iOS Wallet Warning!

Status
Not open for further replies.

Ryan Taylor

Well-known Member
Foundation Member
As you may be aware, earlier this month a developer Nash Nobley managed to attain approval for a Dash wallet on iTunes, which is currently available for download. The purpose of this post is to alert the community of the risks posed by the wallet and some recent indications that the developer may be untrustworthy.

The app appears to be based on the official Dash wallet previously rejected by Apple. However, because the source code of the app is not externally verifiable, the risk exists that the application might contain malicious code intended to defraud users.

In light of this risk and prioritizing our users’ security, the Core Team attempted to negotiate access to the source code and Apple account to allow external verification of its contents. A written agreement was reached last week. However, after accepting a bounty and compensation for access to the account, the developer has breached the contract by failing to grant core team access. In addition, he continues to update the code.

Throughout the process, this individual has acted in a self-interested manner, making additional demands after agreements were reached, and has failed to fulfill clearly agreed terms. Due to the ongoing issues and the continued inability to review the code to ensure the safety of users, we strongly caution all users of the extreme risks associated with this app.

Meanwhile, we will continue attempting to access the account to verify the contents and validate the security of the application, and compel the developer to fulfill their obligations under the aforementioned agreement.

It is regrettable that such a positive turn of events has soured so quickly, but the security of user funds is of paramount importance. We will post updates as they become available.
 

IOS Dev

New Member
Since the details are unclear, another option would be just to have the developer transfer the application to another email/dev account. Since the developer has other applications it doesn't quite make sense for him to supply access to anyone else.
The fact that the wallet was advertised as the "official" Dash wallet right at the start was a warning sign, since it had in fact been modified from the GitHub repo. When questioned about this on Slack, the developer ignored the question - also a warning sign. However, he did convince some people that he had good intentions, so indeed it is regrettable that things have soured.
 

GrandMasterDash

Grizzled Member
Masternode Owner/Operator
Did the core team publish an ongoing account of the events as they progressed?
 

TanteStefana

Grizzled Member
Foundation Member
If this is true, we should immediately alert Apple and tell them that the wallet is untrustworthy!

Always safety first!
 

Nash Nobley

New Member
This isn't true. I'm the developer of the app, and I've been trying to send them the certificates, but they won't tell me which ones they need. The app is perfectly safe; all the changes are cosmetic, not anything with the code.
 

Nash Nobley

New Member
The app is perfectly safe to use. Don't listen to them; I've been trying to send them the certificates, but they won't tell me the ones they need.
 

QuantumExplorer

Active Member
Dash Core Group
We need your certificate for signing apps, which you can export from the keychain if you use a Mac (I'll assume you do), as well as a provisioning profile for the app for pushing to iTunes, and the modified source code. Then, once all this is done, you need to authorize a new upload to the store, at which point I will upload your version after making sure there is no malicious code.

I assumed you knew how to send us your certificate (with the signing keys), but if you need more help with that you can contact me. Having these keys allows me to sign apps as you and therefore push an app to the store on your behalf.

However if you really want to push to the store, I can do something even more, after you give me the keys, I will make a special version of the app that can be verified from within the app as authentic. Then I'll give you this compiled version as an IPA and you can upload that to the store.

Basically, there are many ways to do this. You have recently said you didn't want to give us access to iTunes; this is a way around it.
 

UdjinM6

Official Dash Dev
Dash Core Group
> ...
> However if you really want to push to the store, I can do something even more, after you give me the keys, I will make a special version of the app that can be verified from within the app as authentic. Then I'll give you this compiled version as an IPA and you can upload that to the store.
> ...
Interesting... I wonder how that can be implemented. Something like incorporating some private key (obviously without pushing the key to GitHub) and signing an arbitrary message in some dialog inside the app which (signature) can be verified in, say, Dash-Qt using a complementary public key announced in some way? Or is there some other way to verify AND have all the code openly published?
 

ec1warc1

Active Member
What the hell is wrong with Apple? They will not allow the Jaxx Wallet with Dash, but they allow "Nash Nobley" - whoever the heck he is - to include a Dash wallet on iOS? Does someone have Millicent Beauregard's telephone number?
 

teamer

Active Member
> What the hell is wrong with Apple? They will not allow the Jaxx Wallet with Dash, but they allow "Nash Nobley" - whoever the heck he is - to include a Dash wallet on iOS? Does someone have Millicent Beauregard's telephone number?
What do you expect from those who removed the headphone jack? and the escape button!?
 

rustycase

Active Member
> This isn't true. I'm the developer of the app, and I've been trying to send them the certificates, but they won't tell me which ones they need. The app is perfectly safe; all the changes are cosmetic, not anything with the code.
I would not be one to disparage anyone's efforts.
I would expect such a person to 'have all their ducks in a row' before making a presentation in public...
Especially when departing from the topic of 'fun' and entering the 'transfer of value' arena.

