Comments (6)
I support this enhancement request. I installed the app and uninstalled it immediately because it takes up too much internal memory.
from bitcoin-android.
The wallet.dat is tiny (relatively); so won't be using up a lot of memory.
However: bear this in mind... the SD card has no access permissions. Any app can access any of it. There are already information stealing trojan apps appearing for Android. When they figure out that there could be a wallet.dat on the freely-accessible SD card, there will be thefts.
Remember: theft of a wallet is undetectable. Until the day you put 1000 BTC in a wallet that someone copied five years ago. That's the day they empty it.
from bitcoin-android.
That's a very good point.
So it seems to come down to either relying on the Android security protecting the internal memory, or encrypting the wallet.dat in a form of the owner's choosing so it can be safely stored in the open.
If the app provides a default encryption technique then it needs to satisfy the following at a minimum:
- easy for a non-technical user to unlock when they want to buy their latte
- able to operate securely in a compromised environment (e.g. keylogging trojan is eavesdropping)
- offer strong offline protection against a sustained brute force attack (e.g. wallet.dat is copied to thief's machine and subjected to rainbow tables etc)
That's a tough list to meet. Some immediate (probably half-baked) thoughts are:
- simple PIN/gesture to unlock wallet in memory - combine with random salt (perhaps taken at startup or present in secure cloud storage)
- no idea how to overcome this (the eavesdropper has full access to everything and infinite knowledge) - just rely on installing apps from reputable sources and marketplaces
- pretty much any of the Bouncy Castle algorithms will do the trick, AES is a good start.
from bitcoin-android.
I think mitigating against a keylogger on Android is not worth bothering with. If you are that compromised, then you're doomed whatever.
However, there are plenty of trojans that trick people into installing them. They don't necessarily have free rein of the system, they aren't root and Android's permission system will keep them sandboxed to an extent. But... nobody worries too much when they see "accesses SD card" in the permissions list; most programs want to store data. That would be enough to read off a wallet.dat stored on the SD card.
At the very least (if storage space is an issue), encrypt the wallet on the SD card and keep the key on internal storage.
A PIN to make spending possible would be an excellent addition, but would be a bonus rather than a necessity.
The necessity is: don't store an unencrypted wallet on the SD card.
from bitcoin-android.
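The layout suggested in the comment above (ciphertext on the SD card, key on internal storage), sketched as an added example that is not code from bitcoin-android or BitCoinJ. It uses the JDK's `javax.crypto` AES-GCM rather than Bouncy Castle; the class name, the file names `wallet.key` and `wallet.dat.enc`, and the two temporary directories standing in for app-private and shared storage are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;

public class SdWalletStore {
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Load the AES key from app-private storage, creating it on first use.
    static SecretKey loadOrCreateKey(Path internalDir) throws Exception {
        Path keyFile = internalDir.resolve("wallet.key"); // hypothetical file name
        if (Files.exists(keyFile)) {
            return new SecretKeySpec(Files.readAllBytes(keyFile), "AES");
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256); // random key: nothing for an offline guesser to enumerate
        SecretKey key = kg.generateKey();
        Files.write(keyFile, key.getEncoded());
        return key;
    }

    // Write IV || ciphertext+tag to the location any app can read.
    static void save(byte[] wallet, SecretKey key, Path sdFile) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every write
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(wallet);
        Files.write(sdFile, ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array());
    }

    // Decrypt; throws AEADBadTagException if the file was altered or the key is wrong.
    static byte[] load(SecretKey key, Path sdFile) throws Exception {
        byte[] blob = Files.readAllBytes(sdFile);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        Path internal = Files.createTempDirectory("internal"); // stand-in for app-private dir
        Path sd = Files.createTempDirectory("sdcard");         // stand-in for shared storage
        byte[] wallet = "constructed sample wallet bytes".getBytes("UTF-8");
        save(wallet, loadOrCreateKey(internal), sd.resolve("wallet.dat.enc"));
        byte[] back = load(loadOrCreateKey(internal), sd.resolve("wallet.dat.enc"));
        System.out.println(Arrays.equals(wallet, back));
    }
}
```

A copy of `wallet.dat.enc` taken from the SD card is useless without `wallet.key`, so the protection rests entirely on the sandbox around internal storage, which is the trade-off the thread describes.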
This issue is probably going to get resolved as part of ongoing developments in the underlying BitCoinJ library with common encrypted wallet formats and key management. Is that the general consensus of the developers?
from bitcoin-android.
Good discussion thanks! Yep for now we don't want to move the wallet to the SD card since other apps can read it there.
I think it's unlikely the wallet file would grow beyond 100k, even with tons of transactions.
The reason it uses so much internal memory is that we packaged the production blockchain with the app, so it ends up being 22MB. It may help to move the actual app to the SD card? You can do this from Settings -> Applications -> Bitcoin -> Move to SD card.
On my phone it installed there by default I think (we set this preference in the Android Manifest). But could be different on different hardware?
from bitcoin-android.