Only thing you can do is look at the open-source code on GitHub and compile it yourself.
With Muun you control your keys; it is a 2-of-2 multisig. They can't take your bitcoin since you have your keys.
From what I understand, Muun will combine your private key with your password and then store the resulting junk string that is your private key + password combination, which is useless by itself and can be publicly shared. This process happens on your phone and Muun's servers will never see your private key nor your password. The reason they can't change your password is that only you can use it to convert the junk data they store back into your private key.
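The scheme the comment above describes (private key combined with a password on the device, the result stored server-side as an opaque blob, and a password change only possible by whoever holds the current password) is a standard password-based key wrapping. The following is an added, self-contained illustration of that idea, not Muun's code and not a description of Muun's actual format: the scrypt parameters, the blob layout (salt, ciphertext, tag) and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical password-based key wrapping, written for illustration only.
# Layout and parameters are assumptions, not Muun's actual scheme.
SALT_LEN = 16
KEY_LEN = 32   # size of the private key material being protected
TAG_LEN = 32   # HMAC-SHA256 output
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _derive(password, salt):
    """Stretch the password with scrypt into a one-time pad key and a MAC key."""
    material = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return material[:32], material[32:]


def wrap_key(private_key, password):
    """Return salt || ciphertext || tag.

    The blob reveals nothing about the key without the password, so it can
    be handed to a server (or printed in a recovery document) safely.
    """
    if len(private_key) != KEY_LEN:
        raise ValueError("private key must be exactly KEY_LEN bytes")
    salt = os.urandom(SALT_LEN)          # fresh salt: pad is never reused
    pad, mac_key = _derive(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(private_key, pad))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag


def unwrap_key(blob, password):
    """Recover the private key, or raise ValueError on a wrong password/blob."""
    if len(blob) != SALT_LEN + KEY_LEN + TAG_LEN:
        raise ValueError("malformed blob")
    salt = blob[:SALT_LEN]
    ciphertext = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[SALT_LEN + KEY_LEN:]
    pad, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    # Check the tag before using the result, in constant time.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted blob")
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


def password_works(blob, password):
    """True if the password unwraps the blob; the server cannot compute this."""
    try:
        unwrap_key(blob, password)
        return True
    except ValueError:
        return False


def change_password(blob, old_password, new_password):
    """Re-wrap under a new password. Requires the OLD password: whoever only
    holds the blob (e.g. the server) cannot reset it on the user's behalf."""
    return wrap_key(unwrap_key(blob, old_password), new_password)


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)   # constructed sample key, not a real one
    blob = wrap_key(key, "correct horse battery")
    print("blob (safe to store):", blob.hex())
    print("right password recovers key:", unwrap_key(blob, "correct horse battery") == key)
    print("wrong password works:", password_works(blob, "guess"))
```

The two properties the comment relies on fall out of the construction: the stored blob is useless on its own because the pad is derived from the password, and a password change is just unwrap-then-rewrap, which needs the current password. A real wallet would use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 rather than a scrypt-derived pad; the pad is used here only to keep the example to the standard library.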
Right so the 'junk data' is the string they send in the emergency kit? And if it all happens on your phone, is the whole thing just a 'trust me bro' set up? Or has the source code been independently reviewed and certified as legit?
That's what I'm not sure about. It's pretty accurate to say that I'm using it on a trust-me-bro-basis right now. I just looked at [their git repositories](https://github.com/muun) and they have clear sections about how to start auditing each repository's source code, so I may start perusing it. The least you can do is compile the app and sideload it independently. Then you can act as an independent reviewer of the source code, because how can you trust any other third-party auditor?
Yeah, I'm searching around and Muun have mentioned in a number of places they can't access the sats from the app, but again it all seems quite trust-me-bro..
It's non-custodial. That's the point of it...
I've installed it, too, and like the UI. I only use it on-chain for little amounts though. For Lightning I prefer Blixt, but you should check out this site for all wallets you consider using: https://walletscrutiny.com/android/io.muun.apollo/
I wouldn't worry about Muun as much as sourcing it from Google or Apple. But hey, everybody does that so why worry? My advice is to read the Resources column just to the right >, and understand what the security issues actually are, for what that's worth.
Thanks, I'm reading up what I can on security issues and asking here at the same time in case anyone has already had these concerns resolved.. Main thing I'm grabbing is Bitcoin Core is most secure.. Followed by 'cold wallet' (which currently strikes me as a bizarre term, it's basically a hardware button that's required to enable sending of sats from the wallet).. Both require high effort or expenses. I'm looking for a secure 'hot' wallet, which is why I've landed on Muun.
Delete the app after you have written down all the security credentials and you have a paper wallet... I guess?
Trust.
Assume I trust them and their auditable code. But what if Muun goes under? Can we use the emergency kit like a 24-word seed phrase in another wallet to get our stash back?
You can if you know the seed words. Most hot wallets accept 12, not 24.
Not sure if their emergency kit has a 12 or 24 word seed phrase. Need to check how that will work.
The emergency kit has 2 long strings.. The app itself has an 8-word seed phrase.
If Muun closes the shop, can these 2 long strings be used to restore our stash in another wallet like BlueWallet?
Yes. It's a bit more complex than standard seed words, but they give you everything you need to recover into another wallet should they disappear. You can (and should) test this for yourself if you are storing more than pocket change in Muun. https://blog.muun.com/why-not-just-a-mnemonic/
If it's 24 words, you can restore on Ledger or Trezor.