Skip to content

Add Cove wallet listing#4759

Open
devdavidejesus wants to merge 5 commits into
bitcoin-dot-org:masterfrom
devdavidejesus:add-cove-wallet
Open

Add Cove wallet listing#4759
devdavidejesus wants to merge 5 commits into
bitcoin-dot-org:masterfrom
devdavidejesus:add-cove-wallet

Conversation

@devdavidejesus

@devdavidejesus devdavidejesus commented May 30, 2026

Copy link
Copy Markdown
Collaborator

Summary

This PR adds Cove (https://covebitcoinwallet.com) to the wallets list. Cove is an open-source, non-custodial, Bitcoin-only mobile wallet for iOS and Android, developed by Praveen Perera (@praveenperera) under InfraOps LLC and backed by an OpenSats grant. The project is hosted at https://github.com/bitcoinppl/cove under the MIT license.

The wallet is built around a shared Rust core (bitcoin 0.32.9, bdk_wallet 3.0.0 stable) with native iOS (Swift) and Android (Kotlin) frontends. Signing relies on BDK's standard wallet.sign() path on top of libsecp256k1 — no custom cryptography. A full grep across rust/, ios/, and android/ for altcoin identifiers (USDT, Tron, Ethereum, ERC-20, etc.) returns zero matches; the project is Bitcoin-only at the code level, and the Terms & Conditions state this explicitly ("Cove supports only Bitcoin (BTC)").

Files changed

  • _wallets/cove.md — new wallet entry
  • _translations/en.yml — new description (walletcove)
  • img/screenshots/coveios.png — 250×350 px iOS screenshot (optimized with optipng -o7)
  • img/screenshots/coveandroid.png — 250×350 px Android screenshot (optimized with optipng -o7)
  • img/wallet/cove.png — 144×144 px icon (optimized with optipng -o7)

Testing

Testing was performed hands-on on both platforms. On iOS, a personal iPhone running the latest App Store release, v1.2.3 (build 7014de36c-67), was used. Confirmations received via email from the project maintainer covered the feature flag decisions (multisig, Lightning, Tor — all "non goals" per the maintainer, none claimed in this listing).

The following was exercised hands-on on iOS:

  • Wallet creation: A new on-device wallet was created using a 12-word BIP39 seed. The wallet creation flow also supports 24-word seeds, hardware wallet import (via QR, file, NFC, and paste), and watch-only via existing descriptors.
  • Network and node settings: Reviewed under Settings → Network and Settings → Node. Cove defaults to Blockstream Esplora (blockstream.info/api/) and offers Mempool.space as a secondary public option, plus Electrum servers (electrum.blockstream.info, electrum.diynodes.com, mempool.space electrum) and full custom Electrum/Esplora configuration. Bitcoin, Testnet, Testnet4, and Signet are all supported.
  • Address generation: A bech32 receive address was generated through the Receive flow. The address format (bc1q…, native SegWit P2WPKH) matches the bech32 feature claim, and BIP44 address rotation is enforced via BDK's standard KeychainKind::External/Internal separation in the Rust core.
  • Receive flow: A small test amount was sent to the new wallet from an external source and successfully received. The transaction was confirmed on-chain and displayed correctly in the transactions list with confirmation count, fiat conversion at receive time, and a link to a block explorer.
  • Coin control: The wallet exposes a full UTXO management screen (Wallet → ⋯ → Manage UTXOs) with selectable UTXOs, search, and sort by date, name, amount, or change status — supporting the checkpassfeecontroloverride and validation choices below.
  • Fee control: The Rust core (rust/src/fee_client.rs) implements dynamic fee estimation from the configured backend (slow/medium/fast tiers refreshed from mempool data), and the iOS UI exposes a custom fee rate input (ios/Cove/.../SendFlowCustomFeeRateView.swift) accepting manual sat/vByte values. The Send flow was reviewed but no outgoing transaction was performed.
  • Security settings: FaceID and PIN protection are available as user-toggleable options under Settings → Security. With a PIN enabled, the Security panel also exposes "Enable Wipe Data PIN" and "Enable Decoy PIN" toggles; these options were observed in the app but are not claimed as features in this listing. The seed never leaves the device; private keys are stored in iOS Keychain backed by Secure Enclave per the project's Privacy Policy.
  • Backup and restore: A fresh wallet was created, its BIP39 recovery phrase written down, the wallet was deleted from the device, and recovery was performed via "Import existing wallet" → 12 Words on a new wallet slot. The restored wallet showed the same balance and transaction history as the original, confirming that the backup and restore flow works end-to-end (a requirement under managing-wallets.md).
  • Source integrity: The repository was cloned and the build environment reviewed. The published SECURITY.md at https://github.com/bitcoinppl/cove/blob/master/SECURITY.md provides a dedicated security@covebitcoinwallet.com address, GitHub private vulnerability reporting, and a PGP key with full fingerprint (72A5 93C0 798F AD2B 9BE3 19DA E134 BCAE A4B7 5DBE).

