bitcoin wallet validation/vetting

Is there any validation service that tests/validates/vets wallet implementations?

I use bitcoin-qt on the desktop and I'm not worried about that wallet, I assume it's been well vetted, but if I were to get a wallet for my (Android) phone, is there a way I can be assured the implementation is correct, secure, and not malevolent?

Added elaboration: It seems feasible for a trusted 3rd party to be in the business of validating wallet implementations. Wallet implementers would submit their implementation to the service, the service would run the wallet through a test suite, examine the code, etc. and if the implementation passed the service would publish a hash of the wallet. When you get a copy of the wallet implementation you could check its hash and against the published hash so you'd know it hasn't been tampered with.

Likewise an online wallet service (Mt. Gox) could submit its implementation for 3rd party validation to increase its trust factor.

obelia

Posted 2014-02-18T18:16:17.580

Reputation: 316

Answers

It is pretty much impossible to verify 100% if an implementation is correct.

See for example https://backdoorhiding.appspot.com/ or "The Underhanded C Contest" at http://underhanded.xcott.com/ - in both of these, people compete to write code that looks secure, but isn't.

Similarly, there are theories that the NSA has put back doors in various random number generators, even open-source ones. It is, however, very difficult to test this theory.

AMADANON Inc.

Posted 2014-02-18T18:16:17.580

Reputation: 412

Thanks. I understand the difficulty with 100% verification, but it seems an expert group's best effort at verification would be worth something. A combination of code (source code, byte code, and/or machine code) analysis, plus an execution test suite, would go a long way towards fighting mischief. – obelia – 2014-02-18T20:59:51.827

Third party audits cost a lot of money, especially if done right. I am sure that, if you wanted to pay, bitcoind would LOVE an audit. – AMADANON Inc. – 2014-02-18T21:43:34.883

Short answer: no. Imagine this scenario: a developer writes a closed-source Android wallet that becomes extremely popular. At some point the combined worth of the user wallets is $100M. The developer could have purposely left an open vulnerability, and claimed that a hacker exploited it. There would be no way to know if he was telling the truth.

Rule of thumb: keep the bulk of your BTC in cold storage. Online wallets should be treated like the wallet in your pocket. How much cash are you comfortable carrying around, knowing that you could lose your wallet and it's gone? That's how much you should have in an online wallet.

Diego Basch

Posted 2014-02-18T18:16:17.580

Reputation: 326

Thanks. I don't use online wallets, like to keep things local. I elaborated on my original question. – obelia – 2014-02-18T18:41:29.093

I think, in this case, "online" means "on a computer with an internet connection", not "a website". – AMADANON Inc. – 2014-02-18T20:21:18.850

Yes, that's what I meant by online. Presumably your phone is online most of the time, and as such it's vulnerable to a wide array of exploits. – Diego Basch – 2014-02-18T21:15:20.687

obelia: google "air gap" for a great way to keep your bitcoin safer. It is a hassle though. – AMADANON Inc. – 2014-02-18T21:41:04.250

@AMADANONInc. re: air gap - I wonder if there's an easy to do that, like keep wallet.dat on a flash drive and only plug it in to transact. – obelia – 2014-02-18T21:49:58.227

My wallet is encrypted/pass-phrase-protected. I was under the impression that that is fairly secure as long as my pass phrase is kept secret. – obelia – 2014-02-18T21:51:26.403

The main threat are keyloggers in viruses / trojans. Cryptocurrency has made hard drive contents potentially valuable to malware authors. Before this, the best they could do was turn your computer into a bot to click on ads or crack passwords. Now they can directly steal significant money. If you have a significant amount of money in bitcoins, cold storage is the way to go. Why risk it? – Diego Basch – 2014-02-18T22:32:18.423