Counterfeit Bitcoin wallets frequently appear in Apple's App Store, stealing $20,000 from users. Is it the fault of open source?

According to an internal report from Apple, a large number of well-known Bitcoin wallet knockoffs have appeared in its App Store. Some of these knockoff wallets are exactly the same as the original ones and are mainly used to steal users' Bitcoins. Before Apple completely removed these apps, users had lost nearly $20,000.

The fact that these fake apps can be developed and spread so easily makes people question whether the free and open source nature of Bitcoin is a good thing or a bad thing. Most Bitcoin wallets are open source, which means that anyone can verify and maintain them. From another perspective, however, scammers can just as easily obtain the software and, with only a few modifications, use it to steal funds.

Bitcoin wallet Jaxx, Ethereum, and Dash have all realized this and made some changes. For example, on the Jaxx website, all code is public but read-only: anyone has the right to inspect the code, but may not copy and reuse it.

Jaxx CEO Anthony Di Iorio explained to Bitcoin Magazine:

Part of the reason we do this is for ourselves. Because we are a company, companies have operating costs, and if you contribute your code for free, you won't make any money at all. Another reason is to prevent someone from maliciously imitating our wallet. As a company, we want to provide quality management services, and if someone can easily imitate your product, it would be a failure. We are always trying to find a balance between transparency and software ownership. At present, we have embedded specific friction points in the code to prevent it from being stolen.

One of the victims of the copycat wallet incident is GreenAddress. GreenAddress has always been completely open source, which means that its code can be directly copied and used. Even so, GreenAddress developer Lawrence Nahum continues to support the free and open source software (FOSS) model.

Open source wallet code does make it easier to copycat. But even if a wallet is not open source, I think it will be hard to escape the fate of being copied by malicious people. Even if the code is read-only, scammers can still find ways to imitate your wallet. Moreover, not making the source code public also means that your code has not been carefully reviewed, so it will only give people the impression that it is not secure. Most developers I know never review the code directly on the website.

However, Di Iorio doesn't think that setting permissions on code necessarily means giving up scrutiny or security.

Even if the wallet is completely open source, you can’t be sure that the wallet you downloaded from the app store uses the same code. And not many people care. No one will double-check the code before downloading a wallet. 95% of users just need a wallet that works, and it has nothing to do with whether it is open source or not.

Apple removed these copycat wallets after receiving complaints from the Bitcoin community. The actions of the Bitcoin community and Apple’s official review system prevented the long-term harm caused by copycat wallets in a timely manner.

But Nahum doesn't think this is a long-term solution.

Apple is like a walled garden that won’t expand, so someone must review every piece of software that is loaded into the App Store. Malware will also be updated. Although experienced bitcoiners can still identify pirated software, in the future some software may not need to be pirated at all to achieve its evil purposes.

Nahum said that as of now, there is no perfect solution. Users can only pay attention to potential pirated software and take corresponding measures.

We notify Apple as soon as we detect malware. But I still recommend that you verify the source of the software when you download it. Check if you know the developer, what the reviews say, and whether the software has been submitted to bitcoin.org. Be sure to check the URL and software name several times to make sure you are downloading genuine software.

