FAQ

Questions, answered honestly.

Does MetroVault ever connect to the internet?

It can’t. The app doesn’t request android.permission.INTERNET, so Android denies it network access at the operating-system level. On top of that, it’s designed to run on a device kept permanently in airplane mode with Wi-Fi, Bluetooth, and NFC disabled.

Which wallets does it work with?

Any watch-only wallet that speaks PSBT over QR codes — BlueWallet, Sparrow, and Electrum are the ones called out in the docs. MetroVault supports standard and animated QR formats (BC-UR v1/v2 and BBQr), so large transactions work too.

Is a phone really as secure as a dedicated hardware wallet?

It’s a different trade-off. A dedicated signer has a secure element with a tiny attack surface; a phone has a bigger OS underneath but gives you a large screen, no bitcoin-linked purchase trail, and hardware-backed key storage via the Android Keystore. A factory-reset phone that never goes online again — set up per the Device Setup Guide — is a serious cold-storage device.

What happens if my phone dies or is lost?

Your bitcoin is safe as long as you have your BIP-39 seed phrase backup. Restore it into MetroVault on another device — or into any standards-compliant wallet — and you’re back. The phone is replaceable; the mnemonic is not.

Can I use it as one key in a multi-sig setup?

Yes. MetroVault imports multi-sig descriptors via QR or text, exports its signer info in BIP-48-compatible form, and signs its share of 2-of-3, 3-of-5, or any other quorum. It pairs well with hardware signers from other vendors for vendor diversity.

What are Silent Payments?

BIP-352 Silent Payments give you a static address (sp1q…) you can publish once and receive to forever, without address reuse being visible on-chain. MetroVault can create dedicated SP wallets, send to sp1q… recipients, and sign spends of received SP outputs — all air-gapped. Only the scan key is exported to your watching wallet; the spend key never leaves the device.

How do I verify what I install?

MetroVault ships on F-Droid with reproducible builds: F-Droid rebuilds the app from public source and verifies the result byte-for-byte before publishing. You can also check the APK’s signing certificate SHA-256 against the fingerprint published on the download section and in the README.

Has MetroVault been audited?

There is no formal third-party audit yet, and the project is honest about being in active development. The entire codebase is GPL-3.0 and open for review, the security model is documented in detail, and the standing advice applies: review or build the code yourself, verify addresses on the device screen, and test with small amounts first.