Bitcoin Apps Security

Matthew Light

Active Member
Dec 25, 2015
Here is a question that started to bother me last night.

Personally, I hodl my coins in a paper wallet, except a fraction of a BTC also in Bither (iOS).

But for the masses, paper wallets properly prepared are probably not in the cards, at least for now.

So, how do I recommend that someone like that "prepare" for the possibility that our current financial system might fail and we might switch over to a global Bitcoin world?

Specifically, I would not mind advising friends and family that it would be prudent to hold a bitcoin or two as insurance. But if they buy it and send it to Bither or another iOS / Android / whatever application, how can I be certain that the author of the application won't release a new version of their app that surreptitiously uploads private keys to steal their bitcoins? Even if I were to trust the authors of these apps, someone else might hold them and/or their families at gunpoint and force them to release an update (automatically pushed down from the app store) that does this. Or simply seize their computers, send them to a dark site, and then code and release a steal-private-keys update to the app store.

What safeguards are in place to prevent this from happening?
 

allegro101

New Member
Dec 15, 2015
bitcoinnewsmagazine.com
They have to buy the bitcoin, right? Most start out with Coinbase or Circle. Security at either is fine for a few bitcoin. Just recommend they leave the bitcoin there until they have some experience buying and selling. Get used to using the Coinbase or Circle app.

I would definitely not recommend a paper wallet to someone who does not yet understand what a change address is. After they have some experience and are comfortable with Coinbase or Circle, suggest they try Mycelium on their phone, and then maybe get a Trezor to use with Mycelium to totally secure their bitcoin from theft.
 

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
It's not perfect, but I recommend people use BreadWallet and just make sure they save their recovery seed (i.e., write it down on paper and don't show anyone--people's natural reaction is to take a screenshot).

I then ask them to talk to me again if they end up with several thousand dollars' worth or start to feel paranoid.

I think anything more complex decreases security for the average new user.
 

Matthew Light

Active Member
Dec 25, 2015
@allegro101,

I understand your desire to not have newbies shoot themselves in the foot. Commendable. However, given the plethora of bitcoin exchange demolitions, including the very largest (at the time) Mt. Gox, I cannot recommend that people buy one or two bitcoins "just in case" it takes over the financial system (as I believe it likely will, as the current system QEs / debt defaults itself to death) and then trust even Coinbase (who I use) to deliver the bitcoins when the going gets tough and every single bitcoin represents the life savings of a wealthy 0.1% individual. Just today I sent a small fractional bitcoin amount to a Cryptsy victim, because I want him to keep saving and (hopefully!) be in a good position when the financial system sinks to the bottom of the North Atlantic. Bitcoin for the medium to long haul and keeping coins on an exchange do not mix, IMO of course.

Regarding "change address" - Bither, the iOS wallet I used today to send BTC for the first time from my private key, put the change back in the originating bitcoin address. Are there wallet apps for iOS / Android that don't do this? The original wallet software sending the change to a new address is very unintuitive although perhaps safer from super-crypto-cracker and less traceable.

@Peter R,

I don't have anything at all against BreadWallet or any other wallet software program, and I do not doubt the honesty of their authors. Just wondering what the Bitcoin world can do to prevent the scenario I postulated. Obviously, if someone can get control of billions of dollars purchasing power through hijacking the app, it is possible that someone might try and succeed at it. I for one only keep a token amount in my iOS wallet app.

Honestly, private key security seems, to me, to be one of the biggest challenges for having Bitcoin replace the broken, corrupt financial system we are suffering through today in its final, hospice stage of life.