Best
rc
 

jimbit

Well-known Member
Foundation Member
What was the conclusion of this? Did the app get verified or pulled?
 

stellabelle

Active Member
I'm really glad I decided not to do testing for this wallet.
I had a conversation with this developer to gauge what kind of risks were associated with it.
After talking extensively with him, I decided to follow my gut instincts and not do any testing for it.
This is very worrisome! Thanks for the warning......I am feeling unsettled right now!
 

IOS Dev

New Member
> I'm really glad I decided not to do testing for this wallet.
> I had a conversation with this developer to gauge what kind of risks were associated with it.
> After talking extensively with him, I decided to follow my gut instincts and not do any testing for it.
> This is very worrisome! Thanks for the warning......I am feeling unsettled right now!
I think you are getting confused. The developer Nash Nobley has not been in Slack for months. I commented on this thread earlier and was the one you chatted to on Slack.
 

Nash Nobley

New Member
We all know Apple wasn't going to approve it at the end and they contacted me two days before to tell me. I tried to state that to the other members, I don't know if my wording was bad or what, but as far as using the wallet, it's safe. If you downloaded the app when it was up you can still redownload it from the iCloud library and still use it. There just won't be any updates :) Also, yes, I'm no longer on the Slack developer team. I have other things I need to do in the real world, so at the end I was just trying to help out. But in Apple's eyes they don't think Dash is a real currency because you guys started to attack Bitcoin. So please stop slandering my name on the forums. I was just trying to do my part and that's as far as I was able to go.

_ cheers
 

Nash Nobley

New Member
> I'm really glad I decided not to do testing for this wallet.
> I had a conversation with this developer to gauge what kind of risks were associated with it.
> After talking extensively with him, I decided to follow my gut instincts and not do any testing for it.
> This is very worrisome! Thanks for the warning......I am feeling unsettled right now!
As far as the app goes, it's perfectly safe to use if you downloaded it. It's identical to the app you can download for Xcode; all I did was just improve the look of the app, that's all. Also, yes, I'm no longer on Slack; I have real world problems to deal with right now.

_ Cheers
 

Nash Nobley

New Member
> What the hell is wrong with Apple? They will not allow the Jaxx Wallet with Dash, but they allow "Nash Nobley" - whoever the heck he is - to include a Dash wallet on iOS? Does someone have Millicent Beauregard's telephone number?
Deal with it. I've been developing apps and have a good standing with Apple, so it lasted longer on the App Store.
 

Acedian

Member
> don't listen to them
Don't listen to the core developers?! Even if they were spouting nonsense we are unlikely to just stop listening, something would have to be done.
I will not be using anything you have been involved with @Nash Nobley
 

camosoul

Grizzled Member
> It is regrettable that such a positive turn of events has soured so quickly...
That seems to happen with projects and parties with whom you get involved...

As verdant as this report seems to be, my past experience with you requires that I suggest to the community that we're almost certainly not getting the whole story, but only the part of it that suits your optics and might give you leverage.

Maybe it's entirely legit, but your name carries a stigma that only a fool would ignore.

I have no first-hand knowledge of this situation, but the pattern is getting hard to ignore. Anything Ryan can't control and take credit for ends up getting slandered into nothingness, and once helpful parties simply find better things to do than put up with his dirty games.

The shoe fits. Again. Still...
 

IOS Dev

New Member
> Don't listen to the core developers?! Even if they were spouting nonsense we are unlikely to just stop listening, something would have to be done.
> I will not be using anything you have been involved with @Nash Nobley
Well I would say some of the reasoning in the start of this thread is not exactly rock solid

"The app appears to be based on the official Dash wallet previously rejected by Apple. However, because the source code of the app is not externally verifiable, the risk exists that the application might contain malicious code intended to defraud users."

The source code of any app on the App Store is not externally verifiable. So any app has this risk. Perhaps Ryan meant that the source code of the app is not externally verifiable by him. As a developer of iPhone apps, a statement like this by the core team would probably kill off interest in people using my app. This in turn kills off any diversity in the ecosystem where everything needs to be done by core team only or perhaps only by projects 'approved' by the core team. Stellabelle was afraid to even do testing of a wallet not sanctioned by core, even though there would be no need to risk more than a couple of cents. I don't see all of this as promising for the future of Dash.
 

