@ Leo Wandersleb
2024-03-12 16:45:41
Opinion about Mycelium Bitcoin Wallet (android)
As its former maintainer, my opinion might be biased but ... here we go:
Some background
History
Mycelium is one of the oldest Android wallets and started as "Bitcoin Spinner". Its code repository started in June of 2013 giving "all code credit to Jan Møller", who left this project to found probably the most controversial company in the space: Chainalysis. Legends say that Alexander Kuzmin bought the rights to the project and subsequently renamed it to "Mycelium", involving a barrel of Neft vodka, which is produced in Austria, where the second round of lead developers were located. Austrian Daniel Weigl led the project development when I joined, basically cold-calling them, as I had been using the project since the Bitcoin Spinner days and needed something fixed. So they hired me and when Daniel left, I took over as the maintainer and lead developer.
My role
As the maintainer, I was responsible for coordinating the development and, above all, keeping the product secure while the upper management wanted to see features being added. So my work transitioned from being the lead developer, contributing code, to being only the maintainer, almost exclusively reviewing other developers' work for security issues.
WalletScrutiny
In my job interview at Mycelium, I already suggested improving the transparency of the product by making sure it was reproducible. The team had worked on that already but never got time to actually finish it, and with me on the team it took another year before Mycelium switched to committing to only release fully auditable versions.
I founded WalletScrutiny while at Mycelium because I saw the lack of this transparency as a systemic issue and not only an issue at my own work place.
Security
Mycelium has a very old code base and maintains its own crypto library, which did attract some attention from external experts but certainly not as much as others. I did spend a lot of time reviewing it until three years ago, but I never had formal training as a cryptographer.
Mycelium has many features and tends to only add more:
- Shamir Shared Secret
- Login with Bitcoin
- Colored Coins
- Sign messages
- Import Xpubs or Xprivs
- Spend from a QR-Code
- FIO protocol
- Some shitcoins (Bitcoin Vault, ETH, ETH tokens)
- ...
That means it has a huge code base and uses dependencies of questionable provenance. Especially the FIO and BTCV dependencies are probably poorly audited and could contain backdoors affecting users that don't even use these features. That said, while I was the maintainer I had to add these two features, and those were stressful weeks of me pushing back a quick release. While my push-backs were always well received at the time, I worry about today's maintainer maybe being less insistent when it comes to security. Sadly Mycelium is very quiet about such internals, so I don't even know who this maintainer would be now or what Mycelium was up to recently.
Features
A very much missing feature is lightning. Without lightning, this product will be obsolete with on-chain fees rising.
Privacy
When I joined the company, privacy was a top priority. The product had its custom servers that did not log IP addresses and the client did support TOR.
The TOR button is still in the app but it essentially does nothing.
Management often requested to keep logs of wallet balances to have some metrics of success beyond the downloads that Google reports and it was engineers who pushed back successfully. I cannot know to which degree this is still kept up and especially the ignorance regarding the TOR feature makes me not very confident about them not tracking wallets by now.
Openness
Mycelium, and especially its owner, always was very low profile, with no official social media activity.
The public issue tracker is getting attention on a yearly basis - maybe.
But ... the source code is 100% public and reproducible.
Summary
The Mycelium wallet for Android was my main driver while I worked as its security guy but my lack of insight into their current security practices and their openness to adding questionable ads and features leads me to not trust this product with any significant amount.
It is a good tool to spend with a Trezor on the go though.
WalletScrutiny #nostrOpinion