Bisq Easy Mobile

[HenrikJannsen]

Ideas about options for a Bisq 2 mobile app has been discussed in #298 while Bisq 2 was still in development.

This new discussion should focus now on the concrete and more limited scope of providing a minimal version of Bisq Easy as mobile application for both Android and iOS and discuss it more in details.

Feature scope for phase 1

• Create user profile
• Create onion address, also for the clearnet use case as the onion address is needed to trade with desktop users.
• Offers only, no public chat
• Private trade messages
• Taker-only mode for the start to reduce effort on the UI side
• Trade process
• Support for mediation
• Config for own relay node

Feature scope for phase 2

• Optional Tor mode for Android
• Create offer

Relay node

• REST API + websockets mode. This mode is not suited for most home network users as they dont have their network environment setup as server.
• Onionservice mode. Suited for home network usage as Tor does not require a setup as server. If mobile users want to connect to their own relay the tor option is the most feasible.
• Relay nodes with both modes are provided by Bisq contributors (bonded roles).

Network interface

• Cleannet connection to the REST API
• Websockets for getting data pushed (maybe only supported in phase 2)
• Optional Tor support (incl. onion services) for Android (for iOS Tor support is highly problematic) instead of the clearnet options.

Public data

• Offer messages (BisqEasyOfferbookMessage)
• User profile (UserProfile)
• Market price data (AuthorizedMarketPriceData): Alternatively we could ping the price nodes, but it would open an additional privacy leak if clearnet is used, thus delegating it to the relay node seems the better approach.
• Reputation data (AuthorizedProofOfBurnData, AuthorizedBondedReputationData, AuthorizedAccountAgeData, AuthorizedSignedWitnessData): As this data has comes with some complexity how the resulting reputation score is calculated we delegate that probably to the relay which provides aggregated reputation score data.
• Mailbox data: Client receive all mailbox data and filters out their data by the keyId the same way as its done on the desktop app. Drawback is that more data is transferred. Alternative to that would be that the client sends their keyId to the relay node to get only the relevant data. Drawback: Relay learns gets more metadata and need to maintain client state. For now we assume we use option 1.

Private data

• All data is encrypted and signed
• If the mobile user use Tor the same model as on desktop is applied just that he has basically a gossip network with only one node, the relay node).

If the mobile user use clearnet, private messages are delivered as follows:
A private message sent from the mobile client to a desktop user is sent as ConfidentialMessage to the relay. The receiverKeyId is the relevant pointer to the receiver. This is an ID only known to the receiver. The relay sends it to the gossip network as mailbox message not as direct message to the receiver. The relay acts as publisher of that data. The receiver will get the mailbox message if they are online from the gossip network, decrypts and processes it.

A private message sent from a desktop user to the mobile client is sent to the mobile users onion address (even if the mobile user use clearnet). As the mobile user is not using Tor it fails (fast) and the message gets send as mailbox message via the gossip network. The relay node receives that and forwards it to all their mobile clients. The mobile client checks if the mailbox messages has their key ID and if so decrypt and process the message. At some point the mobile client sends the remove message to the relay so that the mailbox message gets removed. We need to add some random delay here to avoid privacy issues.

Privacy implications

If the Tor mode is used, I think the privacy implications for the mobile user are very limited. For http requests to the relay the relay node does not learn about the mobile users onion address. The hidden service connection can be used only for data sent from the relay to the mobile client.

If clearnet is used and the mobile user is not using their own releay node, the relay node learns about the IP address of the user.
Pubic data are sent to all users the same way, thus there is nothing extra the user reveals. For received private messages it is the same ,as mailbox messages are just public data everyone gets delivered.
Only when sending a private message, the relay learns about the communication between the mobile user and some unknown Bisq Easy user with a certain receiverKeyId. The receiverKeyId is not publicly know and associated to any onion address or user profile. But from repeated messages the replay can learn that a trade happens (obvious anyway as that is the use case). With observing different receiverKeyIds the number of trades can be derived. The mobile user could distort that by publishing fake messages with non existing ids, but that would harm the network as mailbox messages without real receiver would stay until the TTL is triggered in the network and need to be loaded by any node.

