iOS Wallet Warning!

Discussion in 'Official Announcements' started by Ryan Taylor, Oct 26, 2016.

  1. Ryan Taylor

    Ryan Taylor Well-known Member
    Dash Core Team Foundation Member

    Joined:
    Jul 3, 2014
    Messages:
    498
    Likes Received:
    1,561
    Trophy Points:
    263
    As you may be aware, earlier this month a developer Nash Nobley managed to attain approval for a Dash wallet on iTunes, which is currently available for download. The purpose of this post is to alert the community of the risks posed by the wallet and some recent indications that the developer may be untrustworthy.

    The app appears to be based on the official Dash wallet previously rejected by Apple. However, because the source code of the app is not externally verifiable, the risk exists that the application might contain malicious code intended to defraud users.

    In light of this risk and prioritizing our users’ security, the Core Team attempted to negotiate access to the source code and Apple account to allow external verification of its contents. A written agreement was reached last week. However, after accepting a bounty and compensation for access to the account, the developer has breached the contract by failing to grant core team access. In addition, he continues to update the code.

    Throughout the process, this individual has acted in a self-interested manner, making additional demands after agreements were reached, and has failed to fulfill clearly agreed terms. Due to the ongoing issues and the continued inability to review the code to ensure the safety of users, we strongly caution all users of the extreme risks associated with this app.

    Meanwhile, we will continue attempting to access the account to verify the contents and validate the security of the application, and compel the developer to fulfill their obligations under the aforementioned agreement.

    It is regrettable that such a positive turn of events has soured so quickly, but the security of user funds is of paramount importance. We will post updates as they become available.
     
    • Informative x 18
    • Like x 4
    • Dislike x 1
    • Agree x 1
    • Funny x 1
    • Winner x 1
    • Useful x 1
  2. daf

    daf Active Member

    Joined:
    Oct 18, 2015
    Messages:
    169
    Likes Received:
    123
    Trophy Points:
    103
    Thanks for the alert.
     
    • Like x 1
    • Agree x 1
  3. IOS Dev

    IOS Dev New Member

    Joined:
    Aug 5, 2016
    Messages:
    18
    Likes Received:
    3
    Trophy Points:
    3
    Since the details are unclear, another option would be just to have the developer transfer the application to another email/dev account. Since the developer has other applications it doesn't quite make sense for him to supply access to anyone else.
    The fact that the wallet was advertised as the "official" Dash wallet right at the start was a warning sign, since it had in fact been modified from the GitHub repo. When questioned about this on Slack, the developer ignored the question - also a warning sign. However, he did convince some people that he had good intentions, so indeed it is regrettable that things have soured.
     
    • Informative x 3
    • Like x 2
    • Agree x 1
  4. GrandMasterDash

    GrandMasterDash Well-known Member
    Masternode Owner/Operator

    Joined:
    Jul 12, 2015
    Messages:
    2,388
    Likes Received:
    862
    Trophy Points:
    183
    Did the core team publish an ongoing account of the events as they progressed?
     
  5. TanteStefana

    TanteStefana Moderator
    Linguistic Foundation Member

    Joined:
    Mar 9, 2014
    Messages:
    2,835
    Likes Received:
    1,859
    Trophy Points:
    1,283
    If this is true, we should immediately alert Apple and tell them that the wallet is untrustworthy!

    Always safety first!
     
  6. Nash Nobley

    Nash Nobley New Member

    Joined:
    Oct 23, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    This isn't true. I'm the developer of the app. I've been trying to send them the certificates, but they won't tell me which ones they need. The app is perfectly safe; all the changes are cosmetic, not anything with the code.
     
    • Informative x 3
    • Agree x 1
  7. Nash Nobley

    Nash Nobley New Member

    Joined:
    Oct 23, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    The app is perfectly safe to use, don't listen to them. I've been trying to send them the certificates, but they won't tell me the ones they need.
     
    • Informative x 1
  8. QuantumExplorer

    QuantumExplorer Official Dash Dev
    Core Developer

    Joined:
    Aug 20, 2014
    Messages:
    119
    Likes Received:
    164
    Trophy Points:
    93
    We need your certificate for signing apps, which you can export from the Keychain if you use a Mac (I'll assume you do), as well as a provisioning profile for the app for pushing to iTunes, and the modified source code. Then, once all this is done, you need to authorize a new upload to the store, at which point I will upload your version after making sure there is no malicious code.

    I assumed you knew how to send us your certificate (with the signing keys), but if you need more help with that you can contact me. Having these keys allows me to sign apps as you and therefore push an app to the store on your behalf.

    However, if you really want to push to the store, I can do something even more: after you give me the keys, I will make a special version of the app that can be verified from within the app as authentic. Then I'll give you this compiled version as an IPA and you can upload that to the store.

    Basically there are many ways to do this. You have recently said you didn't want to give access to iTunes to us; this is a way around it.
     
    • Informative x 6
    • Like x 1
  9. UdjinM6

    UdjinM6 Official Dash Dev
    Dash Core Team Moderator

    Joined:
    May 20, 2014
    Messages:
    3,602
    Likes Received:
    3,514
    Trophy Points:
    1,183
    Interesting... I wonder how that can be implemented. Something like incorporating some private key (obviously without pushing the key to GitHub) and signing an arbitrary message in some dialog inside the app, which (the signature) can be verified in, say, Dash-Qt using a complementary public key announced in some way? Or is there some other way to verify AND have all the code openly published?
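
Added example, not part of the original thread and not Dash project code: a sketch of the challenge-response check described in the post above, assuming OpenSSL ECDSA on P-256 as the signature scheme (the thread names none); all file and function names are hypothetical. It shows a fresh challenge verifying and a replayed or foreign-key signature failing; the check proves possession of the embedded key, not which source produced the binary.

```bash
#!/usr/bin/env bash
# Constructed demo; key files, function names and the ECDSA/P-256 choice are
# assumptions made for illustration, not anything specified in the thread.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build time: generate a key pair. The private key is embedded only in the
# reviewed build; the public key is announced out of band.
make_keys() {  # $1 = basename for the key pair
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1_priv.pem" 2>/dev/null
  openssl ec -in "$WORK/$1_priv.pem" -pubout -out "$WORK/$1_pub.pem" 2>/dev/null
}

# Verifier side: a fresh random challenge, so an old signature cannot be replayed.
new_challenge() { openssl rand -hex 16; }

# App side: sign whatever challenge the user enters in the dialog.
app_sign() {  # $1 = key basename, $2 = challenge, $3 = signature output file
  printf '%s' "$2" | openssl dgst -sha256 -sign "$WORK/$1_priv.pem" -out "$3"
}

# Verifier side (e.g. a desktop wallet): check against the announced public key.
verify_response() {  # $1 = key basename, $2 = challenge, $3 = signature file
  printf '%s' "$2" | openssl dgst -sha256 -verify "$WORK/$1_pub.pem" \
    -signature "$3" >/dev/null 2>&1
}

demo() {
  make_keys reviewed          # key placed in the reviewed build
  make_keys other             # key of some unrelated build
  c1=$(new_challenge); c2=$(new_challenge)
  app_sign reviewed "$c1" "$WORK/sig_ok"
  app_sign other    "$c1" "$WORK/sig_other"
  verify_response reviewed "$c1" "$WORK/sig_ok"    && echo "fresh challenge: accepted"
  verify_response reviewed "$c2" "$WORK/sig_ok"    || echo "replayed signature: rejected"
  verify_response reviewed "$c1" "$WORK/sig_other" || echo "foreign key: rejected"
  # Caveat: acceptance shows the responder holds the private key. It says
  # nothing about the rest of the code in the binary that holds it.
}
demo
```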
     
  10. ec1warc1

    ec1warc1 Active Member
    Masternode Owner/Operator

    Joined:
    Jul 26, 2016
    Messages:
    282
    Likes Received:
    135
    Trophy Points:
    103
    What the hell is wrong with Apple? They will not allow the Jaxx Wallet with Dash, but they allow "Nash Nobley" - whoever the heck he is - to include a Dash wallet on iOS? Does someone have Millicent Beauregard's telephone number?
     
    • Like x 5
  11. teamer

    teamer Active Member

    Joined:
    Jul 22, 2014
    Messages:
    175
    Likes Received:
    137
    Trophy Points:
    103
    What do you expect from those who removed the headphone jack? and the escape button!?
     
    • Funny x 2
  12. crowning

    crowning Official Dash Dev
    Core Developer Moderator

    Joined:
    May 29, 2014
    Messages:
    1,430
    Likes Received:
    2,009
    Trophy Points:
    183
    No escape from Apple?
     
    • Funny x 2
  13. rustycase

    rustycase Active Member

    Joined:
    Apr 19, 2016
    Messages:
    503
    Likes Received:
    120
    Trophy Points:
    113
    I would not be one to disparage anyone's efforts.
    I would expect such a person to 'have all their ducks in a row' before making a presentation in public...
    Especially when departing from the topic of 'fun' and entering the 'transfer of value' arena.

    Best
    rc
     
  14. jimbit

    jimbit Well-known Member
    Foundation Member Masternode Owner/Operator

    Joined:
    May 23, 2014
    Messages:
    225
    Likes Received:
    103
    Trophy Points:
    203
    What was the conclusion of this? Did the app get verified or pulled?
     
    • Like x 1
  15. tungfa

    tungfa Administrator
    Dash Core Team Foundation Member Masternode Owner/Operator Moderator

    Joined:
    Apr 9, 2014
    Messages:
    8,441
    Likes Received:
    6,543
    Trophy Points:
    1,283
    Apple pulled it eventually.
     
  16. stellabelle

    stellabelle Active Member

    Joined:
    Mar 5, 2017
    Messages:
    293
    Likes Received:
    186
    Trophy Points:
    103
    I'm really glad I decided not to do testing for this wallet.
    I had a conversation with this developer to gauge what kind of risks were associated with it.
    After talking extensively with him, I decided to follow my gut instincts and not do any testing for it.
    This is very worrisome! Thanks for the warning......I am feeling unsettled right now!
     
  17. stellabelle

    stellabelle Active Member

    Joined:
    Mar 5, 2017
    Messages:
    293
    Likes Received:
    186
    Trophy Points:
    103
    Wait, what's the developer's handle in Slack?
     
  18. IOS Dev

    IOS Dev New Member

    Joined:
    Aug 5, 2016
    Messages:
    18
    Likes Received:
    3
    Trophy Points:
    3
    I think you are getting confused. The developer Nash Nobley has not been in Slack for months. I commented on this thread earlier and was the one you chatted to on Slack.
     
  19. Nash Nobley

    Nash Nobley New Member

    Joined:
    Oct 23, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    We all know Apple wasn't going to approve it at the end, and they contacted me two days before to tell me. I tried to state that to the other members; I don't know if my wording was bad or what, but as far as using the wallet, it's safe. If you downloaded the app when it was up, you can still redownload it from the iCloud library and still use it. There just won't be any updates :) Also, yes, I'm no longer on the Slack developer team. I have other things I need to do in the real world, so at the end I was just trying to help out. But in Apple's eyes they don't think Dash is a real currency because you guys started to attack Bitcoin. So please stop slandering my name on the forums. I was just trying to do my part and that's as far as I was able to go.

    _ cheers
     
    • Friendly x 1
  20. Nash Nobley

    Nash Nobley New Member

    Joined:
    Oct 23, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    As far as the app goes, it's perfectly safe to use if you downloaded it; it's identical to the app you can download for Xcode. All I did was just improve the look of the app, that's all. Also, yes, I'm no longer on Slack; I have real world problems to deal with right now.

    _ Cheers
     
  21. Nash Nobley

    Nash Nobley New Member

    Joined:
    Oct 23, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Deal with it. I've been developing apps and have a good standing with Apple, so it lasted longer on the App Store.
     
  22. Acedian

    Acedian Member

    Joined:
    Mar 17, 2017
    Messages:
    252
    Likes Received:
    70
    Trophy Points:
    88
    Dash Address:
    XgVEQZtGSdFgDknrvthnBBNmWm4vQZTwAH
    Don't listen to the core developers?! Even if they were spouting nonsense we are unlikely to just stop listening, something would have to be done.
    I will not be using anything you have been involved with @Nash Nobley
     
  23. camosoul

    camosoul Well-known Member

    Joined:
    Sep 19, 2014
    Messages:
    1,919
    Likes Received:
    1,082
    Trophy Points:
    183
    That seems to happen with projects and parties with whom you get involved...

    As verdant as this report seems to be, my past experience with you requires that I suggest to the community that we're almost certainly not getting the whole story, but only the part of it that suits your optics and might give you leverage.

    Maybe it's entirely legit, but your name carries a stigma that only a fool would ignore.

    I have no first-hand knowledge of this situation, but the pattern is getting hard to ignore. Anything Ryan can't control and take credit for ends up getting slandered into nothingness, and once helpful parties simply find better things to do than put up with his dirty games.

    The shoe fits. Again. Still...
     
    #23 camosoul, Apr 4, 2017
    Last edited: Apr 4, 2017
    • Trolling x 2
    • Agree x 1
  24. IOS Dev

    IOS Dev New Member

    Joined:
    Aug 5, 2016
    Messages:
    18
    Likes Received:
    3
    Trophy Points:
    3
    Well, I would say some of the reasoning at the start of this thread is not exactly rock solid:

    "The app appears to be based on the official Dash wallet previously rejected by Apple. However, because the source code of the app is not externally verifiable, the risk exists that the application might contain malicious code intended to defraud users."

    The source code of any app on the App Store is not externally verifiable. So any app has this risk. Perhaps Ryan meant that the source code of the app is not externally verifiable by him. As a developer of iPhone apps, a statement like this by the core team would probably kill off interest in people using my app. This in turn kills off any diversity in the ecosystem, where everything needs to be done by core team only or perhaps only by projects 'approved' by the core team. Stellabelle was afraid to even do testing of a wallet not sanctioned by core, even though there would be no need to risk more than a couple of cents. I don't see all of this as promising for the future of Dash.
     
  25. David

    David Well-known Member
    Dash Support Group

    Joined:
    Jun 21, 2014
    Messages:
    619
    Likes Received:
    628
    Trophy Points:
    163
    I don't think it's unreasonable for Core Team to ask to see a Dash wallet's source code when it's a wallet that's been created by an unknown community member. Of course, said community member can tell them to pound sand, and said Core Team can make a public service announcement encouraging everybody to be cautious. Of course, users can tell Core Team to pound sand and use the wallet anyway.

    On the other hand, a "Core Team has reviewed the source and we believe this to be a legitimate and problem-free app and we believe the community may freely use it" would go a long way to speeding adoption. However, it's entirely your decision as an app developer.
     
  26. IOS Dev

    IOS Dev New Member

    Joined:
    Aug 5, 2016
    Messages:
    18
    Likes Received:
    3
    Trophy Points:
    3
    You have completely missed the point. I could easily share my source code with the Core Team but then actually build an application with other code. There is no way to tell which source code was used for an application on the App Store.
     
  27. camosoul

    camosoul Well-known Member

    Joined:
    Sep 19, 2014
    Messages:
    1,919
    Likes Received:
    1,082
    Trophy Points:
    183
    Bingo.

    The snowflakes and yes men can mark my posts as "trolling" until their mouse-clicking fingers fall off. This consistent pattern of deception and manipulation only gets more obvious the more it is used. Eventually, it'll get obvious enough that even those who knowingly support the corruption can't stomach it anymore.

    Nobody likes the truth when they are complicit in the lie...

    We don't really know, and probably never will know, if @IOS Dev is up to no good. He's being asked to prove a negative. Nefarious or not, no one can prove a negative.

    But, yet again, we can see that @babygiraffe most definitely is. He's the one demanding that a negative be proven, with full knowledge that this cannot be done, and with full knowledge that the process he demands would still prove nothing, yet it would have the "side effect" of granting him total power... So he comes here to slander.

    The advertised purpose would still never be fulfilled, but he would end up with control. Not getting his way, slander. He does the same thing every time he doesn't get his way. With no concern for the delays and loss to the project as a whole.

    Reminds me of a dirty woman using a child in a tug-of-war legal battle. Man that actually cares about child backs off because he doesn't want to see his kid put through it, but she doesn't give a damn. It's all about her. She wins because she's always ready and willing to sacrifice the child's happiness for a buck. Makes me wonder how Ryan grew up and where he learned to play this game.

    Rinse. Lather. Repeat.

    Same thing he always does.

    We've watched this same dirty game play out over and over and over again, and who's always in the middle? When will MNOs wake up?

    We could already be using DASH in retail. It could be old news by now. But the petty need to play this game is more important than progress.
     
    #27 camosoul, Apr 5, 2017
    Last edited: Apr 5, 2017
  28. mranderson010

    mranderson010 New Member

    Joined:
    Nov 14, 2016
    Messages:
    39
    Likes Received:
    5
    Trophy Points:
    8
    Yep, that was our fatal error that led to our demise........Yes, and we have moved on to find better things but I care enough to share with those who think they will be rewarded/supported for bringing immense value to the community. You will be stepped on by the giraffe if you have not received proper support and kissed the ring.

    Yep, I feel the pain. Dash Corp private blockchain is obvious. How many unique human MNOs are there really? Granted the corporation's little song and dance is fully supported by the few non-company MNOs for now, but first real sign of trouble they will already be gone.

    Without relevance or use by both consumers and businesses (small and big), there is zero chance of Dash seen as money. It is one missed or blundered opportunity after another for real adoption, which is where Dash could immediately shine over Bitcoin and is quickly extinguished for shortsighted reasons. I am not saying there is overt malice, but this only company approved approach has destroyed almost all chance of organically growing decentralization and Dash adoption. Centralized governance is hands down the best approach initially, but just like all others before them they hit that glass ceiling of scalability and instead of letting go of the weight absolute power causes........they hold on to it all the way to the bottom of the ocean.

    I am using Dash in retail both in POS and Retail, there are great options for both that have been available for months........but unless another merchant like me who is crazy enough to spend the time to read this forum and spend time to type out a response, no one in retail has a single reason to care about Dash or any crypto at this point. They don't care about that another exchange is integrating Dash to make it easier to dump or pump or another marketing angle on how Dash is less hollow than any other payment processor. In the end the Dash Corp has proven they would rather burn the money they don't need than let any other contributor steal their thunder. Just my 2 duffs.
     
    #28 mranderson010, Apr 7, 2017
    Last edited: Apr 7, 2017
  29. camosoul

    camosoul Well-known Member

    Joined:
    Sep 19, 2014
    Messages:
    1,919
    Likes Received:
    1,082
    Trophy Points:
    183
    Let's not be snowflakes about this tho... I voted down your proposal. Not because I hate you, or think it was necessarily a bad idea. I just don't think that the DASH budget should be a grant system for external projects. My neighbors shouldn't pay my electric bill, either.

    DASH could already have IX-enabled retail use. I had it all lined up, but The Usual Suspects went to the extreme of threatening frivolous lawsuits just because they don't want anyone stealing their thunder.

    I've been asked for proof. I have it. But, I am like that father in a custody battle that actually cares about his child. If I actually exposed these parties, there would be a massive loss of confidence in the project. I'm not willing to bring down the roof. I'm fine with letting the weak-minded label me as a troll as long as the project doesn't get sacrificed. For The Usual Suspects, this is about ego. They've never succeeded at anything before, and it's their first time in the spotlight. That has become more important to them than the project and mindset that got them there. Since Evan let Ryan bend his ear, this project has been all but derailed. They've lost their way. My interest lies in seeing DASH succeed, not in ego trips and spotlights. So, I make the statement, but I'll never deliver the proof.

    If DASH can win with degenerates at the helm, as long as it wins, I don't really care. It's the idea and the project that matter to me, not the shitbags running the show.
     
  30. kingscrown

    kingscrown New Member

    Joined:
    Apr 13, 2017
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    Dash Address:
    Xt9mKNtwWfRJfkzpj3Y9LxntPv69rnZ6ZL
    iOS add is needed for sure. Shame they banned it before.
     
    • Agree x 1