David

Well-known Member
> Well I would say some of the reasoning in the start of this thread is not exactly rock solid
>
> "The app appears to be based on the official Dash wallet previously rejected by Apple. However, because the source code of the app is not externally verifiable, the risk exists that the application might contain malicious code intended to defraud users."
>
> The source code of any app on the App Store is not externally verifiable. So any app has this risk. Perhaps Ryan meant that the source code of the app is not externally verifiable by him. As a developer of iPhone apps, a statement like this by the core team would probably kill off interest in people using my app. This in turn kills off any diversity in the ecosystem where everything needs to be done by core team only or perhaps only by projects 'approved' by the core team. Stellabelle was afraid to even do testing of a wallet not sanctioned by core, even though there would be no need to risk more than a couple of cents. I don't see all of this as promising for the future of Dash.
I don't think it's unreasonable for Core Team to ask to see a Dash wallet's source code when it's a wallet that's been created by an unknown community member. Of course, said community member can tell them to pound sand, and said Core Team can make a public service announcement encouraging everybody to be cautious. Of course, users can tell Core Team to pound sand and use the wallet anyway.

On the other hand, a "Core Team has reviewed the source and we believe this to be a legitimate and problem-free app and we believe the community may freely use it" would go a long way to speeding adoption. However, it's entirely your decision as an app developer.
 

IOS Dev

New Member
> I don't think it's unreasonable for Core Team to ask to see a Dash wallet's source code when it's a wallet that's been created by an unknown community member. Of course, said community member can tell them to pound sand, and said Core Team can make a public service announcement encouraging everybody to be cautious. Of course, users can tell Core Team to pound sand and use the wallet anyway.
>
> On the other hand, a "Core Team has reviewed the source and we believe this to be a legitimate and problem-free app and we believe the community may freely use it" would go a long way to speeding adoption. However, it's entirely your decision as an app developer.
You have completely missed the point. I could easily share my source code with the Core Team but then actually build an application with other code. There is no way to tell which source code was used for an application on the AppStore.
 

camosoul

Grizzled Member
> everything needs to be done by core team only or perhaps only by projects 'approved' by the core team.
Bingo.

The snowflakes and yes men can mark my posts as "trolling" until their mouse-clicking fingers fall off. This consistent pattern of deception and manipulation only gets more obvious the more it is used. Eventually, it'll get obvious enough that even those who knowingly support the corruption can't stomach it anymore.

Nobody likes the truth when they are complicit in the lie...

We don't really know, and probably never will know, if @IOS Dev is up to no good. He's being asked to prove a negative. Nefarious or not, no one can prove a negative.

But, yet again, we can see that @babygiraffe most definitely is. He's the one demanding that a negative be proven, with full knowledge that this cannot be done, and with full knowledge that the process he demands would still prove nothing, yet it would have the "side effect" of granting him total power... So he comes here to slander.

The advertised purpose would still never be fulfilled, but he would end up with control. Not getting his way, slander. He does the same thing every time he doesn't get his way. With no concern for the delays and loss to the project as a whole.

Reminds me of a dirty woman using a child in a tug-of-war legal battle. Man that actually cares about child backs off because he doesn't want to see his kid put through it, but she doesn't give a damn. It's all about her. She wins because she's always ready and willing to sacrifice the child's happiness for a buck. Makes me wonder how Ryan grew up and where he learned to play this game.

Rinse. Lather. Repeat.

Same thing he always does.

We've watched this same dirty game play out over and over and over again, and who's always in the middle? When will MNOs wake up?

We could already be using DASH in retail. It could be old news by now. But the petty need to play this game is more important than progress.
 

mranderson010

New Member
> That seems to happen with projects and parties with whom you get involved...
>
> As verdant as this report seems to be, my past experience with you requires that I suggest to the community that we're almost certainly not getting the whole story, but only the part of it that suits your optics and might give you leverage.
>
> Maybe it's entirely legit, but your name carries a stigma that only a fool would ignore.
>
> I have no first-hand knowledge of this situation, but the pattern is getting hard to ignore. Anything Ryan can't control and take credit for ends up getting slandered into nothingness, and once helpful parties simply find better things to do than put up with his dirty games.
>
> The shoe fits. Again. Still...
Yep, that was our fatal error that led to our demise... Yes, and we have moved on to find better things but I care enough to share with those who think they will be rewarded/supported for bringing immense value to the community. You will be stepped on by the giraffe if you have not received proper support and kissed the ring.

