This post is also available in: esEspañol

A privacy-related vulnerability was discovered in the Coinomi wallet, which provoked a hostile reaction from its developers.

Coinomi is a multi-coin wallet long trusted as one of the most reliable, secure, and easy to use. Recently, however, a vulnerability was discovered that could potentially affect users’ privacy. Initially discovered earlier this month by Luke Childs, the wallet apparently connects to Electrum servers unencrypted without SSL. Childs brought this issue up on GitHub:

“Great work on Coinomi!

Looking at the source it would appear your app is powered by Electrum servers. Connecting to these servers shows they are unencrypted without SSL:

$ telnet vtc-cce-1.coinomi.net 5028
Trying 46.4.85.241…
Connected to socrates.coinomi.net.
Escape character is ‘^]’.
{ “id”: 0, “method”: “server.version” }
{“jsonrpc”: “2.0”, “id”: 0, “result”: “ElectrumX 1.0.14″}
Does this mean your Android app is making all Electrum requests in plain text?”

After over a week with no reply, Childs reiterated the gravity of the situation before taking to social media for a response:

“So basically opening the Coinomi app is broadcasting all of my Bitcoin addresses in plain text over the network.

Seriously guys, this is a massive privacy issue and needs addressing. ElectrumX supports SSL out of the box, all you need to do is generate a certificate. Do you have any plans to fix this?”

Developers give a strong and defensive response

Nearly two weeks after the issue was initially brought to light, one of the developers responded to the issue on GitHub:

“Hey all,

We have been working on extending the electrum protocol to support secure websockets so we could have a unified electrum indexer API for the mobile apps and websites.

Keep an eye on the ElectrumX repo for a pull request.

Sorry that it took so long to fix.”

However, later the official Coinomi Twitter account responded to previously posted ongoing threads negatively to Childs for spreading awareness of the issue after having been unable to receive an initial response in a timely manner:

Coinomi also called on Childs to apologize for bringing to light information that may cause users to seek an alternative, dubbed by Coinomi as “inferior and insecure.”

Coinomi may have been referring to the Jaxx wallet, which had a certain degree of drama following the revelation that it stored its security pin unencrypted. Coinomi had used that instance as an opportunity for negative advertising:

Users should do their due diligence as to which services to trust

Dash users should always take precautions with the services they trust with their funds. Cryptocurrency is decentralized, peer-to-peer, and trustless, and while this provides many advantages over more traditional and centralized methods of transacting, it also imparts a greater responsibility on the consumer to do proper research into the services they use. While a major coin like Dash with a thoroughly-vetted code may be easily trusted, the myriad of smaller apps and services that comprise the Dash ecosystem may not have had the benefit of being exposed to the same level of scrutiny. As a starting point, users should only trust wallets listed on Dash.org (and keep abreast of any new vulnerabilities discovered in even these third-party wallets), and take caution when trusting other services.