Your wallet may not directly connect to a Monero node, but it appears to still connect to a server operated by you or your partner (which then needs access to a Monero node). Whether a wallet directly connects to a “node” or not is irrelevant.
Directly Fetching Decoys
Coin Wallet appears to directly fetch a list of decoys from the API. It fetches 16 and uses 15 of them in a ring when sending (plus the real one). Upon receiving the signed transaction, your server learns exactly which input is truly being spent in the rings; it’s the one that your server didn’t send in the decoy response!
Now, in your case, you already knew what the real spend was in the vast majority of cases, since you can see the incoming transactions (the transaction hash that the user requests data for).
Contrast this to Cake Wallet, or monero-wallet-cli, or the Monero GUI. They use a much more sophisticated system of requesting a histogram of outputs from the remote node. The wallet then selects decoys to use. This process does not reveal to the node which of the ring members are decoys.
I’m not trying to be rude, but it’s clear to me that Coin Wallet is not designed for privacy (at least compared to other common Monero wallets), and thus it doesn’t make much sense to include as a Privacy Guides recommendation. It may be designed for convenience, but I think it’s important for users of your wallet to know that you effectively have an omniscient view of their wallet activity when they are using your app.
It would be a different story if your wallet allowed users to run their own server and manually connect their Coin Space wallet to that server, but that doesn’t appear to be the case.
If you don’t want to deal with syncing and don’t want to set up a lws server, use Edge Wallet. Sure they take your Monero view key, but that’s the same impact to privacy in practice as your approach. Plus you don’t need to manually paste in the transactions you receive, and you don’t need to pay fees of up to $100 for outgoing transactions.
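The decoy-fetching difference described in the post above, as an added example that is not part of the original thread or of any wallet's code. It is a simplified Python model: output indices are constructed integers, and the function names and uniform sampling are assumptions (real wallets weight decoy selection by output age).

```python
import random

RING_SIZE = 16       # 15 decoys plus the real spend, as described in the post
DECOYS_FETCHED = 16  # the post says the wallet fetches 16 and uses 15


def server_supplied_ring(real_output, chain_outputs, rng):
    """Flow described for Coin Wallet: the server chooses and sends the decoys."""
    candidates = [o for o in chain_outputs if o != real_output]
    sent_decoys = rng.sample(candidates, DECOYS_FETCHED)  # server knows this list
    ring = rng.sample(sent_decoys, RING_SIZE - 1) + [real_output]
    rng.shuffle(ring)  # position in the ring hides nothing from the server
    return ring, set(sent_decoys)


def locally_selected_ring(real_output, chain_outputs, rng):
    """Flow described for the other wallets: the wallet picks the decoys itself."""
    candidates = [o for o in chain_outputs if o != real_output]
    ring = rng.sample(candidates, RING_SIZE - 1) + [real_output]
    rng.shuffle(ring)
    return ring


def server_view(ring, decoys_server_sent):
    """Ring members the server cannot rule out as the real spend."""
    return [o for o in ring if o not in decoys_server_sent]


if __name__ == "__main__":
    rng = random.Random(7)           # fixed seed so the run is repeatable
    chain = list(range(1000))        # constructed output indices
    real = 424                       # constructed "real" output being spent

    ring, sent = server_supplied_ring(real, chain, rng)
    print("server-supplied decoys, candidates left:", server_view(ring, sent))

    ring = locally_selected_ring(real, chain, rng)
    # The server sent no decoy list, so it can exclude nothing.
    print("locally selected decoys, candidates left:", len(server_view(ring, set())))
```

The first case always leaves exactly one candidate, the real spend; the second leaves all 16 ring members.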
You say it is unfair, but you still have not answered. I asked where in the app you inform the user? You are avoiding the question and providing an answer to something I did not ask. I did not ask where on your website I can find this.
Again there is no misunderstanding about owning the keys. There is a disagreement in how we believe a wallet like yours should operate.
Why hasn’t this been rejected already and their account deleted?
It would be a great contender for the previously discussed anti-recommendations page.
A wallet or miner or whatever taking fees is OK as long as it is a modest amount and it is clearly stated in the documentation and on each transaction.
In this case they bury it in documentation and don’t mention it at all on the transaction screens and the fee amount can also go up to $100 which is absolutely absurd.
It also used to have both Google and Facebook ads embedded which is just over the top:
Your app has 100k+ downloads on Play Store, how many of those users are in the chatroom? 100? 1000? So the other 99,000 aren’t clearly notified? Yes? OK.
Yes, there’s no option to choose your own server. In reality, we can implement this, but it would require development resources. But then let’s answer the question right away - would that be enough to get listed in the catalog?
I think you do understand the difference: whether the server (node) only knows the user’s transactions or actually holds the view key. That’s a huge difference.
When a user sends a transaction, they see the fee in both the cryptocurrency being sent and the wallet’s currency (dollars, euros). This happens before the transfer, and then they confirm the transfer with their PIN.
That was 6 years ago and 3 years before adding Monero support. As a very small team, we were just trying to survive without external investors. We have no advertising now.
I think our wallet really isn’t a competitor to Monero GUI or CLI - it’s a different user segment. But in the lightweight wallet market, we’re ready to compete, or rather, we’ve been doing so for 3 years already.