You can create a backup to see where the wallet.json is placed. In my case Android/data/org.comunes.ginkgo/files
This is the application folder so you don’t need perms to access it. Brave save a wallet export in a similar place.
I tested the APK, it’s very handy on the phone 
we get a better sense of the app use than in the browser
GVA allows to be very quickly notified about a new transfer, that’s a game changer, thanks to bring it to life!
Feature requests:
- add information on the “send” button when it is grayed out to explain why
- add scan button in the contact panel to be able to add a new contact from there
PS: I added Ğ1nkgo to the software page on duniter website: Duniter | Software
3 Likes
J’ai exporté mon portefeuille depuis l’application, et je le retrouve quand je tente de faire un import.
J’ai incliné mon téléphone pour voir le nom du fichier en entier.
I exported my wallet from the app, and I can find it again when I try to do an import.
I tilted my phone to see the full file name.
.
Quand je cherche ce fichier ou ce dossier avec mon gestionnaire de fichier, je ne retrouve que les portefeuilles que j’avais exportés depuis le site web.
Je ne retrouve pas le dossier utilisé par l’application.
When I search for this file or folder with my file manager, I only find the wallets I had exported from the website.
I can’t find the folder used by the application.
I’ll add to the the issues, thanks for the feedback.
Merci!
See the directory below “Select the wallet backup” .
Does your file manager have access to others directory?
Merci! Can you add better: https://g1nkgo.comunes.org/ (the other is more a demo/test site)
BTW, I’ve just published a new version with fixes, and the apk includes notifications (let’s see if works as expected).
https://git.duniter.org/vjrj/ginkgo/uploads/5e9eb1cf77dc480539b73b2ec97b53ad/ginkgo-0.0.16.apk
1 Like
Does your file manager have access to others directory?
Mon gestionnaire de fichier me permet de naviguer sur tous les répertoires. J’ai même activé l’affichage des fichiers caché.
Mais je ne trouve pas le répertoire utilisé par l’application.
Je suis un utilisateur basique, Mes compétences sont très basses. Mais je pense que cette application est prévue pour les utilisateurs comme moi.
My file manager allows me to browse all directories. I have even activated the display of hidden files.
But I can’t find the directory used by the application.
I am a basic user, my skills are very low. But I think this application is meant for users like me.
I’ll try to fix with more energy because I spent a lot of time trying to use the downloads directory without success with permissions issues (this changed a lot between different Android versions, and the documentation and libraries seems to me not very up-to-date). The app application folder does not have so much restrictions.
Can you try the new version I’ve just published?
- If qr works without google services
- New qr scan in contacts
- I also improved the send button that it should work better now
https://git.duniter.org/vjrj/ginkgo/uploads/b8d1e25053db2e8c114359fb76f388da/ginkgo-0.0.17.apk
More info in:
These and other issues in:
2 Likes
Le problème, c’est que je n’arrive pas à retrouver le dossier de l’application, je ne sais pas comment le retrouver pour y mettre le .json que j’avais exporté depuis le site web.
Par contre, l’utilisation des contacts avec le scan de qrcode et le glisser pour faire des payements est vraiment super pratique, j’adore.
The problem is that I can’t find the application folder, I don’t know how to find it to put the .json I had exported from the website.
I’m not sure how to find the .json file that I exported from the website, but the use of the contacts with the qrcode scan and slide to make payments is really super practical, I love it.
It should be here:
but I have to find other easier option, please follow:
Je l’ai trouvé, merci.
Pas évident pour l’utilisateur lambda.
SI je pouvais le sauvegarder directement sur la carte SD ce serait réellement un plus.
I found it, thanks.
Not obvious to the average user.
If I could save it directly on the SD card it would be a real plus.
-
If qr works without google services -
New qr scan in contacts
-
I also improved the send button that it should work better now
Works perfectly! For the send button, I did not see the difference. It could display “insufficient balance” on long tap when greyed out for example.
You are right, it was working better when I tested. Let me improve it…
Merci for the feedback!
Last build of the week, sorry for the spam.
Insufficient balance and other improvements: ginkgo-0.0.18.apk
More info: 0.0.18 · vjrj / ginkgo · GitLab
2 Likes
With Ğinkgo I had the wallet DqMzACN4rHxJXduBZXHTWrMaudLDxvFz761QDdji8LnZ
I sent 10 G1 to it.
But payments are disable online…
Then export ginkgo-wallet-DqMzACN4.json (546 Octets)
But when I tried to Import in 0.0.17
I have a “wrong patern error”.
Any idea?
Great question !!
TLDR: It’s far too much work for not enough money
Summary
So, if I wanted to hack the web app, I would first get ready with my web app patch. The patch would skip the hash check and return it as valid. I would then have to recreate a complete wallet module on another web site and link my web app patch to it. The wallet module should redirect every payment to a new wallet that is created on the fly (of course, I have all the private keys)
After being ready, I would have to take at the same time ownerships of the website where the app is located and of the other website where the wallet module is located. Which is insanely hard : you need many many powerfull computers to achieve that !!
Once done, I would have to wait for people to pay using the app, redirecting every payment directly in my wallets. Because draining wallet when they connect would be too obvious.
The time it takes for a payment recipient to acknowledge that he hadn’t receive the payment, to declare it to the forum and for the dev team to retrieve ownership of the website (or at least shuting down) would be enough to grab some money.
I would then try to send all my wallet’s money into a mixer and then to other different wallets to hide my tracks, hoping that my wallets are not flagged as frozen by the dev team.
