Bitcoin Wallet - Airbitz

3 minute read

Published:

Wallet Logo

This app was first launched on 1st April 2014 and currently has more than 100000 downloads, a 3.8 stars rating from 1124 users and the latest APK (version 2.4.12) was from 21st September 2018 and is newer than the below reviewed version of the app.

Our analysis was done on 10th November 2019 based on data found in their Playstore description and their website and their source repository. We discuss the issue with verification with the provider here.

We found these ways of contacting the developers:

Disclaimer

The following Analysis is not a full code review! We plan to make code reviews available in the future but even then it will never be a stamp of approval but rather a list of incidents and bad coding practice. We cannot find and tell you all the dark secrets the wallet providers might have.

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

The Analysis

Bitcoin Wallet - Airbitz claims to be non-custodial and open source but being the predecessor of Edge, it gets a bit confusing here as it points to the same website for its open source:

• Open-source code. Available at https://github.com/Airbitz

At github.com/Airbitz though, as mentioned in the article on Edge there is no code and we get forwarded to github.com/EdgeApp where there are currently 130 repositories and 81 repositories created by EdgeApp. There at first sight, the most likely open source for Airbitz Android app is airbitz-android-gui.

airbitz version on playstore

The Playstore mentiones Airbitz currently and since one year to be at version 2.4.12 yet on GitHub the latest tag is 2.2.0 from three years ago. The currently latest commit on master appears promising, as it has the commit comment “2.4.12”, the version we would hope to see matching the Playstore apk.

So … what do the build instructions tell us?

The Airbitz android application comes in 3 flavors. Production, Testnet and Develop. To build it issue one of the following commands:

Develop version (Seperate App ID which does not conflict with production version. Also uses the develop branch of airbitz-core-java)

./gradlew installDevelopDebug

Testnet version

./gradlew installNettestDebug

Production version

./gradlew installProdDebug

For a verifiable build I would have hoped to find some buildProdRelease and not only ...Debug.

So … lets try this:

airbitz-android-gui/Airbitz$ ./gradlew installProdDebug
Parallel execution is an incubating feature.
Incremental java compilation is an incubating feature.

FAILURE: Build failed with an exception.

* What went wrong:
A problem occurred configuring project ':airbitz'.
> Could not resolve all dependencies for configuration ':airbitz:_nettestDebugApk'.
   > A problem occurred configuring project ':libs:airbitz-directory'.
      > No toolchains found in the NDK toolchains folder for ABI with prefix: mips64el-linux-android

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 1.415 secs

Given there is no promise of verifiability and no instructions on how to build the release version or implicit promise about plugins and apis not resulting in big differences, we give up here for now and conclude the now obsolete but still available for install wallet Airbitz is not easily verifiable in its current version.

Verdict Explained

Not verifiable: The provided Open Source Code could not be verified to match the app released on Google Play

This verdict means that the provider did share some source code but that we could not verify that this source code matches the released app. This might be due to the source being released later than the app or due to the provided instructions on how to compile the app not being sufficient or due to the provider excluding parts from the public source code. In any case, the result is a discrepancy between the app we can create and the app we can find on GooglePlay and any discrepancy might leak your backup to the server on purpose or by accident.

As we cannot verify that the source provided is the source the app was compiled from, this category is only slightly better than closed source but for now we have hope projects come around and fix verifiability issues.

The app cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The app might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.