UNSTOPPABLE - Bitcoin Wallet


This relatively new app currently has more than 1000 downloads and a 4.3-star rating from 117 users; the latest APK (version 0.12.0) is from 3rd March 2020.

Our analysis was done on 25th March 2020 based on data found in their Play Store description, their website and their source repository. We discuss the issue with verification with the provider here.

We found these ways of contacting the developers:

Disclaimer

The following analysis is not a full code review! We plan to make code reviews available in the future, but even then it will never be a stamp of approval but rather a list of incidents and bad coding practices. We cannot find and tell you all the dark secrets the wallet providers might have.

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

The Analysis

The latest version on Google Play is “0.12.0”. Let's see if that's verifiable:

Update: We claimed to have tested that version before, and the provider asked us to verify the results again, as git tag 0.12 is supposed to match Google Play version 0.12.0. So, here we go again:

The file from Google was obtained from our Android phone after updating the wallet. For convenience it was renamed to wallet.apk, but apktool confirms it is version 0.12.0, a version which can't be found as a tag in the git repository, which is why the test script errors out there:

$ ./test.sh /tmp/wallet.apk 
Extracting APK content ...
I: Using Apktool 2.4.0-dirty on wallet.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/leo/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Baksmaling classes3.dex...
I: Baksmaling classes4.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

Testing "/tmp/wallet.apk" (io.horizontalsystems.bankwallet version 0.12.0)

Testing Unstoppable Wallet
[sudo] password for leo:
Cloning into 'unstoppable-wallet-android'...
remote: Enumerating objects: 269, done.
remote: Counting objects: 100% (269/269), done.
remote: Compressing objects: 100% (168/168), done.
remote: Total 46489 (delta 166), reused 85 (delta 69), pack-reused 46220
Receiving objects: 100% (46489/46489), 27.04 MiB | 1.41 MiB/s, done.
Resolving deltas: 100% (30694/30694), done.
Trying to checkout version 0.12.0 ...

and here we take over with a manual review:

$ cd /tmp/testUnstoppable/unstoppable-wallet-android/
$ git checkout 0.12
$ docker run -it --rm --volume $(pwd):/project --workdir /project mycelium-wallet
root@08cb2548183d:/project# ./gradlew clean :app:assembleProductionMainnetRelease
...
BUILD SUCCESSFUL in 8m 5s
197 actionable tasks: 188 executed, 9 up-to-date
<-------------> 0% WAITING
> IDLE
> IDLE
> IDLE
> IDLE
> IDLE
> IDLE
> IDLE
> IDLE
> IDLE
root@08cb2548183d:/project# exit
$ apktool d -o fromPlay /tmp/wallet.apk 
$ apktool d -o fromBuild app/build/outputs/apk/productionMainnet/release/app-productionMainnet-release-unsigned.apk 
$ diff --brief --recursive from* | wc -l
638

Just as in our last run, there are 638 files that differ. That is not ok. This app is not verifiable.
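As an added example (not the test.sh from this page and not the wallet project's own code), the following POSIX shell helper performs the final comparison step of the procedure above: it walks the two apktool output trees and lists every file that is missing on one side or differs byte-wise, while skipping paths that are expected to differ between a signed Play Store APK and an unsigned local build (v1 JAR signature files under META-INF and apktool's own apktool.yml, which records the input file name). The directory names and the skip list are assumptions; a count of 0 means the trees match modulo signing.

```shell
#!/bin/sh
# Added example: compare two decoded APK trees (e.g. fromPlay/ and fromBuild/
# produced by `apktool d`) and report unexpected differences.

# Paths that legitimately differ between a signed Play APK and an unsigned build:
# v1 (JAR) signature files (apktool keeps them under original/META-INF/) and
# apktool.yml, which embeds the name of the input APK. This list is an assumption
# to be reviewed per project, not a definition from the page.
is_expected_diff() {
  case "$1" in
    *META-INF/*.RSA|*META-INF/*.DSA|*META-INF/*.EC|*META-INF/*.SF|*META-INF/MANIFEST.MF|apktool.yml)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Print one line per unexpected difference.
# Usage: apk_tree_diff <dir_from_play> <dir_from_build>
apk_tree_diff() {
  a="$1"; b="$2"
  { ( cd "$a" && find . -type f ); ( cd "$b" && find . -type f ); } \
    | sed 's|^\./||' | sort -u | while IFS= read -r rel; do
      if is_expected_diff "$rel"; then continue; fi
      if [ ! -f "$a/$rel" ]; then
        echo "only in build: $rel"
      elif [ ! -f "$b/$rel" ]; then
        echo "only in play: $rel"
      elif ! cmp -s "$a/$rel" "$b/$rel"; then
        echo "differs: $rel"
      fi
    done
}

# Number of unexpected differences; 0 means the build reproduces the Play APK
# apart from the signature-related files skipped above.
apk_tree_diff_count() {
  apk_tree_diff "$1" "$2" | wc -l | tr -d ' '
}
```

Unlike `diff --brief --recursive from* | wc -l`, the count excludes files that can never match between a signed and an unsigned APK, so a non-zero result points at real build differences worth inspecting.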

We apologize for a copy-paste error in the last review, which erroneously mentioned 0.11.0. This happened because the script couldn't find the correct revision, so the process was done manually, following the protocol from earlier tests, and the protocol was updated to reflect the latest changes. The APK file name was not updated in the process. Sorry.

Verdict Explained

Not verifiable: The provided Open Source Code could not be verified to match the app released on Google Play

This verdict means that the provider did share some source code but that we could not verify that this source code matches the released app. This might be due to the source being released later than the app, due to the provided instructions on how to compile the app not being sufficient, or due to the provider excluding parts from the public source code. In any case, the result is a discrepancy between the app we can create and the app we can find on Google Play, and any discrepancy might leak your backup to the server on purpose or by accident.

As we cannot verify that the source provided is the source the app was compiled from, this category is only slightly better than closed source, but for now we have hope that projects come around and fix verifiability issues.

The app cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined, he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The app might have a formidable track record but, out of distress or a change in management, turn out to be evil from some point on, with nobody outside ever knowing before it is too late.