If there’s a new (beta?) version for Android I’d like to try it.
The current version fails with ‘Scan Error’ when importing my ‘test-wallet-from-hell’, it’s a very old wallet with many (many!) small txns and a nasty test.
Sure, will keep you posted on the next Android update. And I’d very much like you to test your wallet with many many small txns against the next release.
(moving conversation to Wallet specific thread)
Hey @mika, Contributors usually branch off from the master branch. You’ve linked a work-in-progress branch. If you feel adventurous, feel free to build it per the build instructions at nighthawk-wallet-android/README.md at master · nighthawk-apps/nighthawk-wallet-android · GitHub
The public repository is to make available the Nighthawk Wallet codebase open source. Feel free to go through the Contributing Guidelines if you’d like to be involved, like many others who have contributed. nighthawk-wallet-android/CONTRIBUTING.md at master · nighthawk-apps/nighthawk-wallet-android · GitHub
With the release of Nighthawk iOS v1.21 on App Store & Nighthawk Android v1.0.20 on Play Store, we have successfully reached the first Milestone. We would like to share our achievements, which are well received by end users on both Android & iPhone.
The status will be updated regularly and published at https://nighthawkwallet.com/changelog/
Additionally, we:
Android specific:
Developer community related updates:
Zcash users feature demands which we will R&D on as per bandwidth:
Things to improve on:
We thank @ZcashGrants for funding us and believing in our vision to ship Nighthawk Wallet on App Store, Play Store & soon F-Droid Store with regular updates.
Nighthawk Wallet on Android v1.0.20 is live on the Play Store https://play.google.com/store/apps/details?id=com.nighthawkapps.wallet.android
T-address → Z-address Shielding in action Nighthawk Android v1.0.20 - Album on Imgur
With the delay in NU5 on main-net, Nighthawk Wallet team would need to adjust the Milestone and deliverables. As promised in our last update, we have been maintaining the live status of development at https://nighthawkwallet.com/changelog/
In April this year, in line with the prospective July/August launch of NU5, we had planned the launch for UAs to be undertaken in Milestone 2/3, but it is clear now that only the Test-net will be available in Q4 2021 with Main-net launch in Q1 2022. While this delay would give us extra time to refine UA support and testing before the Q1 readiness, it will delay our final deliverable, flowing into Q1 22’.
With the extra cycles available in Q4, I have requested @ZcashGrants to review our undertaking work on much needed areas to improve the wallet:
Additionally, I would like to share a short retro for Milestone 2:
What went well
And Naomi Brockwell’s feature on Zcash!
What didn’t go well
Thanks for the update. Btw, was this feature reviewed by a security expert?
AFAIK, pdf security isn’t very good and there are pdf password crackers that claim they can break it in seconds.
What’s the time period for the 1000+ downloads of Nighthawk wallet?
True, PDF security is weak generally, hence we chose to integrate iText Core 7, which makes libraries meeting digital signature standards for PDF encryption (iText 7 Core: an open-source PDF development library for Java and .NET).
It still creates pdf and these aren’t very secure, are they?
Let us know if you can crack the password protected PDFs generated via Nighthawk (via our Disclosure Policy https://nighthawkwallet.com/disclosure/)
And maybe even contribute to the public upstream repo: GitHub - itext/itext7: iText 7 for Java represents the next level of SDKs for developers that want to take advantage of the benefits PDF can bring. Equipped with a better document engine, high and low-level programming capabilities and the ability to create, edit and enhance PDF documents, iText 7 can be a boon to nearly every workflow.
Hey, it’s not about iText 7. It creates encrypted PDFs, but encrypted PDFs aren’t very secure.
I’m not a security expert, but maybe you should consult one? Maybe @daira @str4d ?
AFAIK, pdf encryption is good as long as the passwords are good but they don’t do key stretching to slow down brute force attacks.
This delay pushes out the planned implementation for Unified Addresses support in @NighthawkApps further than anticipated. I am happy to see the release plan mature towards a well aligned release of NU5 + Halo Arc, which enables official Zcash SDK users and partners to support NU5 with verified code along with the protocol upgrade taking effect.
As brought up in the monthly update, contributors to Nighthawk Wallet are working with researchers to develop a Proof of Concept with a novel approach to sync transaction data between light clients and Zcash block server. This work will focus on reducing possible information leakage via lightwalletd and improving sync times for a better end user experience for Nighthawk users. We might be able to target the demo of this improvement along with the NU5 launch.
To clarify, how was iText 7 acquired? It would seem Nighthawk Wallet either is currently in violation of its licensing terms (AGPL) or not actively OSS.
As for security, it appears to use a 160-bit MD5 hash of the owner password to encrypt the user password into a checksum. The owner and user passwords seem to be frequently referred to as equivalent in general use and that is the case with Nighthawk wallet. Due to the lack of salting, that enables precomputation with ease, yet I couldn’t comment on how many such tables exist nor their scope. There does also appear to be software utilizing GPUs available to break keys yet I haven’t downloaded it to try.
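An added, generic illustration of the point made in the two posts above about unsalted hashing and the absence of key stretching. This is editorial example code, not from the thread, from Nighthawk, or from iText, and it does not reproduce the PDF standard security handler’s actual algorithm: one unsalted MD5 round stands in for the legacy design, PBKDF2-HMAC-SHA256 from the Python standard library stands in for a salted, stretched KDF, and the password, salts and iteration count are constructed values.

```python
"""Constructed, generic illustration (not the PDF standard security handler,
not Nighthawk or iText code): why a single unsalted hash is a weak
password-to-key derivation, and what a per-document salt plus key stretching
changes. Only Python's standard library is used."""
import hashlib
import time

# Constructed sample inputs; none of these values come from a real wallet.
SAMPLE_PASSWORD = b"correct horse battery staple"
SALT_DOC_A = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
SALT_DOC_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def derive_unsalted(password: bytes, salt: bytes = b"") -> bytes:
    """Legacy-style derivation: one MD5 round, no salt, no work factor.
    `salt` is accepted only so both derivations share a signature; it is
    ignored, which is precisely the defect: the same password always maps to
    the same 16-byte key, so one table of candidate passwords -> keys, built
    once, applies to every document."""
    return hashlib.md5(password).digest()


def derive_stretched(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated derivation with PBKDF2-HMAC-SHA256 (stdlib).
    The per-document salt makes precomputed tables useless, and each candidate
    password now costs `iterations` HMAC evaluations to test."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def key_reused_between(derive, password: bytes, salt_a: bytes, salt_b: bytes) -> bool:
    """True if two documents protected with the same password end up with the
    same key under `derive`, i.e. one precomputed lookup would serve both."""
    return derive(password, salt_a) == derive(password, salt_b)


def seconds_per_guess(derive, password: bytes, salt: bytes, samples: int = 3) -> float:
    """Median wall-clock cost of one derivation. For a defender this is the
    lever: the time to check one candidate password is exactly what key
    stretching raises."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        derive(password, salt)
        timings.append(time.perf_counter() - start)
    timings.sort()
    return timings[len(timings) // 2]


def stretching_factor(password: bytes, salt: bytes) -> float:
    """How many times more expensive one guess is under the stretched KDF
    than under the unsalted single-round hash (timing-dependent, so it is
    an order-of-magnitude figure, not a constant)."""
    fast = max(seconds_per_guess(derive_unsalted, password, salt), 1e-9)
    slow = seconds_per_guess(derive_stretched, password, salt)
    return slow / fast


if __name__ == "__main__":
    print("unsalted: same key for doc A and doc B?",
          key_reused_between(derive_unsalted, SAMPLE_PASSWORD, SALT_DOC_A, SALT_DOC_B))
    print("stretched: same key for doc A and doc B?",
          key_reused_between(derive_stretched, SAMPLE_PASSWORD, SALT_DOC_A, SALT_DOC_B))
    print("cost per guess, unsalted MD5:  %.2e s"
          % seconds_per_guess(derive_unsalted, SAMPLE_PASSWORD, SALT_DOC_A))
    print("cost per guess, PBKDF2 (%d): %.2e s"
          % (ITERATIONS, seconds_per_guess(derive_stretched, SAMPLE_PASSWORD, SALT_DOC_A)))
    print("stretching factor: ~%.0fx" % stretching_factor(SAMPLE_PASSWORD, SALT_DOC_A))
```

Running it directly prints, for the same password, whether two documents share a key under each scheme and how many times more expensive each candidate password becomes once a work factor is applied. The takeaway for anyone designing a password-protected export is that the cipher used afterwards matters less than the derivation in front of it: a per-document salt removes the benefit of precomputed tables, and the iteration count is the only thing standing between a weak passphrase and a fast exhaustive search.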
iText7 is licensed as AGPL/Commercial Software. GitHub - itext/itext7: iText 7 for Java represents the next level of SDKs for developers that want to take advantage of the benefits PDF can bring. Equipped with a better document engine, high and low-level programming capabilities and the ability to create, edit and enhance PDF documents, iText 7 can be a boon to nearly every workflow.
Since Nighthawk has not modified the AGPL licensed iText7 library and is merely using it in binary form, “as-is”, the library doesn’t have to do anything other than improving the app and is fully compatible with Nighthawk Wallet. The wallet app is able to function without using the iText7’s features which are only used when a user decides to export a password-protected PDF.
The intention of having a password-protected PDF backup of the seed words is simply a feature to be used by the individual when securely backing up & transferring the seed words via digital media format. The primary suggestion(as present in the app) to take a backup of seed words is to write them down on a piece of paper.
Right, except AGPL is a propagating license, just like GPL. Because Nighthawk wallet links with it, it must also be AGPL, yet Nighthawk is currently licensed as Apache 2.0. That’s why I said Nighthawk would be in violation of its licensing terms.
Section 5 (source) has the following quotes:
“You may convey a work based on the Program”
“c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.”
Despite you using iText7 as a compiled JAR (presumably), it’s directly linked into your app, which under the modern interpretation of the GPL makes your work derivative. You also are conveying source (Nighthawk) based on iText7 (as you are conveying source based on the “Program”, and the license doesn’t require it to be based on the “Program’s source”). If you had sandboxed it in an isolated app, solely that app would be AGPL, yet the direct linkage is generally considered to be pretty damning. You could get an exception, yet that exception (if limited to the group behind Nighthawk) could void Nighthawk as an OSS project due to the inability to fork off from it without relicensing (it may be legal for someone to fork Apache 2.0 work and relicense as AGPL without permission? I’m not entirely sure as AGPL should be more restrictive and therefore still honor Apache 2.0 but… it’s just a complete and utter mess to discuss).
IANAL. You should absolutely get a lawyer to review this. I wouldn’t touch the Nighthawk codebase, personally, with a ten foot stick until a lawyer confirms the legality of this. You can say iText 7 has yet to complain so you don’t care yet that’s really not a healthy solution (as it means iText 7 has the power to remove your app at any time, leaving you to fight them while the DMCA claim is active, potentially leading to a lawsuit in their jurisdiction).
I’ll also note your app, despite providing a UI, doesn’t appear to have any copyright statements in it.
“d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.”
I don’t believe iText 7, a library, has UIs so that exemption shouldn’t apply, but I could be wrong as I haven’t worked with iText 7. My main focus is on the fact that Nighthawk doesn’t display any legal notices AFAICT. It seems to be the main page, an info button linking to Zcash, a ‘profile’ page (which has a box saying “Nighthawk” + version yet tapping it doesn’t expand it for more info), and settings, all without copyright statements. This may have issues for other libraries you use if they’re BSD-3/GPL.
EDIT: For further reading reference:
licensing - AGPL - what you can do and what you can't - Software Engineering Stack Exchange ← Says your work must be AGPL no matter what.
licensing - Use of Unmodified AGPLv3 lib - am I AGPL too? - Software Engineering Stack Exchange ← Says your work must be AGPL unless the AGPL code is sandboxed in another binary (as GPL code generally is when dealing with these problems). The first link contradicts that by saying even that isn’t enough, as the AGPL was intended to avoid web based license exploits (you’re never distributing the app, and therefore having users who you’re responsible to under these licenses, if you’re solely distributing a website which makes POST requests to your app). I believe as long as you still communicate the AGPL licensing of the other binary in your non-AGPL app, you can have a non-AGPL app.
The best reference may be Frequently Asked Questions about the GNU Licenses - GNU Project - Free Software Foundation which seems to say it’s okay for Nighthawk itself to be Apache 2.0 (as it’s GPLv3 compatible) AS LONG AS it’s also licensed as GPLv3 and the sum product is released as a GPL binary (in contradiction to some of my commentary and parts of these other links). The distinction is you’re not currently releasing it as a GPL binary (see comments on copyright inclusion).
Various Licenses and Comments about Them - GNU Project - Free Software Foundation and the AGPL section 13 seem to confirm this.
It’s all a mess. This is why I’d get a lawyer to review this and give you a statement you can have ready for these discussions.
Luke, Thanks for sharing all your concerns.
The iText 7’s AGPL was carefully reviewed and discussed with my friends at FSF before adding it as a feature enabler for the Android client app. Additionally, developers contributing to Nighthawk have worked with Black Duck Software and are experienced with complex license structures. As noted earlier, Nighthawk does not provide the web interface to a program running remotely to an internet-facing customer to process a PDF, and uses an unmodified binary of the library for an optional feature that can be taken out by anyone forking the project. AGPL primarily deals with network-enabled web service programs. iText7 offers binaries that are usable in web services and end clients as well. It is fully compatible with Nighthawk.
The new app designs have an About screen with licenses planned.
The integration is straightforward and not “all a mess” as alluded to by your comments. I would still make a point to contact iText7 sales to revisit any changes to newer versions of the library. And I would be open to connecting with lawyers to review the license as well if the funding can be arranged for the same. Rest assured, Nighthawk Wallet is aiming to be the least dependent on any network services that might result in information leaks.
The AGPL was expanded to cover that scenario (network services) as it was an effective loophole in the GPL. That is not the only scenario it handles however, and it generally acts like the GPL (just also handling that scenario). I acknowledge that isn’t relevant here and didn’t make any part of my commentary predicated on a belief Nighthawk was communicating with iText 7 over the internet.
The GNU FAQ writings I linked seem to state your app binary must be GPL licensed, as I covered. If you’ve confirmed with lawyers that your app isn’t a derivative work (despite the authors of the license in question stating that your app would be as it links with the library and that’s sufficient to be derivative, regardless of modification to the work), or that those license requirements otherwise don’t apply, then that’s that. IANAL.
I would posit contacting their sales team means nothing. You’d either want to contact your lawyers or their lawyers. If you contact their sales team and get permission for your group, that wouldn’t extend to forks, hence one of the reasons I said it’s a mess.
Thanks for bringing this up @kayabaNerve. I’m not a lawyer but it is my strong belief this would be in violation of the AGPL license. I’d even go so far as to say I wouldn’t feel comfortable including the library even if a lawyer told me I could (without a negotiated license).
Even if I’m wrong about the AGPL it seems clear to me from their README that letting people use this library for free in their non-agpl commercial products is not what is intended.
iText 7 is dual licensed as AGPL/Commercial software.
AGPL is a free / open source software license.
This doesn’t mean the software is gratis!
Buying a license is mandatory as soon as you develop commercial activities distributing the iText software inside your product or deploying it on a network without disclosing the source code of your own applications under the AGPL license.
EDIT: Personally I probably wouldn’t bother engaging a lawyer on this. I’d be either investigating licensing costs or removing it.
EDIT 2: I felt the need to 2nd this concern because the last thing I want ZCG funding is lawyers when it could have been prevented.
EDIT 3: If anyone is having trouble following this but wants to learn more I recommend you read up on LGPL (Lesser GPL). It was specifically created to allow scenarios similar to this. Knowing that LGPL was created to allow scenarios like this helps in understanding what GPL (and AGPL) doesn’t allow.