However, because the June is not convertible, I would not be able to convert it back to Euro, or any other fiat / crypto currencies. I would have to spend it on the network. And if flagged, that would be impossible.
Anyway, like said before, this is too much hard work and risky, I would definitely use phishing / scam to make more money faster.
Also, note that if I can powned the website, I can also pown the .apk / extension and insert malicious code to do the same trick. Even faster, as only one app patch is needed.
Note that average users have “auto update apps” option set by default, and when connected to the Play Store, updates the .apk as soon as it is connected to internet. The same happens with extensions.
Like said before, if that trick was easy to do, Solflare would have been already hacked. And Solana or other SPL tokens are convertible to fiat / crypto currencies, so it’s easier to take the money and fly away.
Awesome remark !!
TLDR: Always have a “hot wallet” for everyday life and a “cold wallet” for storage
Summary
What would be achievable by powning the web site (see “How-To” above) would be to intercept transactions happening on the web site to stay hidden the longer possible.
But you are absolutely right, “don’t put all your eggs in the same basket” and if you fear for your account being on the web browser, you should definitely have a simple and practical “hot wallet” like the web app, where there is enough June to pay for things in everyday life, and a “cold wallet” used only to store your money, like a numeric vault (or a ledger).
Like when you go out to a flee market with cash, you don’t take all of your money (especially if you have a lot)
Maybe it’s also a great advice in everyday life with traditional banking as well 
Let’s keep in mind that everything is hackable. But it’s not because it’s hackable that it will be hacked.
I totally agree with @vjrj analogy: if you keep your house behind alarms, armored doors and window and you have to close it using 12 different keys everytime you leave / enter your fortress, it will just be a great waste of time and energy. Especially if inside of your house, you just live like a stoic !
A global advice on security (for example on the forum) would be nice. But letting people decide what is best for them is key.
1 Like
In my project, I personnaly use steganography which is storing the encrypted key in a simple sentence (two words sentence). Hence, this “sentence” could easily be send / share over the network using chat / mail / note without the risk of losing it.
Congrats for the hard work !! You are a coding beast 
I don’t understand why the webapp’s server admin can’t just change the webapp code to include the wallet code. Or just replace it with a false GUI which sends the private keys to a server. Or compromise both servers.
I’m not sure to understand how it works. If the webapp is able to check the wallet’s hash, then the wallet has to be executed by the webapp. So the webapp has access to the wallet’s local storage. If the wallet is executed as its own domain, then it can lie to the webapp about its hash.
1 Like
I really love your questions / ways of thinking !
Those questions are really important, so many thanks for asking them 
That would be changing too much code at once, so it’s too noticeable.
The web app does not handle the private keys. The web app is like the current version of gecko mobile : it can only read the blockchain, not write / send tx, nor read private keys
The wallet module is equivalent to the web extension.
- Already compromising a server is very hard. Physically, you have to find breaches, do a ddos attacks or a js injection. I don’t know about flutter, but the security on Next.js is harsh.
The best way would be to become a trusted dev member, or to pay the website admins and be able to publish without being approved by other devs. - The second server (with the wallet) should have different dev access and more protections as it is the one handling private keys / transactions / signatures. As the wallet code barely never changes after it is created, any change should trigger an alarm. So it’s more complicated to access.
- Finally, the hash is kept on the blockchain, with a multisig account. I would not even think of attacking this one.
==> It means that to attack, you have to compromise at least 2 of the 3 modules which are physically isolated. That should give enough time to prevent any damages.
The web app and the wallet send messages to each other. It’s like sending a http request to another server and the server replying with a response. It’s not really executing the server, it’s asking for a service.
Web app: “Sign this transaction, please ?”, Wallet: “Here is the signed transaction !” for example.
So the web app never has access to private keys.
The wallet module does the same as the extension, without the hassle (a mobile can’t use an extension).
Yes, it does. But it’s own local storage, as local storage is dependant on the domain.
So it never has access to the Wallet’s local storage where the private key is stored.
Nope, because the hash is calculated each time the wallet’s code is modified and stored on the blockchain. That would be a real pain if the code changed often (like the web app’s code does), but as the wallet’s code barely never change, it’s ok.
The wallet never knows nor manipulates it’s own hash.
1 Like
If the wallet is served by another server, how can the webapp be sure that the checked hash is the same as the one corresponding to the version executed by the user?
Example: I initiate a transaction. The webapp downloads the wallet code and checks the hash against the blockchain. Then it redirects the user to the wallet. But this time the wallet server serves a different code without telling the blockchain. Even if the difference is huge, the user won’t look at the code (especially if it’s compiled/minified) so nobody will notice.
3 Likes
Hi Frederic I added more tests to detect issues generating on each test 50 wallets and encrypting/decryptying them without detecting issues.
But a pattern failed to me today. But what happened is that instead of type, lets say “1234”, I noticed that I typed “11234” because the pattern widget is a bit more sensible than normal.
Please don’t share your export key in public, for you safety.
I totally agree.
Again, I totally agree.
Thanks, flutter helps a lot to do these things (and to like a lot this initiative & philosophy too).
PS: I’ve just published another version with fixes, enhancements and new translations:
https://git.duniter.org/vjrj/ginkgo/uploads/fdb0517cdc4e19158cb4a8f9bbcb44a1/ginkgo-0.0.19.apk
PS2: Where is the best place to talk about a GVA issue I detected? I have a small payment stuck in a GVA node so its always in txsHistoryMp.sending in one address and in the txsHistoryMp.receiving in the other address for days. If some want to check: HQvpc5EVTGxjWBF7zsUQR9qgAba3Mn2vNivCLphLQVpS is the sender.
2 Likes