AirGap Vault - Ethereum, Aeternity & Other Crypto

1 minute read

Published:

Wallet Logo

This relatively new app currently has more than 5000 downloads, a 4.2 stars rating from 30 users and the latest APK (version 3.0.0) was from 6th December 2019.

Our analysis was done on 6th January 2020 based on data found in their Playstore description and their website and their source repository. We discuss the issue with verification with the provider here. In our GitLab this app is discussed in Issue #92.

We found these ways of contacting the developers:

Older reviews

Help spread awareness for build verifiability

Please follow AirGap Vault - Ethereum, Aeternity & Other Crypto and thank them for being verifiable via their Twitter!

Disclaimer

The following Analysis is not a full code review! We plan to make code reviews available in the future but even then it will never be a stamp of approval but rather a list of incidents and bad coding practice. We cannot find and tell you all the dark secrets the wallet providers might have.

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

The Analysis

We found this app reviewing AirGap Wallet. These two apps work in concert. AirGap Wallet does the communication to the web and AirGap Vault holds the private keys, ideally on a phone that doesn’t have internet. This is certainly an interesting approach.

the private key is generated and securely stored on another device with the AirGap Vault app.

This claims to be a non-custodial app.

On the description there is no mention of Open Source but on the website there is a link to GitHub.

Let’s see how far we get building this app, version 3.0.0. The build instructions explain how to run the app, not how to build the release version and the actual build instructions are at the time of this writing only to be found in the issue we opened with them.

The new build instructions are also not without issues:

  • Each app build requires building a new Docker image
  • The Docker image is huge with its 6.24GB
  • The Docker container is also persisted for subsequent extraction of the APK.
  • We have to edit a versioned file (config.xml)
  • We have to know a BUILD_NR (14555 for the current build) and don’t understand yet where that is supposed to come from.

But as we have not yet established strict rules of how easy or “standard” build instructions have to be, we go with it:

$ sed -i -e "s/version=\"0.0.0\"/version=\"3.0.0\"/g" config.xml
$ docker build -f build/android/Dockerfile -t airgap-vault --build-arg BUILD_NR="14555" --build-arg VERSION="3.0.0" .
$ docker run --name "airgap-vault-build" airgap-vault echo "container ran."
$ docker cp airgap-vault-build:/app/android-release-unsigned.apk airgap-vault-release-unsigned.apk
$ apktool d -o fromBuild airgap-vault-release-unsigned.apk 
$ diff --brief --recursive from*
Files fromBuild/apktool.yml and fromPlay/apktool.yml differ
Files fromBuild/original/META-INF/MANIFEST.MF and fromPlay/original/META-INF/MANIFEST.MF differ
Only in fromPlay/original/META-INF: PAPERS.RSA
Only in fromPlay/original/META-INF: PAPERS.SF

apktool.yml is generated by apktool in the prior command. The other three files are the expected missing signature.

Our verdict: This wallet is verifiable.

Verdict Explained

Verifiable: The provided Open Source Code matches the app released on Google Play

The app can be independently verified. If the provider puts your funds at risk on purpose or by accident, security researchers can see this if they care to look. It also means that inside the company engineers can verify that the release manager is releasing the app based on code known to all engineers on the team. A scammer would have to work under the potential eyes of security researchers. He would have to take more effort in hiding any exploit.

"Verifiable" does not mean "verified". There is good reason to believe that security researchers as of today would not detect very blatant backdoors in the open source code before it gets exploited, much less if the attacker takes moderate efforts to hide it.