jb.tech.bitpiewallet.md 4.66 KB
---
wsId: 
title: "Bitcan Bitcoin Wallet - USDT ETH BCH TRON"
altTitle: 
authors:
- leo
users: 1000
appId: jb.tech.bitpiewallet
launchDate: 
latestUpdate: 2021-02-01
apkVersionName: "1.3"
stars: 4.0
ratings: 71
reviews: 69
size: 11M
website: 
repository: 
issue: 
icon: jb.tech.bitpiewallet.png
bugbounty: 
verdict: custodial # wip fewusers nowallet nobtc obfuscated custodial nosource nonverifiable reproducible bounty defunct
date: 2021-01-20
reviewStale: true
signer: 
reviewArchive:


providerTwitter: 
providerLinkedIn: 
providerFacebook: 
providerReddit: 

redirect_from:

---


This wallet imitates [Bitpie Wallet](/android/com.bitpie). Its `appId` being
`jb.tech.bitpiewallet` was the first hint, but there are many more similarities.
The description, for example, was also copied.

The provider has no website, which is certainly also suspicious.

Nevertheless they claim:

> As a true decentralized wallet, your private key will never leave the device.

and unless we can prove that this is not the case, we would have to list it as
merely "no source". So we had a look at their app for smoking guns, because
reviews like:

> AVOID AVOID AVOID.. BEWARE FAKE WALLET, ADDRESSES DISPLAYED ARE NOT YOURS, FUND ARE TRANSFERED BUT NOT TO YOU. CHECKED ON BLOCKCHAIN AND ADDRESSES WERE ALREADY LIVE WITH MULTIPLE TRANSACTIONS . LESSON LEARNT, YOU ABSOLUTE SCUM.

> Awful!! I sent $800 btc to Bitcan wallet and the money NEVER showed up! I copied Receive before I sent......then, after Receive is different and btc not found!!! Scam ‼️

> Fake app, you coins get deposited to someone else's wallet. DO NOT USE!

...

but that might just be haters, right? After all, there are many 5-star ratings,
too, like [this one](https://play.google.com/store/apps/details?id=jb.tech.bitpiewallet&reviewId=gp%3AAOqpTOEV6Zl0NS6j6AHFQV7woTr9SJmXiFximwKNxE3j-Q2_RhiBsQTrNxcnCfQsCjM2q71gfTKWSXbWfad2Bg):

> Wow this is great just after sending my deposit 15Btc it appeared immediately even before confirm.

which sounds like the fake reviewers are not even trying to look serious. WTH?

We downloaded the APK, decompiled it with jadx and went straight for the
receive screen. `jb.tech.bitpiewallet.Receive` should be it, right? There, in
`onCreate`, the entry point of the Activity (the screen), `getWallet()` is
called. Here it is:

```java
public void getWallet() {
  try {
    // First hop: the cloud database maps the user's uid to a "WalletId".
    FirebaseDatabase.getInstance().getReference("Users").child(uid).addListenerForSingleValueEvent(new ValueEventListener() {
      /* class p009jb.tech.bitpiewallet.Receive.C13267 */

      @Override // com.google.firebase.database.ValueEventListener
      public void onCancelled(DatabaseError databaseError) {
      }

      @Override // com.google.firebase.database.ValueEventListener
      public void onDataChange(DataSnapshot dataSnapshot) {
        Receive.this.prd.show();
        Receive.walletid = (String) dataSnapshot.child("WalletId").getValue(String.class);
        Receive.walletname = (String) dataSnapshot.child("WalletName").getValue(String.class);
        TextView textView = Receive.this.tv48waltname;
        textView.setText(Receive.walletname + " Receiving Addresses");
        TextView textView2 = Receive.this.tv46name;
        textView2.setText("My " + Receive.walletname + " Addresses");
        // Second hop: the receive address and its QR code image are read from
        // "Wallets/<WalletId>" in the same cloud database. Nothing is derived
        // from any key material on the device.
        FirebaseDatabase.getInstance().getReference("Wallets").child(Receive.walletid).addListenerForSingleValueEvent(new ValueEventListener() {
          /* class p009jb.tech.bitpiewallet.Receive.C13267.C13271 */

          @Override // com.google.firebase.database.ValueEventListener
          public void onCancelled(DatabaseError databaseError) {
          }

          @Override // com.google.firebase.database.ValueEventListener
          public void onDataChange(DataSnapshot dataSnapshot) {
            Receive.walletaddress = (String) dataSnapshot.child("Address").getValue(String.class);
            Receive.walletqr = (String) dataSnapshot.child("QrCode").getValue(String.class);
            Picasso.with(Receive.this).load(Receive.walletqr).into(Receive.this.iv8qr);
            Receive.this.tv49address.setText(Receive.walletaddress);
          }
        });
        Receive.this.prd.dismiss();
      }
    });
  } catch (Exception unused) {
  }
}
```

In its third line it calls `FirebaseDatabase`, which according to
[the Firebase documentation](https://firebase.google.com/docs/database/) is:

> Store and sync data with our NoSQL cloud database.

So if the private keys never leave the device, why would the Receive Activity
have to ask a *cloud database* for the receive address?
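The check above was done by reading one class by hand. As an added example, not
code from the app and not part of the original review, here is a small Python
triage script that automates the same question over a whole jadx output tree:
for every class whose name looks like a receive or deposit screen, does the
address it displays come from a cloud database or HTTP call, or from key
material on the device? It assumes `jadx -d <outdir> app.apk` was run so the
Java sources sit under `<outdir>/sources`. The two Java samples embedded in it
are constructed for the demo: one mirrors the Firebase pattern shown above, the
other is a hypothetical wallet deriving the address locally with bitcoinj-style
names. The API name lists are assumptions, not an exhaustive catalogue.

```python
"""Static triage of jadx output: where does a wallet's receive address come from?

Added example, not the app's code. Assumes `jadx -d <outdir> app.apk` was run
and Java sources live under <outdir>/sources. The Java samples below are
constructed; the API name lists are assumed, not exhaustive.
"""
import re
import tempfile
from pathlib import Path

# Class names that usually implement the receive / deposit screen (assumed).
RECEIVE_CLASS_RE = re.compile(r"receive|deposit", re.IGNORECASE)

# Address arriving from off-device: a cloud database or plain HTTP (assumed list).
REMOTE_SOURCES = {
    "firebase_rtdb": re.compile(r"FirebaseDatabase\.getInstance\(\)\.getReference\("),
    "firestore": re.compile(r"FirebaseFirestore\.getInstance\(\)"),
    "http": re.compile(r"\b(HttpURLConnection|OkHttpClient|Retrofit|RequestQueue)\b"),
}
# Address derived on the device from key material (bitcoinj-style names, assumed).
LOCAL_SOURCES = {
    "key_derivation": re.compile(r"\b(DeterministicKey|HDKeyDerivation|deriveChildKey|MnemonicCode)\b"),
    "wallet_api": re.compile(r"\b(freshReceiveAddress|currentReceiveAddress|ECKey)\b"),
}
# The address reaching the user: a TextView holding an address, or a QR image.
ADDRESS_SINK_RE = re.compile(
    r"\.setText\([^;]*addr[^;]*\)|Picasso\.with\([^;]*\)\.load\(|QRCodeWriter|BarcodeEncoder",
    re.IGNORECASE,
)


def classify_address_source(java_src: str) -> dict:
    """Classify one decompiled class by the origin of the address it displays."""
    remote = sorted(name for name, pat in REMOTE_SOURCES.items() if pat.search(java_src))
    local = sorted(name for name, pat in LOCAL_SOURCES.items() if pat.search(java_src))
    if remote and not local:
        verdict = "remote"   # a server picks the address: the provider controls the coins
    elif local and not remote:
        verdict = "local"    # consistent with "the private key never leaves the device"
    elif remote and local:
        verdict = "mixed"    # e.g. local keys plus a server-side address book: read it by hand
    else:
        verdict = "unknown"
    return {"verdict": verdict, "remote": remote, "local": local,
            "shows_address": bool(ADDRESS_SINK_RE.search(java_src))}


def triage_sources(root: Path) -> list[dict]:
    """Walk a jadx source tree and classify every receive-looking class."""
    findings = []
    for path in sorted(root.rglob("*.java")):
        if not RECEIVE_CLASS_RE.search(path.stem):
            continue
        result = classify_address_source(path.read_text(encoding="utf-8", errors="replace"))
        result["file"] = path.relative_to(root).as_posix()
        findings.append(result)
    return findings


# Constructed sample 1: the shape of jb.tech.bitpiewallet.Receive (Firebase lookup).
SUSPECT_RECEIVE_JAVA = """\
public class Receive extends AppCompatActivity {
  public void getWallet() {
    FirebaseDatabase.getInstance().getReference("Wallets").child(walletid)
      .addListenerForSingleValueEvent(new ValueEventListener() {
        public void onDataChange(DataSnapshot dataSnapshot) {
          Receive.walletaddress = (String) dataSnapshot.child("Address").getValue(String.class);
          Receive.walletqr = (String) dataSnapshot.child("QrCode").getValue(String.class);
          Picasso.with(Receive.this).load(Receive.walletqr).into(Receive.this.iv8qr);
          Receive.this.tv49address.setText(Receive.walletaddress);
        }
      });
  }
}
"""

# Constructed sample 2: a hypothetical non-custodial wallet deriving the address locally.
LOCAL_RECEIVE_JAVA = """\
public class ReceiveActivity extends AppCompatActivity {
  protected void onCreate(Bundle state) {
    super.onCreate(state);
    DeterministicKey key = HDKeyDerivation.deriveChildKey(accountKey, ChildNumber.ZERO);
    Address address = wallet.freshReceiveAddress();
    addressView.setText(address.toString());
  }
}
"""


def demo() -> list[dict]:
    """Write both samples into a fake jadx tree and triage it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "sources"
        (src / "jb" / "tech" / "bitpiewallet").mkdir(parents=True)
        (src / "jb" / "tech" / "bitpiewallet" / "Receive.java").write_text(SUSPECT_RECEIVE_JAVA)
        (src / "example" / "wallet").mkdir(parents=True)
        (src / "example" / "wallet" / "ReceiveActivity.java").write_text(LOCAL_RECEIVE_JAVA)
        (src / "example" / "wallet" / "SettingsActivity.java").write_text("class SettingsActivity {}")
        return triage_sources(src)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['verdict']} remote={f['remote']} local={f['local']}")
```

Point `triage_sources()` at the `sources` directory of a real jadx run instead
of `demo()`. A `remote` verdict on a receive screen is the smoking gun this
review describes; `mixed` and `unknown` only mean the heuristics did not
settle it and the class has to be read by hand, as was done above.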

Rather than creating a new category **very obvious scam**, we file it as
**custodial** (the "provider" holds the coins), assuming its prompt removal from
the store. Either way it is certainly **not verifiable**.