This app was first launched on 15th January 2018 and currently has more than 50,000 downloads and a 4.9-star rating from 1149 users; the latest APK (version 3.0.2) dates from 1st April 2020.
We found these ways of contacting the developers:
Help spread awareness for build verifiability
Please help us spread the word by asking Lumi Bitcoin and Crypto Wallet. Buy & Sell Bitcoin via their Twitter to support verifiable builds!
The following analysis is not a full code review! We plan to make code reviews available in the future, but even then they will never be a stamp of approval, rather a list of incidents and bad coding practices. We cannot find and tell you all the dark secrets the wallet providers might have.
Do your own research!
Try searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and whether you are comfortable with the provider's reaction.
The description on their Playstore listing gets straight to the point:
Security is Lumi Wallet’s primary focus: private keys are kept exclusively on your device.
But … the paragraph continues to state:
All funds are held in cold storage and you always remain the sole owner of your cryptocurrency.
What is cold storage?
---------------------

"Cold" in a wallet context means that the key is not on a web-connected device. This could be your keys existing only on a piece of paper in the form of 12 words, or on a hardware wallet. As these approaches usually involve plugging the hardware wallet into a connected device or restoring the 12 words on such a device, they are not suited for institutions. Institutions take "cold" to a higher level by having one computer that is never connected, which stays cold: transactions are built on a "hot" computer and transferred to the cold computer, on a pen-drive for example, to be signed there, and the signed transaction is carried back to the hot computer the same way. The private key never leaves the cold machine; only the unsigned transaction goes in and only the signature comes out.

So which is it? "Your device" is pretty hot for cold storage. If they really used cold storage in this sense, the provider would be holding the keys, which would make the wallet custodial.
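The institutional hot/cold workflow described above, as an added illustration (this is not code from Lumi or from this site): the hot side writes an unsigned transaction to a pen-drive directory, the cold side signs it with a key that exists only there, and the hot side verifies the signature before it would broadcast. Everything in it is constructed for the demo: the transaction is a JSON dict rather than a PSBT, the "pen-drive" is a temporary directory, and the signing is textbook ECDSA over secp256k1 in pure Python with an HMAC-derived nonce (not RFC 6979), so it runs offline with no dependencies.

```python
"""Air-gapped signing demo (added illustration, not Lumi's or WalletScrutiny's code).
Constructed JSON "transaction" instead of a PSBT; textbook ECDSA over secp256k1 in
pure Python with an HMAC-derived nonce (not RFC 6979). Only cold_sign sees the key."""
import hashlib
import hmac
import json
import os
import tempfile

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, point):
    result = None  # double-and-add scalar multiplication
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def pubkey(priv):
    return _mul(priv, G)

def sign(priv, digest):
    z = int.from_bytes(digest, "big")
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), digest,
                                hashlib.sha256).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s

def verify(pub, digest, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(digest, "big"), pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r

def tx_digest(tx):
    """Canonical serialisation so both sides hash exactly the same bytes."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()

# Hot side: online, holds only the public key.
def hot_build(pen_drive, tx):
    with open(os.path.join(pen_drive, "unsigned.json"), "w") as f:
        json.dump(tx, f, sort_keys=True)

def hot_finalize(pen_drive, pub):
    with open(os.path.join(pen_drive, "signed.json")) as f:
        signed = json.load(f)
    # Only a valid signature over the exact tx would be broadcast.
    return verify(pub, tx_digest(signed["tx"]), tuple(signed["sig"]))

# Cold side: never online, the only place the private key exists.
def cold_sign(pen_drive, priv):
    with open(os.path.join(pen_drive, "unsigned.json")) as f:
        tx = json.load(f)
    sig = sign(priv, tx_digest(tx))  # an operator would review tx first
    with open(os.path.join(pen_drive, "signed.json"), "w") as f:
        json.dump({"tx": tx, "sig": list(sig)}, f)

def run_demo(tamper=False):
    """Full round trip; True when the hot side accepts the returned signature."""
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    pub = pubkey(priv)
    tx = {"inputs": [{"txid": "00" * 32, "vout": 0}],  # constructed sample
          "outputs": [{"address": "bc1qexample", "sats": 50000}]}
    with tempfile.TemporaryDirectory() as pen_drive:  # stands in for the USB stick
        hot_build(pen_drive, tx)
        cold_sign(pen_drive, priv)
        if tamper:  # malware on the hot side changes the amount after signing
            path = os.path.join(pen_drive, "signed.json")
            with open(path) as f:
                signed = json.load(f)
            signed["tx"]["outputs"][0]["sats"] = 5_000_000
            with open(path, "w") as f:
                json.dump(signed, f)
        return hot_finalize(pen_drive, pub)
```

`run_demo()` returns True for the honest round trip and `run_demo(tamper=True)` returns False: the hot machine can build and broadcast, but it can neither produce a signature nor change what the cold machine signed. That separation is what "cold" means, and it is exactly what a key that is "kept exclusively on your device" cannot provide when that device is the phone itself.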
Universal backup is possible due to the use of the HD wallet model - one mnemonic phrase will restore all your token wallets.
This sounds good again.
No need to provide any personal info.
This is also not typical of custodial apps, as these are generally required by law (KYC/AML rules) to collect personal data.
On their website there is no mention of an Android wallet. The “Mobile apps” menu only contains two links that both redirect you to an iPhone app.
As their web-app also claims
Wallet is created locally on your device
we assume for now that their use of "cold storage" is different from ours and conclude that they are probably not custodial but certainly closed source.
Our verdict: This app is not verifiable.
Not verifiable: No Open Source Code found
This verdict means that we could not find any source to compile the app from. Internally the company might do everything right, but as we can't verify it, there is nothing protecting the user from an exit scam in which the provider releases an update that leaks the keys to its servers.
The app cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined, they might have collected the backups of all the wallets, ready to be emptied at the press of a button. The app might have a formidable track record but, out of distress or after a change in management, turn evil from some point on, with nobody outside ever knowing before it is too late.