James Stanley

How to get your Bitcoins out of Xapo without running their app on your phone

Mon 15 January 2018

Xapo is a company that offered a Bitcoin Visa debit card. You'd top up your account with Bitcoins, and you could then spend them, using the card, anywhere that takes Visa payments. This is super convenient for anyone who earns income in Bitcoin.

Unfortunately, on the 5th of January, and with no notice, all Bitcoin Visa cards were cancelled. WaveCrest Holdings is the company that issued these cards; Xapo is just a customer of WaveCrest. Visa had instructed WaveCrest that they must immediately cancel all of their cryptocurrency-related cards. Bummer.

With no remaining use for the Bitcoin that was in my Xapo wallet, I wanted to withdraw it. I logged into their website and tried to withdraw it but was told that I must approve the withdrawal using the Xapo app.

When I signed up for Xapo there was no Xapo app. I was never made aware that the only way I'd be able to withdraw my money would be by running their proprietary code on my phone. I never agreed to run it, and have never used it. I run CopperheadOS on my phone, which uses F-Droid as a software repository instead of Google Play, so I don't even know how I'd install their app (probably "allow installation from untrusted sources" and then go and work out how to download the APK from the Google Play website?). At any rate, I refuse to run non-free code on my phone, so that option is out.

I emailed Xapo support 10 days ago to insist that they allow me to withdraw my money, but still haven't heard back.

So today I tried to do it their way. I got hold of an Android phone that was already plugged into the closed-source Google ecosystem, and installed the Xapo app on it. The first thing the app asks for is your phone number. I wasn't sure whether I should put my phone number, or the phone number of the phone. I tried my phone number first and received a verification code via SMS on my own phone, but had no way to type it into the app, as it was expecting to receive the SMS itself. Next I tried the phone number of the Android phone, and the app took me to the next screen, where it asked for my email address. After I entered my email address I was told that it was unfortunately already registered with a different phone number.

My next trick was going to be to swap the SIM cards between my phone and the Android phone, but James suggested manually forwarding the verification code from my phone to the Android phone. So I input my phone number, received the SMS on my phone, and forwarded it to the Android phone. It worked! The app accepted it and I was then able to log in using my email address.

The app then insists on taking a photograph of your face which it sends off to the mothership. I'm not 100% sure why it does this, and not sure if it checks it against anything, or if it even checks that there is a face in the photograph. I gave it a photograph of myself, anyway.

I clicked around the interface and found the part where you can send out your money by scanning a Bitcoin address QR code. I tried this a few times, but every time I scanned the QR code, the app just took me back to its overview screen instead of letting me send any money. I also tried manually typing in the Bitcoin address instead of scanning a QR code, and the app had the same behaviour.

What I had to do was log in to the Xapo website using my laptop, try to withdraw the Bitcoin as I had the first time, and then a notification popped up in the app, which I could use to "approve" the withdrawal. I did this, and a few minutes later the payment showed up on the Bitcoin network, and it is now confirmed.

So now I've got my Bitcoins back, and I haven't had to taint my real phone with code I don't trust. I consider that a decent result. It's a good reminder though: if you don't control the Bitcoin keys, you don't control the Bitcoins.


James Stanley - james@incoherency.co.uk | ricochet:it2j3z6t6ksumpzd | jesblogfnk2boep4.onion | /ipns/jes.xxx/ | [rss]