Add Visual Bitcoin Wallet

[btcontract]

Hi there.

In this pull request I'm proposing to add my Visual Bitcoin Wallet for Android.
Application has been publicly available for almost 4 months now and has a 4.5 rating with 1K downloads on Play Store: https://play.google.com/store/apps/details?id=com.btcontract.wallet

This wallet is pretty basic feature wise but I've put a lot of efforts into it's design and added some special features like destruction code and seamless multisend. More info: http://btcontract.github.io/VisualBitcoinWallet/

Regards,
Anton

[crwatkins]

In a very quick overview of Visual Bitcoin Wallet v1.03 from the APK:

When I attempt to send an amount of 0.00015 BTC, Visual Bitcoin Wallet sends 0.00014999 BTC.
Likewise when I request to receive 0.00015, the wallet requests 0.00014999.
Math and rounding errors in wallets are very concerning.

[btcontract]

Got it, rounding bug has just been fixed. I've updated application in store and uploaded new APK to repository.

[crwatkins]

I have reviewed Visual Bitcoin Wallet based on the current wallet requirements criteria and my evaluation is below. The summary is that I found nothing wrong with the overall architecture, and only one concerning issue with the wallet which was immediately fixed. Otherwise, the wallet behaved well, met functional criteria, and was completely stable. However, because of the insufficient usage based feedback, I cannot at this time recommend it for listing. I would be happy to re-review Visual Bitcoin Wallet after sufficient usage has been identified or an independent audit has been performed. The requirements criteria allow for an independent audit as an alternative to usage feedback.

Visual Bitcoin Wallet

v1.03

Review Version 2015120401

The wallet list is based on the personal evaluation of the maintainer(s) and regular contributors of this site, according to the criteria detailed below.

These requirements are meant to be updated and strengthened over time. Innovative wallets are exciting and encouraged, so if your wallet has a good reason for not following some of the rules below, please submit it anyway and we'll consider updating the rules.

Basic requirements:

• Sufficient users and/or developers feedback can be found without concerning issues, or independent security audit(s) is available

NOTE No evidence of usage on Reddit

NOTE Google Play: 1000-5000 installs, 45 ratings, 3 reviews non substantive

NOTE No users found on bitcointalk.org

NOTE No users found with generic searches using Google and Bing

NOTE No independent security audit is available

FAIL Insufficient evidence of usage found to conclude that there are no concerning issues

• No indication that users have been harmed considerably by any issue in relation to the wallet

PASS No indication found

• No indication that security issues have been concealed, ignored, or not addressed correctly in order to prevent new or similar issues from happening in the future

PASS No indication found

• No indication that the wallet uses unstable or unsecure libraries

PASS Uses bitcoinj

• No indication that changes to the code are not properly tested

PASS No indication found

• Wallet was publicly announced and released since at least 3 months

PASS Reviews found on Google Play from August 2015

• No concerning bug is found when testing the wallet

NOTE During testing, a very concerning rounding math error was discovered both while sending and requesting funds

PASS This was reported and immediately fixed

• Website supports HTTPS and 301 redirects HTTP requests

FAIL Website at http://btcontract.github.io/VisualBitcoinWallet/ does not redirect to HTTPS

• SSL certificate passes Qualys SSL Labs SSL test

PASS https://btcontract.github.io/ has an A rating

• Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days

PASS Executable code is available on Google Play

NOTE Website https://btcontract.github.io/ does not use HSTS, but does not directly link to executable code

• The identity of CEOs and/or developers is public

PASS Github user btcontract, Anton Kumaigorodski, is referenced on http://btcontract.github.io/VisualBitcoinWallet/

NOTE A more direct reference, with perhaps more information on the web page would be preferred

• Avoid address reuse by using a new change address for each transaction

PASS A new change address is used for each transaction

• Refuses weak passwords (short passwords and/or common passwords) used to secure access to any funds, or provides an aggressive account lock-out feature in response to failed login attempts along with a strict account recovery process.

NOTE Encryption keys are stored on the mobile device protected by a password

PASS Passwords must be 8 characters or longer

NOTE Poor passwords such as "00000000" or "password" are accepted. A password complexity check or meter should be considered.

• Allows backup of the wallet

PASS Backups are made by recording the BIP39 seed phrase available at setup or from wallet settings

• Restoring wallet from backup is working

PASS Funds can be restored by erasing app data from Android app settings and starting over by entering the saved phrase. The BIP39 phrase was also successfully used to restore funds to a MultiBit HD wallet.

• Source code is public and kept up to date under version control system

PASS https://github.com/btcontract/VisualBitcoinWallet is kept up to date

NOTE There is only one release currently tagged in github. All releases must be tagged.

Optional criteria (some could become requirements):

• Received independent security audit(s)

NOTE No independent security audits are available

• Avoid address reuse by displaying a new receiving address for each transaction in the wallet UI

PASS Displays an unused address for each receive

NOTE A receive address my be re-displayed if it has not yet received a transaction

• Does not show "received from" Bitcoin addresses in the UI

PASS Does not show "received from" addresses

• Uses deterministic ECDSA nonces (RFC 6979)

PASS A transaction generated by the wallet was signed with pybitcointools and the same RFC 6979 signature with low S was generated

• Provides a bug reporting policy on the website

FAIL No specific bug reporting policy on website

NOTE Developer's email address is on the Google Play page

• Supports HD wallets (BIP32)

PASS Supports BIP32 with standard m/0'/c/i BIP32 path

• Provides users with step to print or write their wallet seed on setup

PASS Provides users with an option to view the seed along with an option to read documentation explaining the importance

• Uses a strong KDF and key stretching for wallet storage and backups

PASS Scrypt (N=65536) is used for key generation with AES 256 bit encryption for storage