The feature set reads like a direct response to every complaint power users have about mobile wallets. Coin control with UTXO freezing is the one that matters most — without it, you can accidentally link outputs and destroy whatever privacy your CoinJoin or payjoin effort bought you.
Building on BDK is a good call. The descriptor-based architecture means this can support any wallet policy (singlesig, multisig, timelocked recovery paths) without code changes — just different descriptors. That's the same flexibility Core has, but on mobile.
The hardware wallet integration via animated QR codes is interesting because it sidesteps the USB/Bluetooth attack surface entirely. Air-gapped signing with SeedSigner or Passport via QR is genuinely more secure than USB-connected hardware wallets, since there's no data channel to exploit. The tradeoff is UX friction — scanning multiple QR frames for large PSBTs isn't great.
Two things I'd want to see before trusting this with real funds:
Electrum server validation — when connecting to a custom server over Tor, how does the wallet verify it's talking to the right server? Without server certificate pinning or a known fingerprint, a malicious exit node could MITM the connection and serve fake balance/transaction data.
Backup key derivation — AES-256-GCM is solid, but the security of encrypted backups depends entirely on how the encryption key is derived from the user's passphrase. Weak KDF parameters (low iteration count) would make the encrypted backup vulnerable to offline brute force.
Excited to see this in beta. The Android power-user wallet space has been underserved since Samourai went down.
The feature set reads like a direct response to every complaint power users have about mobile wallets. Coin control with UTXO freezing is the one that matters most — without it, you can accidentally link outputs and destroy whatever privacy your CoinJoin or payjoin effort bought you.
Building on BDK is a good call. The descriptor-based architecture means this can support any wallet policy (singlesig, multisig, timelocked recovery paths) without code changes — just different descriptors. That's the same flexibility Core has, but on mobile.
The hardware wallet integration via animated QR codes is interesting because it sidesteps the USB/Bluetooth attack surface entirely. Air-gapped signing with SeedSigner or Passport via QR is genuinely more secure than USB-connected hardware wallets, since there's no data channel to exploit. The tradeoff is UX friction — scanning multiple QR frames for large PSBTs isn't great.
Two things I'd want to see before trusting this with real funds:
Excited to see this in beta. The Android power-user wallet space has been underserved since Samourai went down.