The same flows were then exercised hands-on on a physical Android device using the latest Google Play release, v1.2.5 (build 5373060cf-20):

  • Wallet creation: A new on-device wallet was created on Android. The flow mirrors iOS — "How do you want to secure your Bitcoin?" (Hardware Wallet / On This Device), "Create new wallet" / "Import existing wallet", and a 12/24-word seed selection. The Terms & Conditions screen explicitly states that Cove is non-custodial and "does not store or recover wallet information."
  • Receive and address generation: A bech32 receive address was generated (bc1q…) with the derivation path 84'/0'/0'/0/1 shown in the UI, confirming BIP84 Native SegWit.
  • Receive flow: A real test amount (15,054 sats) was sent to the Android wallet from an external source. The transaction moved from "Transaction Pending" to "Transaction Received" with 6 confirmations, showing the amount, fiat value at receive time, confirmation count, block number, and the wallet's own receive address. The received-transaction detail screen does not display any sender ("received from") address, consistent with the basic requirement under managing-wallets.md.
  • Network and node settings: Settings → Network (Bitcoin / Testnet / Testnet4 / Signet) and Settings → Node (electrum.blockstream.info, mempool.space electrum, electrum.diynodes.com, blockstream.info, mempool.space, Custom Electrum, Custom Esplora) match the iOS build.
  • Hardware wallet import: The Import Hardware Wallet sheet exposes the same four methods — QR Code, File, NFC, and Paste.
  • Security settings: With a PIN enabled, the Android Security panel exposes Change PIN along with the same "Enable Wipe Data PIN" and "Enable Decoy PIN" toggles observed on iOS. As above, these options were observed in the app but are not claimed as features in this listing.
  • Wallet info: Wallet type is shown as "Hot", with the master fingerprint, a "View secret words" backup path, and wallet deletion under a "Danger zone" section.

Both the iOS and Android frontends share the same Rust core (via uniffi bindings), so the cryptographic surface is identical across platforms.

Scoring

The scoring follows the criteria documented in docs/managing-wallets.md.

  • Control — checkgoodcontrolfull: The user has full exclusive control over private keys. No custodial component. The seed is generated and stored locally; no cosigner is required for spending.
  • Validation — checkpassvalidationservers: The wallet uses a pre-populated list of public servers (Blockstream Esplora and Mempool.space by default) with first-class support for pointing at user-operated Electrum or Esplora endpoints. This places it firmly in the "passing" tier for validation per the documented criteria.
  • Transparency — checkpasstransparencyopensource: Source code is public under MIT, hosted on GitHub under version control, with tagged releases (latest tag at time of writing: v1.2.5; the App Store build used for hands-on testing was v1.2.3). The codebase has been public for over six months. Reproducible builds are not yet documented, so a "good" rating is not claimed.
  • Environment — checkpassenvironmentmobile: Runs in iOS and Android sandboxes with platform-level app isolation.
  • Privacy — checkpassprivacybasic: BIP44 change-address rotation is enforced via BDK's KeychainKind separation. The wallet does not collect analytics or telemetry per the Privacy Policy. A "good" rating is not claimed because the wallet currently lacks native Tor routing.
  • Fees — checkpassfeecontroloverride: Dynamic fee estimates (slow/medium/fast) with full manual override via the custom fee rate screen.

Privacy sub-criteria

  • Address rotation — checkpassprivacyaddressrotation: Confirmed in code (BDK KeychainKind::External/Internal) and exercised in the wallet UI during testing.
  • Disclosure — checkfailprivacydisclosurecentralized: The default Esplora/Electrum servers see address queries. This is consistent with the classification used for other listed mobile wallets that rely on remote indexers.
  • Network — checkfailprivacynetworknosupporttor: Tor is not natively supported in the current release. The maintainer has confirmed that a Tor PR is open upstream and is expected to be merged and released in the near future; once shipped in a stable App Store / Play Store version, this flag can be updated in a follow-up PR.