We could though add a new model to create new IDs after each message (or a pool when communication starts), thus each message will have a new ID and only the 2 parties know how about it. We have to be careful though that a missing message would not fatally interrupt the chain and making further communication impossible. But I guess there are ways how to achieve that with sufficient resilience. With such a solution the issue that the relay can learn about the number of trade is mitigated.

Another issue is the removal of a received mailbox message of the mobile user. The relay node would learn that a certain mailbox message (which contains the receiverKeyId was successfully decrypted by the mobile user and therefor knows their receiverKeyId. To avoid that the mobile user can randomly delay the remove message so that this correlation is broken.

Those mitigations will not provide the same privacy protection as the Tor mode, but beside that the relay learns about the IP address the privacy implications are rather small.

Security

The mobile user need to trust to some extent the relay node.
A malicious relay node could:

• Hold back offers
• Hold back mailbox messages
• Hold back other relevant public data
• If we use aggregated reputation score data provided by the relay node, the reputation could be fake. Maybe a reason to reconsider that approach and use instead the oracle provided data (trust to oracle is then the same issue as in desktop mode).
• If market data is provided by repay node it would be an issue, but we likely use the oracle provided market data and maybe also requests to price providers.

Conclusion

I think Bisq Easy can be implemented as a mobile version even with the clearnet option with a privacy/security to convenience trade-off acceptable for many users. For the more privacy focused users there is the option to run their own relay node (less convenient) or if they are Android users to use the Tor mode. If that is not enough or possible its best to stick with the desktop version.

[HenrikJannsen]

We could also consider an alternative approach:

We support to run both clearnet and tor (or i2p), so the relay node could run both clearnet and tor and will be accessed via clearnet from the mobile clients. The mobile client need to run then the Bisq p2p network code but it is not a "full" node as it does not accept incoming connections. This distinction would require some extra work in the p2p network layer to treat those 2 classes of nodes differently (might be its not needed as any connection to such a non-full node would just fail).

The benefit from such an approach would be that it perfectly matches the existing p2p network design and multiple relays would share the load of the mobile clients. There is still the leaking of IP addresses, but the other concerns should be disarmed to a large extent (still some issues as a small number of full nodes would represent some centralization).

The downside is that it requires to run the network module code (and more), thus require to use bisq2 as dependency to the mobile apps. For Android that should not be a major issue as its JVM based. For iOS we would require Kotlin Multiplatform and then it has to be investigated how much extra effort is required to get all working there. Any OS specific part (like sockets) needs its own implementation for iOS. I still estimate it is not that much of an effort as we don't use much of specialized OS specific stuff, but still an effort to be considered.

The core difference from that model to the REST-API based, is that here the tradeoffs are limited to a smaller number of peers (>=1) and leaking the IP address to all those full-node peers. Furthermore anyone could run such a full node and without added restrictions that would add some risks to the users to end up a spy-agency node.
Beside that the REST-API version would make likely tradeoffs with providing aggregated data to reduce the complexity for the mobile client to process it on its own.

As the trade-offs and potentially required extra effort for clearnet are a concern we also could investigate the options of Tor for iOS. It might turn out to be not much more effort.
Alternatively we could simply ignore iOS and only focus on Android with Tor support.

[rodvar]

I think this is a much better idea.

