Does the Open-Source Model Enable Bitcoin-Stealing Wallet Apps?
According to an Apple Insider report published on August 9, a disturbing trend has emerged on Apple’s App Store: a series of malicious copycats of well-known Bitcoin wallet apps became available for download. Some of the fake wallets looked quite similar to the real thing but were tweaked specifically to steal bitcoins from unsuspecting users. Reportedly, some $20,000 ended up in the pockets of scam artists before Apple filtered the apps out and removed them from its store.
The relative “success” of the fake apps, and the ease with which they were produced and distributed, has led some to question Bitcoin’s almost self-evident Free and Open Source Software (FOSS) ethos. Most Bitcoin wallets have been open source, which allows anyone to verify the legitimacy of the product. But as these incidents show, it also allows scam artists to copy that same software effortlessly and make minor adjustments to steal funds.
At least one popular wallet, the Jaxx wallet for Bitcoin, Ethereum and, most recently, Dash, has taken an approach to this “open” model that is unusual in the space. All of the code is still publicly visible on Jaxx’s website, but only in a kind of view-only mode: anyone can review and verify it, yet it cannot be copied and re-used, or at least not very easily.
Speaking to Bitcoin Magazine, Jaxx CEO Anthony Di Iorio explained:
“Part of the reason we do this is that we, as a company, necessarily have our operating costs and it’s not easy to make money when you give away your code for free. But the other part is that this strategy makes it harder for malicious actors to impersonate our wallet. As a company, we want to offer quality control and that’s impossible if anyone can simply take and tweak your product. We’re trying to find a balance between transparency and keeping our software proprietary, and that includes the insertion of certain friction points to discourage people from stealing our code.”
One of the wallets that saw a fraudulent copycat appear in the App Store is GreenAddress. GreenAddress has always been entirely open source, which indeed means its code can be trivially copied and tweaked. Yet its developer, Lawrence Nahum, continues to stand behind the FOSS model.
Speaking to Bitcoin Magazine, Nahum explained:
“A wallet with all its code out in the open makes it easier to impersonate; sure. But even if a wallet is not open source, I don't think you can really stop these kinds of imposters in the end. There would still be ways to mimic wallets, especially if the code is open for review. And not distributing source code also means it will have less scrutiny and therefore less security. Most developers I know don't review code on a web page.”
Di Iorio, however, does not agree that limiting the availability of Jaxx’s code represents a trade-off in scrutiny or security.
“Even if a wallet is completely open source, there’s no way to tell that the app you download from the app store is the same code,” he said. “And really, there are very few people who actually care. Almost no one verifies the code, even if it is open source. 95 percent of users just want their wallet to work. Whether or not it’s open source doesn’t change that.”
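Where checking that a download “is the same code” is possible at all, it rests on a published record of what the genuine build should hash to. The script below is an added example written for this page; it is not code from the article, Jaxx or GreenAddress. It assumes the project ships a SHA256SUMS-style manifest (the `<sha256hex>  <filename>` layout that `sha256sum` emits), that the user has already verified the signature on that manifest by other means, and it uses constructed release file names and contents. It parses the manifest, compares a download directory against it, and reports files that match, were tampered with, are missing, or were never listed by the project. An app-store install gives the user no such file to compare, which is the situation Di Iorio describes above.

```python
"""Verify downloaded release files against a SHA256SUMS-style manifest.

Added example for this article, not code from any wallet project.
Assumes the manifest was obtained from the project and its signature
checked separately; signature verification is out of scope here.
"""
import hashlib
import os
import tempfile

# Constructed manifest line in sha256sum layout. The digest is SHA-256 of
# the three bytes b"abc", used here only to exercise the parser.
SAMPLE_MANIFEST = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "  wallet-1.0.0-linux.tar.gz\n"
)


def parse_manifest(text):
    """Map file name -> expected lowercase hex digest.

    Accepts the `*name` binary-mode marker and skips blank/comment lines;
    anything that is not a 64-hex-char digest plus a name is rejected.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def sha256_file(path):
    """Stream a file through SHA-256 so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Project side: hash every release file into manifest text."""
    lines = [f"{sha256_file(os.path.join(directory, n))}  {n}"
             for n in sorted(os.listdir(directory))]
    return "\n".join(lines) + "\n"


def verify_release(manifest_text, directory):
    """User side: classify each downloaded file against the manifest."""
    expected = parse_manifest(manifest_text)
    present = set(os.listdir(directory))
    result = {"ok": [], "mismatch": [], "missing": [],
              "unlisted": sorted(present - set(expected))}
    for name in sorted(expected):
        if name not in present:
            result["missing"].append(name)
        elif sha256_file(os.path.join(directory, name)) == expected[name]:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def demo():
    """Build a constructed release, publish its manifest, then verify a copycat."""
    with tempfile.TemporaryDirectory() as release, \
            tempfile.TemporaryDirectory() as download:
        files = {"wallet-1.0.0-linux.tar.gz": b"genuine linux build",
                 "wallet-1.0.0-osx.dmg": b"genuine osx build",
                 "wallet-1.0.0-win64.zip": b"genuine windows build"}
        for name, data in files.items():
            with open(os.path.join(release, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(release)  # what the project publishes

        # What the user actually received: one genuine file, one tweaked to
        # redirect funds, one omitted, and an extra file the project never shipped.
        got = dict(files)
        got["wallet-1.0.0-win64.zip"] += b"\x00patched payout address"
        del got["wallet-1.0.0-osx.dmg"]
        got["README-install.txt"] = b"run the unsigned installer"
        for name, data in got.items():
            with open(os.path.join(download, name), "wb") as f:
                f.write(data)
        return verify_release(manifest, download)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {names}")
```

Only an exact digest match counts as “ok”; a file the manifest does not mention is flagged rather than ignored, since an extra installer or README is exactly where a copycat would place its own instructions.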
Apple removed the fake wallets from the App Store after members of the Bitcoin community, including Nahum himself, filed complaints with the company. This, along with Apple’s own review process, appears at least to limit the long-term harm.
Nahum acknowledged this solution is not water-tight either.
“Walled gardens like Apple’s don't scale much, as someone needs to check and verify every single app that’s introduced,” Nahum said. “And malicious apps can improve too. The fake wallets we have seen were easy to detect by a trained bitcoiner. But in the future there may be wallets that make no copyright infringement and are only selectively malicious.”
As such, says Nahum, a clear-cut solution is perhaps not available and users will simply need to be aware of potential copycats and act accordingly.
“We will notify Apple for any bad app we see. But I personally advise people who download apps to get them from a verified source. Check whether the developer is known, look up reviews, see if it’s submitted to bitcoin.org, always double check URLs and names and make sure you’re downloading the real thing.”