallet Bitcoin Wallet now is in its entirety self-custodial (unless the user takes deliberate action to configure a third party custodian), we have to look deeper into this popular and feature-rich product.

The product has public source code, and the latest version on Play Store, 6.3.2, is also the latest release on GitHub.

So, let’s see if we can compile it …

The Readme does not describe how to locally build a release APK, only how to install a developer version on a connected device. In RELEASE.md, the process is described though, right? The document mainly focuses on bumping the app version, the release message and testing the release before pushing it to all users. The one line about actually building the release would be:

  • go to appcenter.ms, find this exact build under master builds, and press Distribute -> Store -> Production.

AppCenter is a Microsoft tool to "Continuously build, test, release, and monitor apps for every platform", which means we have to figure out how Microsoft builds their product as the provider doesn’t build or doesn’t share that configuration.

… actually, there is this old issue of ours where we had tried many times to reproduce this product years ago. /scripts folder they said?

$ git clone https://github.com/BlueWallet/BlueWallet
$ cd BlueWallet/
$ cat scripts/build-release-apk.sh 
#!/bin/bash


# assumes 2 env variables: KEYSTORE_FILE_HEX & KEYSTORE_PASSWORD
#
# PS. to turn file to hex and back:
#     $ xxd -plain test.txt > test.hex
#     $ xxd -plain -revert test.hex test2.txt


echo $KEYSTORE_FILE_HEX > bluewallet-release-key.keystore.hex
xxd -plain -revert bluewallet-release-key.keystore.hex > ./android/bluewallet-release-key.keystore
rm bluewallet-release-key.keystore.hex

cd android
TIMESTAMP=$(date +%s)
sed -i'.original'  "s/versionCode 1/versionCode $TIMESTAMP/g" app/build.gradle
./gradlew assembleRelease
mv ./app/build/outputs/apk/release/app-release-unsigned.apk ./app/build/outputs/apk/release/app-release.apk
$ANDROID_HOME/build-tools/30.0.2/apksigner sign --ks ./bluewallet-release-key.keystore   --ks-pass=pass:$KEYSTORE_PASSWORD ./app/build/outputs/apk/release/app-release.apk

The script requires a keystore and introduces randomness in the result, which would break reproducibility. The latter is also referenced in this open issue, so in the best case we expect this product to miss the goal of reproducibility by only a timestamp. Let’s see …

$ git checkout v6.3.2 
HEAD is now at 81ed68b55 Merge pull request #5182 from BlueWallet/renovate/react-navigation-monorepo
$ podman run -it --rm -v$PWD:/mnt --workdir=/mnt walletscrutiny/android
# mkdir -p ~/.ssh
# ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
# apt update -y
# apt install npm -y
# npm install
npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
npm WARN tar ENOENT: no such file or directory, open '/mnt/node_modules/.staging/crypto-js-0bc3b6fd/LICENSE'
npm WARN tar ENOENT: no such file or directory, open '/mnt/node_modules/.staging/crypto-js-0bc3b6fd/aes.js'
npm WARN tar ENOENT: no such file or directory, open '/mnt/node_modules/.staging/crypto-js-0bc3b6fd/cipher-core.js'
...
npm WARN tar ENOENT: no such file or directory, lstat '/mnt/node_modules/.staging/react-native-99ce84bc/ReactCommon/react/renderer/components'
npm WARN tar ENOENT: no such file or directory, lstat '/mnt/node_modules/.staging/react-native-99ce84bc/ReactCommon/react/renderer/components'
npm WARN tar ENOENT: no such file or directory, open '/mnt/node_modules/.staging/react-native-99ce84bc/ReactCommon/hermes/inspector/Inspector.cpp'
npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t ssh://git@github.com/BlueWallet/react-native-secure-key-store.git
npm ERR! 
npm ERR! git@github.com: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.
npm ERR! 
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.
npm ERR! 
npm ERR! exited with error code: 128

… which is apparently a regression as this issue about ssh dependencies was closed as fixed two years ago.
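The failure above comes from a dependency that npm resolves over SSH, which needs a GitHub key that an independent verifier does not have. The following check is an added example, not code from BlueWallet or from this review: it lists such entries in a parsed package-lock.json before a build is attempted. The function names, the sample lockfile and the commit placeholder are constructed for illustration, and the HTTPS rewrite assumes the repository is public.

```javascript
// Added example. SAMPLE_LOCK is constructed; "<commit-placeholder>" is not a real hash.
const SSH_PATTERNS = [/^git\+ssh:\/\//, /^ssh:\/\//, /^git@[^:]+:/];
const isSshSource = (spec) =>
  typeof spec === 'string' && SSH_PATTERNS.some((re) => re.test(spec));
// Anonymous HTTPS form of the same Git URL (assumes the repository is public).
const toHttps = (spec) =>
  spec
    .replace(/^(git\+)?ssh:\/\/git@/, 'git+https://')
    .replace(/^git@([^:]+):/, 'git+https://$1/');
function findSshDependencies(lock) {
  const findings = [];
  const record = (name, source) => {
    if (!findings.some((f) => f.name === name && f.source === source)) {
      findings.push({ name, source, https: toHttps(source) });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (isSshSource(meta.resolved)) {
      record(path.replace(/^.*node_modules\//, ''), meta.resolved);
    }
  }
  // lockfileVersion 1 and 2: nested "dependencies" tree; Git sources sit in "version".
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const spec = [meta.resolved, meta.version].find(isSshSource);
      if (spec) record(name, spec);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return findings;
}

const GIT_DEP =
  'git+ssh://git@github.com/BlueWallet/react-native-secure-key-store.git#<commit-placeholder>';
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/crypto-js': { resolved: 'https://registry.npmjs.org/crypto-js/-/crypto-js-0.0.0.tgz' },
    'node_modules/react-native-secure-key-store': { resolved: GIT_DEP },
  },
  dependencies: {
    'crypto-js': { version: '0.0.0' },
    'react-native-secure-key-store': { version: GIT_DEP },
  },
};
console.log(findSshDependencies(SAMPLE_LOCK));
```

To run it against a real checkout, pass the result of JSON.parse on the repository's package-lock.json to findSshDependencies; an empty result means no dependency requires SSH credentials.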

We file this product as not verifiable for now and hope the provider resolves all the relevant issues for a re-evaluation:

  • https://github.com/BlueWallet/BlueWallet/issues/3059
  • https://github.com/BlueWallet/BlueWallet/issues/3148
  • https://github.com/BlueWallet/BlueWallet/issues/758

(lw)