BLW: Bitcoin and Lightning Wallet


This app was first launched on 1st May 2018 and currently has more than 10,000 downloads and a 4.4-star rating from 274 users. The latest APK (version 0.4.2) is from 30th January 2020 and is newer than the version of the app reviewed below.

Our analysis was done on 23rd November 2019 based on data found in their Play Store description, their website and their source repository. We discuss the issue with verification with the provider here.

We found these ways of contacting the developers:

Disclaimer

The following analysis is not a full code review! We plan to make code reviews available in the future, but even then it will never be a stamp of approval but rather a list of incidents and bad coding practice. We cannot find and tell you all the dark secrets the wallet providers might have.

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

The Analysis

Update: The issue about reproducibility was deleted just like every other issue on their GitHub, given our issue number was 158 and the repository lists no issues at all.

Original Review:

This wallet claims to be non-custodial and on their website we find their source code repository. Let’s see how that goes …

$ git clone git@github.com:btcontract/lnwallet.git

… 750MB download later …

$ cd lnwallet
$ git tag
0.3-130
v0.3-129

There is no v0.4 tag, and upon further investigation it turns out the project doesn't update the versionName with every release, so it is more complicated to determine which version we are dealing with on Google Play.

The latest "Bump version" commit defines getSupportActionBar setSubtitle "App version 0.4-142", yet in my install of the app I find "App version 0.4-141". When was that introduced? In this commit. So … we try to go from there:

$ git checkout 91e65f52f0e7
$ ./gradlew build
Parallel execution is an incubating feature.
Incremental java compilation is an incubating feature.

FAILURE: Build failed with an exception.

* What went wrong:
A problem occurred configuring project ':app'.
> No toolchains found in the NDK toolchains folder for ABI with prefix: mips64el-linux-android

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Which is a known issue: the Android Gradle plugin version is outdated. It should be 3.1 or above but is defined as

classpath 'com.android.tools.build:gradle:2.3.0'

So if there is a good reason for using an old gradle version (2.3 is from early 2015), the team should explain that and give clear build instructions.

At this point we give up and decide the wallet is not easily verifiable.
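As an added example (not code from the review or from the lnwallet project), the following POSIX sh script automates the two pre-flight checks the review walks through by hand: the "App version" subtitle the checked-out source declares versus the one shown in the installed app, and whether the Android Gradle plugin pinned in build.gradle is at least 3.1, below which the NDK toolchain error above is expected. The file names and file contents are constructed stand-ins for the repository's real files.

```shell
# Added example, not code from the review or the lnwallet project.
# Checks (1) the declared "App version" against the installed app and
# (2) whether the pinned Android Gradle plugin is >= 3.1 (older plugins still
# look for the removed mips64el NDK toolchain and fail to configure).
# All file names and contents below are constructed stand-ins.

# Print the Android Gradle plugin version pinned in a build.gradle.
agp_version() {
    sed -n 's/.*classpath.*com\.android\.tools\.build:gradle:\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is greater than or equal to dotted version $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Print the version string from a setSubtitle "App version ..." call in a source file.
declared_app_version() {
    sed -n 's/.*"App version \([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Compare source against the installed app; returns non-zero on any discrepancy.
check_source() {   # $1 build.gradle  $2 source file  $3 version shown in the installed app
    agp=$(agp_version "$1"); declared=$(declared_app_version "$2"); status=0
    if version_ge "$agp" 3.1; then echo "ok: Android Gradle plugin $agp"
    else echo "FAIL: Android Gradle plugin $agp is below 3.1, expect the NDK toolchain error"; status=1; fi
    if [ "$declared" = "$3" ]; then echo "ok: source declares App version $declared"
    else echo "FAIL: source declares '$declared' but the installed app shows '$3'"; status=1; fi
    return $status
}

# Constructed sample files mirroring what the review found in the repository.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf '%s\n' "buildscript { dependencies {" \
    "    classpath 'com.android.tools.build:gradle:2.3.0'" "} }" > "$WORK/build.gradle"
printf '%s\n' 'getSupportActionBar setSubtitle "App version 0.4-142"' > "$WORK/MainActivity.scala"
check_source "$WORK/build.gradle" "$WORK/MainActivity.scala" "0.4-141" || echo "source does not match the installed app"
```

Point the three arguments of check_source at the real root build.gradle, the Scala file containing the setSubtitle call, and the version string read from the running app to run the same check against an actual checkout.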

Verdict Explained

Not verifiable: The provided Open Source Code could not be verified to match the app released on Google Play

This verdict means that the provider did share some source code but that we could not verify that this source code matches the released app. This might be due to the source being released later than the app, due to the provided instructions on how to compile the app not being sufficient, or due to the provider excluding parts from the public source code. In any case, the result is a discrepancy between the app we can create and the app we can find on Google Play, and any discrepancy might leak your backup to the server on purpose or by accident.

As we cannot verify that the source provided is the source the app was compiled from, this category is only slightly better than closed source but for now we have hope projects come around and fix verifiability issues.

The app cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined, they might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The app might have a formidable track record but, out of distress or a change in management, turn out to be evil from some point on, with nobody outside ever knowing before it is too late.