So, I have some funds in a cold wallet, and I want to protect the public keys as much as possible (until I spend from an address). But I have put the xpub in the following wallets at various stages for address generation and monitoring at some points.
- Blue wallet (Android)
- Blockstream Green (Android and Flatpak)
- Sparrow (Ubuntu)
My question is, do any of those applications send the XPUB to their servers at any point? Or do they always keep the XPUB (and derive the Bech32 addresses) strictly locally? How big of a threat is exposing the XPUB?
Use Bitcoin Safe wallet https://bitcoin-safe.org/ that uses block filters (neutrino) to sync.
And forget about Electrum servers and you can connect to any random neutrino server and no need for any bitcoin node to run. If you are on the go and you do not have access to your own home bitcoin node, this is an excellent solution.
Same as Zeus and Blixt.
Read more here:
So, you're saying that for this scenario, Bitcoin Safe is more private than Sparrow?
Sparrow with your own electrum server is same safe as bitcoin safe with neutrino.
Sparrow without your own electrum or bitcoin node, connecting to random nodes is also OK, if you know how to do it and what you are doing.
Is a matter of knowledge, not the safety of an app and we are talking about 2 different types of connections.
Thanks, you are awesome!
Some weeks ago, I was setting up an old laptop with bitcoin core (in pruned mode because of disk space) to start learning-by-doing. After the initial set up, I created a sparrow wallet, I hit the wall of privacy/xpub sharing you mentioned, I got frustrated because I couldn't easily find a work around, and I turned off the laptop demoralised.
Then, I find your post, and @DarthCoin's reply, and I discovered block filters, so that I can happily start falling into a new rabbit hole.
Thaks Spidey ;-)
Each of those allows you to connect to your own electrum server. But if you're not doing that, then some random server knows your addresses up to the gap limit plus what you've used already. If you're not using a VPN then your addresses are tied to your IP address.
The threat vector I am concerned about in this question is exposure of public keys to outside parties, not exposing the address or tie to my IP address.
Probably you know the address is the SHA256+RIPMED160 version of the public key, i.e. the public key is not recoverable from the address. The question is whether putting the xpub in the app exposes the public keys to the app builders or the xpub (and public keys) stay locally in the device.
You generally only want to put xpubs in software that either you wrote, or completely reviewed, including dependencies, and re-review with every release. This is because 1 derived privkey leak + xpub = full access.