Features

bech32 hardware_wallet legacy_addresses segwit

  • bech32 — Native SegWit (bc1q…) receive addresses confirmed in the receive flow and the Google Play description ("Native Segwit").
  • segwit — SegWit transactions supported (prerequisite for bech32).
  • legacy_addresses — Native Segwit, Wrapped Segwit, and Legacy address types all supported per the Play Store listing and verifiable in the receive flow.
  • hardware_wallet — Per the App Store description in the project's own repository (ios/metadata/en-US/description.txt): Coldcard, TAPSIGNER, Krux, Jade, SeedSigner, and Foundation Passport are supported. The Import Hardware Wallet flow (verified in app) exposes four PSBT and descriptor exchange methods: QR Code (BBQr & UR), File, NFC, and Paste.

Features explicitly not claimed:

  • multisig — Cove does not currently support native multisig wallet creation. Per the maintainer, watch-only multisig descriptor import is planned within the next six months; even then, the resulting wallet would not delegate spending authority across parties and would not qualify for this flag.
  • lightning — Cove is on-chain only. The maintainer confirmed that Lightning is a "non goal" for the project.
  • taproot — Cove does not currently support Taproot. The Rust core implements BIP84 (Native SegWit), BIP49 (Wrapped SegWit), and BIP44 (Legacy) only; there is no BIP86 derivation path, and the code explicitly rejects Taproot-only descriptors ("Taproot wallets are not supported yet"). Bech32m (bc1p) addresses are therefore not generated.
  • 2fa — PIN and FaceID guard the app but do not qualify as a second authentication factor for spending in the sense defined by managing-wallets.md.
  • full_node — Cove does not maintain a local representation of the blockchain.

Notes

  • The site is served via CloudFlare. HSTS configuration: strict-transport-security: max-age=31536000; includeSubDomains; preload, meeting the 1-year minimum required for new listings and eligible for the Chrome HSTS preload list.
  • Security headers: the site scores grade A on securityheaders.com, with Content-Security-Policy, Permissions-Policy, Referrer-Policy, Strict-Transport-Security, X-Content-Type-Options, and X-Frame-Options all set.
  • SSL/TLS: the site serves a valid Let's Encrypt certificate via CloudFlare and passes the Qualys SSL Labs test with grade B on all four endpoints tested (two IPv4 and two IPv6). Certificate scores 100/100, Key Exchange 90/100, Cipher Strength 90/100. TLS 1.3 and Post-Quantum Cryptography key exchange are supported. DNS CAA policy is configured.
  • A full Cargo.lock audit against the RustSec advisory database (497 unique locked dependencies) returned two findings, both classified as "unmaintained" (paste 1.0.15, bincode 1.3.3) — no CVEs.
  • The project is funded via an OpenSats grant and developed primarily by Praveen Perera (over 99% of repository commits, public team identity).
  • Maintainer contact: confirmation of feature flag scope (multisig, Lightning, Tor) was obtained via email from the project maintainer prior to opening this PR.

@devdavidejesus devdavidejesus changed the title Add Cove Bitcoin Wallet to the wallets list Add Cove wallet listing May 30, 2026
@devdavidejesus

Copy link
Copy Markdown
Collaborator Author

Update (2026-06-17) — SSL/TLS re-verified

Re-checked the TLS setup today; two corrections to the SSL/TLS note above:

  • SSL Labs grade is A+ (not B) — re-verified today on all four endpoints (172.67.181.19, 104.21.64.98, and both IPv6), status READY.
  • Certificate issuer is Google Trust Services (CN=WE1), valid Jun 13 – Sep 11 2026, served via Cloudflare — not Let's Encrypt as stated above.

HSTS (max-age=31536000; includeSubDomains; preload) and the grade-A security headers are unchanged. Everything else in the listing stands.

@devdavidejesus

Copy link
Copy Markdown
Collaborator Author

Status update: pausing this PR until the next stable Cove release.

I opened this PR and evaluated Cove against managing-wallets.md (iOS 1.2.x / Android 1.2.x). @crwatkins has been doing an in-depth review on top of that. With v1.3.0 currently in beta, bringing a new onboarding flow plus other improvements, and a v1.4.0 following shortly after, it doesn't make sense to finalize the listing against a version that's about to be replaced.

Plan: hold this PR as-is until @praveenperera confirms a stable release that's been fully tested, then re-test the key flows on that version and complete the review (including a Pass/Fail table against the Basic Requirements) before moving toward recommendation.

Flagging the status here so it's clear the PR is intentionally paused, not stalled.

cc @crwatkins @praveenperera

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants