
iOS Wallet Warning!

Status
Not open for further replies.

Ryan Taylor

As you may be aware, earlier this month a developer [name redacted] managed to attain approval for a Dash wallet on iTunes, which is currently available for download. The purpose of this post is to alert the community of the risks posed by the wallet and some recent indications that the developer may be untrustworthy.

The app appears to be based on the official Dash wallet previously rejected by Apple. However, because the source code of the app is not externally verifiable, the risk exists that the application might contain malicious code intended to defraud users.

In light of this risk and prioritizing our users’ security, the Core Team attempted to negotiate access to the source code and Apple account to allow external verification of its contents. A written agreement was reached last week. However, after accepting a bounty and compensation for access to the account, the developer has breached the contract by failing to grant core team access. In addition, he continues to update the code.

Throughout the process, this individual has acted in a self-interested manner, making additional demands after agreements were reached, and has failed to fulfill clearly agreed terms. Due to the ongoing issues and the continued inability to review the code to ensure the safety of users, we strongly caution all users of the extreme risks associated with this app.

Meanwhile, we will continue attempting to access the account to verify the contents and validate the security of the application, and compel the developer to fulfill their obligations under the aforementioned agreement.

It is regrettable that such a positive turn of events has soured so quickly, but the security of user funds is of paramount importance. We will post updates as they become available.
 
Last edited by a moderator:
Since the details are unclear, another option would be just to have the developer transfer the application to another email/dev account. Since the developer has other applications, it doesn't quite make sense for him to supply access to anyone else.
The fact that the wallet was advertised as the "official" Dash wallet right at the start was a warning sign, since it had in fact been modified from the GitHub repo. When questioned about this on Slack, the developer ignored the question - also a warning sign. However, he did convince some people that he had good intentions, so indeed it is regrettable that things have soured.
 
If this is true, we should immediately alert Apple and tell them that the wallet is untrustworthy!

Always safety first!
 
This isn't true. I'm the developer of the app. I've been trying to send them the certificates, but they won't tell me which ones they need. The app is perfectly safe; all the changes are cosmetic, not anything with the code.
 
The app is perfectly safe to use, don't listen to them. I've been trying to send them the certificates, but they won't tell me the ones they need.
 
We need your certificate for signing apps, which you can export from the Keychain if you use a Mac (I'll assume you do), as well as a provisioning profile for the app for pushing to iTunes, and the modified source code. Then, once all this is done, you need to authorize a new upload to the store, at which point I will upload your version after making sure there is no malicious code.

I assumed you knew how to send us your certificate (with the signing keys), but if you need more help with that you can contact me. Having these keys allows me to sign apps as you and therefore push an app to the store on your behalf.

However, if you really want to push to the store, I can do something even more: after you give me the keys, I will make a special version of the app that can be verified from within the app as authentic. Then I'll give you this compiled version as an IPA and you can upload that to the store.

Basically, there are many ways to do this. You have recently said you didn't want to give access to iTunes to us; this is a way around it.
 
...
However, if you really want to push to the store, I can do something even more: after you give me the keys, I will make a special version of the app that can be verified from within the app as authentic. Then I'll give you this compiled version as an IPA and you can upload that to the store.
...
Interesting... I wonder how that can be implemented. Something like incorporating some private key (obviously without pushing the key to GitHub) and signing an arbitrary message in some dialog inside the app, which (the signature) can be verified in, say, Dash-Qt using the complementary public key announced in some way? Or is there some other way to verify AND have all the code openly published?
 
What the hell is wrong with Apple? They will not allow the Jaxx Wallet with Dash, but they allow "[redacted]" - whoever the heck he is - to include a Dash wallet on iOS? Does someone have Millicent Beauregard's telephone number?
 
What the hell is wrong with Apple? They will not allow the Jaxx Wallet with Dash, but they allow "[redacted]" - whoever the heck he is - to include a Dash wallet on iOS? Does someone have Millicent Beauregard's telephone number?
What do you expect from those who removed the headphone jack? And the escape button!?
 
I'm really glad I decided not to do testing for this wallet.
I had a conversation with this developer to gauge what kind of risks were associated with it.
After talking extensively with him, I decided to follow my gut instincts and not do any testing for it.
This is very worrisome! Thanks for the warning......I am feeling unsettled right now!
 
I'm really glad I decided not to do testing for this wallet.
I had a conversation with this developer to gauge what kind of risks were associated with it.
After talking extensively with him, I decided to follow my gut instincts and not do any testing for it.
This is very worrisome! Thanks for the warning......I am feeling unsettled right now!

I think you are getting confused. The developer [redacted] has not been in Slack for months. I commented on this thread earlier and was the one you chatted to on Slack.
 
We all know Apple wasn't going to approve it at the end, and they contacted me two days before to tell me. I tried to state that to the other members; I don't know if my wording was bad or what, but as far as using the wallet, it's safe. If you downloaded the app when it was up, you can still redownload it from the iCloud library and still use it. There just won't be any updates :) Also, yes, I'm no longer on the Slack developer team. I have other things I need to do in the real world, so at the end I was just trying to help out. But in Apple's eyes they don't think Dash is a real currency because you guys started to attack Bitcoin. So please stop slandering my name on the forums. I was just trying to do my part and that's as far as I was able to go.

_ cheers
 
I'm really glad I decided not to do testing for this wallet.
I had a conversation with this developer to gauge what kind of risks were associated with it.
After talking extensively with him, I decided to follow my gut instincts and not do any testing for it.
This is very worrisome! Thanks for the warning......I am feeling unsettled right now!
As far as the app goes, it's perfectly safe to use if you downloaded it; it's identical to the app you can download for Xcode. All I did was just improve the look of the app, that's all. Also, yes, I'm no longer on Slack; I have real-world problems to deal with right now.

_ Cheers
 
What the hell is wrong with Apple? They will not allow the Jaxx Wallet with Dash, but they allow "[redacted]" - whoever the heck he is - to include a Dash wallet on iOS? Does someone have Millicent Beauregard's telephone number?
Deal with it. I've been developing apps and have a good standing with Apple, so it lasted longer on the App Store.
 