> Bingo.
>
> The advertised purpose would still never be fulfilled, but he would end up with control. Not getting his way, slander. He does the same thing every time he doesn't get his way. With no concern for the delays and loss to the project as a whole.
>
> Rinse. Lather. Repeat.
>
> Same thing he always does.
>
> We've watched this same dirty game play out over and over and over again, and who's always in the middle? When will MNOs wake up?
>
> We could already be using DASH in retail. It could be old news by now. But the petty need to play this game is more important than progress.
Yep, I feel the pain. Dash Corp private blockchain is obvious. How many unique human MNOs are there really? Granted the corporation's little song and dance is fully supported by the few non-company MNOs for now, but first real sign of trouble they will already be gone.

Without relevance or use by both consumers and businesses (small and big), there is zero chance of Dash seen as money. It is one missed or blundered opportunity after another for real adoption, which is where Dash could immediately shine over Bitcoin and is quickly extinguished for short-sighted reasons. I am not saying there is overt malice, but this only company approved approach has destroyed almost all chance of organically growing decentralization and Dash adoption. Centralized governance is hands down the best approach initially, but just like all others before them they hit that glass ceiling of scalability and instead of letting go of the weight absolute power causes... they hold on to it all the way to the bottom of the ocean.

I am using Dash in retail both in POS and Retail, there are great options for both that have been available for months... but unless another merchant like me who is crazy enough to spend the time to read this forum and spend time to type out a response, no one in retail has a single reason to care about Dash or any crypto at this point. They don't care about that another exchange is integrating Dash to make it easier to dump or pump or another marketing angle on how Dash is less hollow than any other payment processor. In the end the Dash Corp has proven they would rather burn the money they don't need than let any other contributor steal their thunder. Just my 2 duffs.
 

camosoul

Grizzled Member
> Yep, that was our fatal error that led to our demise... Yes, and we have moved on to find better things but I care enough to share with those who think they will be rewarded/supported for bringing immense value to the community. You will be stepped on by the giraffe if you have not received proper support and kissed the ring.
>
> Yep, I feel the pain. Dash Corp private blockchain is obvious. How many unique human MNOs are there really? Granted the corporation's little song and dance is fully supported by the few non-company MNOs for now, but first real sign of trouble they will already be gone.
>
> Without relevance or use by both consumers and businesses (small and big), there is zero chance of Dash seen as money. It is one missed or blundered opportunity after another for real adoption, which is where Dash could immediately shine over Bitcoin and is quickly extinguished for short-sighted reasons. I am not saying there is overt malice, but this only company approved approach has destroyed almost all chance of organically growing decentralization and Dash adoption. Centralized governance is hands down the best approach initially, but just like all others before them they hit that glass ceiling of scalability and instead of letting go of the weight absolute power causes... they hold on to it all the way to the bottom of the ocean.
>
> I am using Dash in retail both in POS and Retail, there are great options for both that have been available for months... but unless another merchant like me who is crazy enough to spend the time to read this forum and spend time to type out a response, no one in retail has a single reason to care about Dash or any crypto at this point. They don't care about that another exchange is integrating Dash to make it easier to dump or pump or another marketing angle on how Dash is less hollow than any other payment processor. In the end the Dash Corp has proven they would rather burn the money they don't need than let any other contributor steal their thunder. Just my 2 duffs.
Let's not be snowflakes about this tho... I voted down your proposal. Not because I hate you, or think it was necessarily a bad idea. I just don't think that the DASH budget should be a grant system for external projects. My neighbors shouldn't pay my electric bill, either.

DASH could already have IX-enabled retail use. I had it all lined up, but The Usual Suspects went to the extreme of threatening frivolous lawsuits just because they don't want anyone stealing their thunder.

I've been asked for proof. I have it. But, I am like that father in a custody battle that actually cares about his child. If I actually exposed these parties, there would be a massive loss of confidence in the project. I'm not willing to bring down the roof. I'm fine with letting the weak-minded label me as a troll as long as the project doesn't get sacrificed. For The Usual Suspects, this is about ego. They've never succeeded at anything before, and it's their first time in the spotlight. That has become more important to them than the project and mindset that got them there. Since Evan let Ryan bend his ear, this project has been all but derailed. They've lost their way. My interest lies in seeing DASH succeed, not in ego trips and spotlights. So, I make the statement, but I'll never deliver the proof.

If DASH can win with degenerates at the helm, as long as it wins, I don't really care. It's the idea and the project that matter to me, not the shitbags running the show.
 