Add Phoenix wallet listing #4714

Open
devdavidejesus wants to merge 1 commit into bitcoin-dot-org:master from devdavidejesus:add-phoenix-wallet

@devdavidejesus
Contributor

Summary

This PR adds Phoenix to the wallet listing — a Lightning-first, non-custodial Bitcoin wallet developed by ACINQ.

Phoenix is available on Android (Google Play) and iOS (App Store), sharing the same phoenix-shared Kotlin Multiplatform business logic. Open-source under Apache 2.0.

Files changed

  • _wallets/phoenix.md — wallet entry with scoring, features, and platform links
  • img/screenshots/phoenix.png — 250×350, optimized with optipng -o7
  • img/wallet/phoenix.png — 144×144 icon, optimized with optipng -o7
  • _translations/en.yml — added walletphoenix description (284 characters)

Review process

This listing review was conducted under mentorship from @crwatkins, following the format of prior wallet review PRs (#2808, #3054). A formal review document covering all Basic Requirements (per docs/managing-wallets.md) and score justifications was shared with @crwatkins by email before opening this PR, and approved.

Technical questions about Phoenix's architecture were answered by ACINQ in ACINQ/phoenix#804 (@t-bast, @dpad85), specifically:

  • Electrum servers used for on-chain monitoring (random by default, user-configurable)
  • RFC 6979 nonces via the chain bitcoin-kmp → secp256k1-kmp → libsecp256k1
  • Tor delegated to the OS level (external proxy support such as Orbot)
  • Reproducible builds: not currently achievable (acknowledged by ACINQ)

Testing

  • iOS (v2.7.5): hands-on testing — wallet creation, on-chain receive, swap-to-Lightning, payment history, settings navigation, seed backup, seed-based restore (full reset → restore cycle, balance recovered correctly), and Electrum server connection (observed connection to different random servers across sessions).
  • Android (v2.7.5): validated via Google Play Store review per maintainer guidance — 4.3/5 stars, 848 reviews, 100K+ downloads, ACINQ developer verified, regular release cadence, no systemic UI/UX issues reported in recent reviews.

Scoring

check:
  control: "checkgoodcontrolfull"
  validation: "checkpassvalidationspvservers"
  transparency: "checkpasstransparencyopensource"
  environment: "checkpassenvironmentmobile"
  privacy: "checkpassprivacybasic"
  fees: "checkpassfeecontroloverride"

privacycheck:
  privacyaddressreuse: "checkpassprivacyaddressrotation"
  privacydisclosure: "checkfailprivacydisclosurecentralized"
  privacynetwork: "checkpassprivacynetworksupporttorproxy"

Features: bech32 lightning segwit · Level: 2 · Compat: mobile android ios

Notes

  • Description text follows the style of existing entries (no superlatives, factual tone).
  • Assets meet the optipng -o7 optimization requirement.
  • Numbering of Basic Requirements in the formal review (shared with @crwatkins) was added for organization only and does not correspond to any numbering in docs/managing-wallets.md.

Phoenix is a Lightning-first, non-custodial Bitcoin wallet by ACINQ. Available for Android and iOS, sharing the same phoenix-shared Kotlin Multiplatform business logic. Open-source under Apache 2.0.

Reviewed under mentorship from @crwatkins. Technical questions about Phoenix's architecture (Electrum servers, RFC 6979 chain, Tor delegation) confirmed by ACINQ in ACINQ/phoenix#804 (@t-bast, @dpad85).

iOS hands-on testing performed (v2.7.5); Android validated via Google Play Store review (4.3/5, 848 reviews, 100K+ downloads, no systemic UI/UX issues reported).
@devdavidejesus
Contributor Author

Phoenix Wallet — Formal Review

Wallet: Phoenix
Developer: ACINQ
Tested version: 2.7.5
iOS: hands-on testing
Android: validated via Google Play Store review (see "Android validation method" section)
Reviewer: Davi de Jesus (@devdavidejesus), under mentorship from @crwatkins


Summary

Phoenix is a Lightning-first, non-custodial Bitcoin wallet developed by ACINQ, available on iOS and Android. It uses the Lightning Network as its primary payment layer with on-chain capability via swaps. ACINQ has been a long-standing contributor to the Lightning Network ecosystem (eclair, lightning-kmp, BOLT specifications).

This review is based on hands-on testing of the iOS app v2.7.5. The Android build comes from the same phoenix-shared codebase (Kotlin Multiplatform) but uses a separate native UI (Jetpack Compose); rather than direct hands-on testing, Android was validated through Google Play Store review per maintainer guidance (rating, recent user reviews, release cadence, developer verification — see the "Android validation method" section below).

Recommend listing under Mobile (Android + iOS), Level 2.


Platform notes

Phoenix uses Kotlin Multiplatform (KMP):

  • phoenix-shared — Kotlin business logic (Lightning, swaps, key management) — shared between Android and iOS
  • phoenix-android — Android UI (Jetpack Compose)
  • phoenix-ios — iOS UI (SwiftUI)

The crypto, Lightning, and key-handling logic is therefore identical across platforms. UI/UX behavior may differ.

Reviewer tested iOS hands-on; Android validated via Google Play Store review (see "Android validation method" section). The shared phoenix-shared layer guarantees identical crypto, Lightning, and key-handling behavior. Recent Play Store reviews show no systemic UI/UX issues on Android.


Basic Requirements

The numbering below was added by the reviewer for organizational purposes and does not correspond to any numbering in docs/managing-wallets.md (which uses unnumbered bullet points with conditional sub-lists). Items are presented in the order they appear in the source document, including conditional branches that apply to Phoenix (single-signature, software wallet, exclusive private-key access).

| # | Requirement | Status | Note |
|---|---|---|---|
| 1 | Sufficient users/developers feedback without concerning issues, or independent security audit | PASS | ACINQ is a recognized contributor in the Lightning ecosystem; active GitHub repo, public issue tracker. No independent security audit (confirmed by ACINQ in ACINQ/phoenix#804). |
| 2 | No indication users have been harmed considerably | PASS | No known incidents. |
| 3 | No indication that security issues have been concealed/ignored | PASS | Public security disclosure procedure documented in eclair/SECURITY.md. |
| 4 | No indication of unstable/insecure libraries | PASS | Built on bitcoin-kmp + secp256k1-kmp (JNI wrapper around libsecp256k1, same crypto library as Bitcoin Core). |
| 5 | No indication that changes are not properly tested | PASS | Public CI on the repo, tagged releases, active commit history. |
| 6 | Wallet publicly announced and released ≥ 3 months | PASS | Phoenix Android first released December 2019 (android-legacy-v1.0.1, 10 Dec 2019). Current version android-v2.7.5 published 17 March 2026. |
| 7 | No concerning bug found when testing | PASS | Tested wallet creation, on-chain receive, swap-to-Lightning, payment history, settings navigation, seed backup, seed-based restore, and Electrum server connection — all functioned as expected. Phoenix connected to different random Electrum servers across sessions (ecdsa.net:110 initially, electrum.emzy.de:50002 later), confirming the documented random-server behavior. |
| 8 | Bug reporting method on website and/or app | PASS | Bug reporting via GitHub issues, as stated in the project README: "We use GitHub for bug tracking. Search the existing issues for your bug and create a new one if needed." For troubleshooting and questions, ACINQ also points users to a support page. Security disclosures via the procedure documented in eclair/SECURITY.md. |
| 9 | Website supports HTTPS and 301 redirects HTTP | PASS | phoenix.acinq.co redirects HTTP → HTTPS with 301. |
| 10 | SSL certificate passes Qualys SSL Labs test | PASS | phoenix.acinq.co currently scores Grade B on Qualys SSL Labs. The site is purely informational (static, no API, no DB, no executable downloads served from this domain). Per maintainer guidance, Grade B is acceptable here since the main MITM risk would be rogue executable downloads, which do not apply to this static info site. |
| 11 | HSTS — new listings: max-age ≥ 1 year + preload + includeSubDomains | PASS | phoenix.acinq.co returns Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. |
| 12 | Identity of CEOs and/or developers is public | PASS | ACINQ is a publicly known team. Members active under recognized identities (t-bast, Pierre-Marie / dpad85, sstone). |
| 13 | Avoid address reuse by displaying new receiving address per transaction (UI) | PASS | Phoenix's default address format is Taproot (recommended), declared in-app as: "Default format, with better privacy, cheaper fees and address rotation." The alternative Legacy option is explicitly documented as: "A less efficient and less private format that does not rotate addresses." (Receive > Bitcoin Address > edit format.) |
| 14 | Avoid address reuse by using new change address per transaction | PASS | Phoenix uses BIP84 derivation (m/84'/0'/0, confirmed via Wallet Info screen). HD wallet design with new change address per transaction is standard for bitcoin-kmp. Not empirically isolated in this review (Phoenix is Lightning-first, on-chain spends are infrequent). |
| 15 | Uses deterministic ECDSA nonces (RFC 6979) | PASS | Phoenix signs through bitcoin-kmp, which (per its README) requires an external Secp256k1 implementation; ACINQ provides this via secp256k1-kmp, a JNI wrapper around Bitcoin Core's libsecp256k1. libsecp256k1 uses RFC 6979 by default. Confirmed by t-bast in ACINQ/phoenix#804. Not empirically tested — Phoenix does not expose PSBT signing for end-user verification. (Same evidence pattern as Eclair PR #2808.) |
| 16 | User has access to private keys for all major components | PASS | Phoenix is fully self-custodial. The user holds the 12-word seed. ACINQ states this explicitly in the project README: "This wallet is self-custodial. It means that, when creating a new wallet, a 12-words recovery phrase is generated. Only you have it. It is your responsibility to make a backup of that recovery phrase." |
| 17 | If keys stored online — refuses weak passwords / lock-out | N/A | Phoenix does not store keys online. The seed remains on-device. (Optional encrypted iCloud backup of payment history is decryptable only with the seed.) |
| 18 | Backup of wallet allowed | PASS | Recovery phrase (12-word seed) accessible via Settings > Recovery Phrase > Display Seed. Tested in this review. |
| 19 | Restoring wallet from backup works | PASS | Tested empirically in this review: backed up seed phrase → reset wallet (Settings > Reset Wallet) → restored using 12-word seed → balance restored correctly (11,213 sat recovered). Standard BIP39 implementation via bitcoin-kmp. |
| 20 | Source code public, version-controlled, up to date | PASS | https://github.com/ACINQ/phoenix — Apache 2.0, active commits, tagged releases, public history preserved. |
| 21 | Multi-sig with non-self-controlled keys (2FA, session, etc.) | N/A | Phoenix is single-signature self-custodial. |
| 22 | Hardware wallet requirements | N/A | Phoenix is a software wallet. |
| 23 | App-level access control (additional, beyond OS) | PASS | Phoenix offers configurable app-level access controls under Settings > App Access. Opening the app: Face ID ("Pass iOS biometrics to open the app"), iOS passcode fallback ("If Face ID fails, you can enter your iOS passcode to open the app"), and custom Lock PIN ("Enter custom PIN to open the app"). Spending Control: dedicated Spending PIN ("Enter a PIN code to be able to spend funds") — independent from the open-the-app lock. This provides defense in depth on top of OS-level isolation. |

Score decisions

check:
  control: "checkgoodcontrolfull"
  validation: "checkpassvalidationspvservers"
  transparency: "checkpasstransparencyopensource"
  environment: "checkpassenvironmentmobile"
  privacy: "checkpassprivacybasic"
  fees: "checkpassfeecontroloverride"

privacycheck:
  privacyaddressreuse: "checkpassprivacyaddressrotation"
  privacydisclosure: "checkfailprivacydisclosurecentralized"
  privacynetwork: "checkpassprivacynetworksupporttorproxy"

Justifications

control: checkgoodcontrolfull — Phoenix is non-custodial; user holds the 12-word seed. No third party can freeze or move funds.

validation: checkpassvalidationspvservers — Phoenix monitors the Bitcoin blockchain through Electrum servers. Declared in-app: "To secure your payment channels Phoenix monitors the Bitcoin blockchain through Electrum servers. By default, random servers are used. You can also configure Phoenix to connect only to your own server." The reviewer empirically observed Phoenix connecting to different random servers across sessions (ecdsa.net:110 and electrum.emzy.de:50002), confirming the documented behavior. Same pattern as Eclair (PR #2808).

transparency: checkpasstransparencyopensource — Apache 2.0, source public on GitHub. Builds are not deterministic (confirmed by Pierre-Marie in #804: walletscrutiny was unable to reproduce). Same call as Eclair (PR #2808).

environment: checkpassenvironmentmobile — iOS and Android, both with OS-level app isolation. Phoenix additionally offers configurable in-app access controls (Face ID, iOS passcode fallback, custom Lock PIN) and a separate Spending PIN — see item 23. The combination of OS app isolation + optional spending-time authentication is consistent with the passing criterion ("app isolation, or require two-factor authentication for spending").

privacy: checkpassprivacybasic — Address rotation OK, but discloses to Electrum servers. Same level as Eclair.

fees: checkpassfeecontroloverride — Channel management screen exposes mempool fee estimate, configurable maximum fee for incoming payments, and ability to override defaults. RBF/CPFP are not exposed (Lightning-first wallet design), so not checkgoodfeecontrolfull.

privacyaddressreuse: checkpassprivacyaddressrotation — Phoenix's Taproot format (default, recommended) is declared in-app as providing address rotation. The alternative Legacy format is explicitly described as "A less efficient and less private format that does not rotate addresses" — making the privacy difference between the two options unambiguous to the user.

privacydisclosure: checkfailprivacydisclosurecentralized — Phoenix uses Electrum servers for on-chain monitoring (confirmed by Pierre-Marie in #804). Same precedent as Eclair (PR #2808).

privacynetwork: checkpassprivacynetworksupporttorproxy — Phoenix exposes a "Use Tor" toggle in the iOS app's Settings, with a confirmation dialog stating: "This requires installing a third-party Tor Proxy VPN app such as Orbot." Tor is not embedded in Phoenix; routing is delegated to the OS-level proxy (per Pierre-Marie in #804: "Tor is not embedded inside Phoenix anymore... Now, it's delegated to the OS level."). Per maintainer guidance, this score was specifically written to recognize wallets that can use (support) an external proxy — Phoenix qualifies under that interpretation.


Proposed _wallets/phoenix.md

---
# This file is licensed under the MIT License (MIT) available on
# http://opensource.org/licenses/MIT.

id: phoenix
title: "Phoenix"
titleshort: "Phoenix"
compat: "mobile android ios"
user: beginner
level: 2
platform:
  - mobile:
    name: mobile
    default: &DEFAULT
      text: "walletphoenix"
      source: "https://github.com/ACINQ/phoenix"
      screenshot: "phoenix.png"
      features: "bech32 lightning segwit"
      check: &DEFAULT-CHECK
        control: "checkgoodcontrolfull"
        validation: "checkpassvalidationspvservers"
        transparency: "checkpasstransparencyopensource"
        environment: "checkpassenvironmentmobile"
        privacy: "checkpassprivacybasic"
        fees: "checkpassfeecontroloverride"
      privacycheck:
        privacyaddressreuse: "checkpassprivacyaddressrotation"
        privacydisclosure: "checkfailprivacydisclosurecentralized"
        privacynetwork: "checkpassprivacynetworksupporttorproxy"
    os:
      - name: android
        link: "https://play.google.com/store/apps/details?id=fr.acinq.phoenix.mainnet"
        <<: *DEFAULT
      - name: ios
        link: "https://apps.apple.com/app/phoenix-wallet/id1544097028"
        <<: *DEFAULT
---

Description (walletphoenix in _translations/en.yml)

Phoenix is a Lightning-first, non-custodial Bitcoin wallet developed by ACINQ. Sends and receives payments primarily over the Lightning Network, with on-chain support via swaps. Channel liquidity is managed automatically. Available for Android and iOS. Open-source under Apache 2.0.

(284 characters)


Assets (attached)

  • phoenix.png — 250×350, 17,751 bytes, optimized with optipng -o7
  • phoenix_icon_144.png — 144×144, 4,969 bytes, optimized with optipng -o7

Android validation method

Direct hands-on testing of the Android app was not possible by this reviewer (no Android device available). Per maintainer guidance, Android UI/UX was validated through Google Play Store review:

  • Rating: 4.3 / 5 stars
  • Total reviews: 848
  • Downloads: 100,000+
  • Last updated: 25 February 2026 (corresponds to v2.7.5, published 17 March 2026)
  • Developer verification: ACINQ, with publicly listed business address (10 RUE DE PENTHIEVRE, 75008 PARIS, France) and verified contact email (phoenix@acinq.co)
  • Privacy posture: developer declares no data collection
  • Recent reviews: sample of recent reviews (March 2026 and earlier) shows generally positive sentiment. The most common critical theme is user confusion around channel-management UX (automatic channel opening / fees), which is a known trade-off of self-custodial Lightning wallets rather than an Android-specific UI bug. No systemic UI/UX issues reported in recent reviews.
  • Release cadence: consistent updates over the past 12 months (v2.5.3 → v2.6.0 → v2.6.2 → v2.6.4 → v2.7.1 → v2.7.5), with changelogs documenting bug fixes and incremental improvements.

This is consistent with the criterion of no concerning UI/UX problems on Android. The shared phoenix-shared Kotlin Multiplatform layer guarantees identical crypto, Lightning, and key-handling behavior between iOS and Android.


Items not verified in this review

For full transparency:

  • RFC 6979 nonce derivation, empirical bit-level — Confirmed via architectural chain (Phoenix → bitcoin-kmp → secp256k1-kmp → libsecp256k1) and via t-bast's confirmation in #804. Phoenix does not expose PSBT signing for end-user verification, so empirical bit-level verification was not viable. Same evidence pattern accepted in PR #2808 (Eclair).

Calibration items resolved with @crwatkins

Three calibration questions were raised in the email-stage of the review and resolved before this PR was opened:

  1. Tor scoring — privacynetwork set to checkpassprivacynetworksupporttorproxy. Phoenix supports connecting through an external Tor proxy, which qualifies under the score's intent (per maintainer guidance: the score was specifically written to recognize wallets that can use external proxies).
  2. Android listing — Both Android and iOS listed. Android validated via the Play Store review method documented above (per maintainer suggestion).
  3. SSL Labs Grade B — Accepted; the site does not serve executable downloads, so the principal MITM concern does not apply.

This document covers the Basic Requirements (per docs/managing-wallets.md) and score decisions for the Phoenix listing.

Davi
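
Requirements 9 and 11 in the review above (301 redirect to HTTPS; HSTS with max-age ≥ 1 year, includeSubDomains and preload) can be checked mechanically from response headers. The following is an added example, not part of the PR or of bitcoin.org's tooling; the function names are hypothetical, and apart from the header value quoted in the review the sample responses are constructed.

```python
ONE_YEAR = 31536000  # seconds; the "max-age >= 1 year" floor for new listings


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive (RFC 6797). Returns None when the
    header must be ignored: a repeated directive, or a missing or
    non-numeric max-age.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives ("a;;b" or a trailing ";") are allowed
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form: max-age="31536000"
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = value if sep else None
    max_age = directives.get("max-age")
    if not max_age or not (max_age.isascii() and max_age.isdigit()):
        return None
    directives["max-age"] = int(max_age)
    return directives


def check_new_listing(http_status, location, hsts_value):
    """Return the list of failed checks (empty list means both items pass).

    http_status/location come from the plain-HTTP response; hsts_value is
    the header from the HTTPS response, the only place browsers honor it.
    """
    failures = []
    if http_status != 301:
        failures.append("HTTP does not answer with 301")
    elif not (location or "").lower().startswith("https://"):
        failures.append("301 does not point to HTTPS")
    policy = parse_hsts(hsts_value) if hsts_value else None
    if policy is None:
        failures.append("HSTS header missing or malformed")
        return failures
    if policy["max-age"] < ONE_YEAR:
        failures.append("max-age below one year")
    if "includesubdomains" not in policy:
        failures.append("includeSubDomains missing")
    if "preload" not in policy:
        failures.append("preload missing")
    return failures


# Header value as quoted in the review; status and Location are constructed.
REVIEWED = (301, "https://phoenix.acinq.co/",
            "max-age=31536000; includeSubDomains; preload")
# Constructed weak configuration for contrast.
WEAK = (302, "https://example.invalid/", "max-age=15768000; includeSubDomains")

if __name__ == "__main__":
    print(check_new_listing(*REVIEWED))
    print(check_new_listing(*WEAK))
```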

@crwatkins
Contributor

@devdavidejesus This is excellent work. Thanks much for the PR and the detailed review. Just a couple of clarifications:

> Android listing — Both Android and iOS listed. Android validated via the Play Store review method documented above (per maintainer suggestion).

As noted above this is because: "...business logic (Lightning, swaps, key management) — shared between Android and iOS." and that part was reviewed on iOS.

> SSL Labs Grade B — Accepted; the site does not serve executable downloads, so the principal MITM concern does not apply.

The site does link to executable downloads in the Google and Apple stores, so the MITM concern actually does apply (sorry if I implied otherwise), but the B rating is definitely "passing."

I recommend Phoenix wallet for listing.

LGTM.

@devdavidejesus
Contributor Author

Thank you @crwatkins
