As part of our Methodology, we ask:
Published code doesn’t help much if the app fails to compile.
We try to compile the published source code into a binary using the published build instructions. If that fails, we might try to work around issues, but if we consistently fail to build the app, we give it this verdict and open an issue in the provider's issue tracker so that we can hopefully verify the app later.
The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.
But we also ask:
Bitcoin wallets are complex products and Bitcoin is a new, advancing technology. Projects that don’t get updated in a year are probably not well maintained.
This verdict may not get applied if the provider is active and expresses good reasons for not updating the product.
The Analysis
This does not represent a full code review.
App Description
As described in this issue, this app replaces (old) RWallet and as such had to start from zero with reviews, ratings and downloads.
RWallet is a multi-currency non-custodial wallet that supports Bitcoin. It supports BTC, Bitcoin on RSK (RBTC), RIF Token (RIF) and Dollar On Chain (DOC).
The App
RWallet has three options:
- Create Basic Wallet
- Import Existing Wallet
- Add Read-only Wallet
Upon clicking “Create Basic Wallet”, you can choose between a Segwit and a Legacy address type. After this, you are shown the 12-word recovery phrase and asked to safeguard it.
You can send and receive like a normal wallet.
After confirming that the recovery phrase has a backup, the app asks you to set a PIN. This PIN must be entered to access the recovery phrase again.
Code and Reproducibility
We were able to find a related website even though RWallet’s Google Play page did not have a website listed. The contact email address had a domain of iovlabs.org. We could not find any mention of RWallet’s open-source nature on that website. However, searching for the appID ‘com.rsk.rwallet.v2’ brought us to what could possibly be RWallet’s GitHub repository. Although this specific repository is not linked from iovlabs.org, we feel that it could be relevant as it mentions a lot of related items.
A while ago Emanuel had already looked into this app, but as it had only a few users, he did not check for reproducibility.
Back then he already ran into the issue that several files are not provided in the source repository, making it hard to compile the project and impossible to compile it in a reproducible way, as the missing files affect the compiled app.
The new build instructions link to a non-existent section about an .env file and do not mention the google-services.json Emanuel had to create back then. They do mention that a signing key is required, which for our purpose should not be the case, as we intend to work with an unsigned app. How can we build an unsigned version of the released app?
We conclude that this app is currently not verifiable.
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.