All in all to add up on this my 2 cents:

• Tor in a close environment like the bitten apple world is the biggest risk to this sub project IMHO. If we want to support iOS we might have no other option but to provide some form of clearnet REST APIs
• Android support should be more straightforward, and given its linux-based OS tor shouldn't be a problem
• To make focused efforts considering all of the above, I would encourage to start with an Android-only POC (done in kotlin MP thinking to add iOS in the future) with a very well defined set of features and minimalistic design we want to support and grow from there.
• for the rest api, we currently have a custom glassfish based http server in the rest-api app. We might want to leverage the power of a framework with good security and performance features given the potential risks implied in opening the HTTP door. Currently I'm investigating Micronaut, Vert.x and Quarkus being the latter the one that looks on the surface the most suitable for us...

[HenrikJannsen]

One area where we might need changes is the way how we manage data. Atm we use our custom file-based persistence framework. We load at startup all data in memory, which is also for desktop already a bit heavy (I guess 80% of the RAM consumption comes from that data) and this will grow over time with more users. We might need to re-consider to use a DB solution and see how we deal with the issue that we don't want to do queries to the DB all the time as it would be too slow for most use cases.
If not changed we have to check out how feasible it is to add that resource load to average mobile devices.

All in all I think efforts in the REST API path would lead in the wrong direction to centralized and trusted services and as no code exist for that yet, it would be considerable effort anyway. Furthermore as it would be an alternative code path not used in the desktop app we add risk for missing updates and changes (Bisq1 is suffering from that as well when new changes are not applied and tested at the API).

Going the P2P path we reuse our existing code base, maybe it needs some improvements (DB, network) which benefits the desktop as well. We know that tor support on Android works, so the privacy trade-offs can be avoided in that case or be left to the user (with tor startup and re-connections will be slower).

For Apple it seems feasible that we can support with KMP and implementation of the required system interfaces like sockets the clearnet p2p version. For Tor it would be some extra effort which need to be considered if worth the costs/risks (no official Tor impl., Apple might block the app at any time and there is no alternative to the App Store).

I would suggest we kickstart a POC where we create an android project adding the main dependencies from Bisq2 (network) and try to get just a network node running on clearnet/localhost as a first milestone.

After that we can add the remaining dependencies needed for Bisq Easy use cases.

If we achieve that, we can extend it to clearnet - remote node running Tor+clearnet and get the real p2p data via that node.

Once that is achieved we can get Tor integrated and get the Tor-remote node model working.

Next would be to transform that into a KMP project (could be also done initially if not too complicate) and adding iOS integration.

After setup is done for iOS we need to get the native implementations for the missing OS specific interfaces (e.g. sockets,...).

Get the network with clearnet/localhost working. Then get the cleanet/remote node working.

If we arrived at that stage the POC can be considered successful and we can start implementing a minimal viable version of Bisq Easy for mobile.

Further tasks:

• Improve resource handling
• Consider a DB solution
• Investigate Tor support for iOS

[rodvar]

Thanks @HenrikJannsen .

I read your comments carefully. I can help with Data management in Bisq as well.
Just to get things started maybe I focus on this first

I would suggest we kickstart a POC where we create an android project adding the main dependencies from Bisq2 (network) and try to get just a network node running on clearnet/localhost as a first milestone.

and we go from there?

[KewbitXMR]

Look no further, I am already 75% done creating a Bisq app.

[rodvar]

Hey @KewbitXMR that's great news, let me know if you want some early review or collaborations more than happy to have a look!

[rodvar]

just leaving it here for anybody following this discussion to review - @KewbitXMR approach is a flutter package --> https://pub.dev/packages/bisq - haven't looked into it yet but will soon

[rodvar]

@KewbitXMR hey Kewbit, thanks again for your proactive approach to kickstart a solution for this initiative.

I took some time yesterday to review your work. Below you have my own logs, but just a headsup, I couldn't find any docs to your work and the repository has no code shared yet (is it the right one? https://github.com/KewbitXMR/flutter_bisq) so it was not an easy job, I used VSC to check the code of the lib as I was testing it.

My question to you is, how did you calculate the 75% done estimation you claimed above? it seems like quite raw yet.
Besides that, I'm inclined to think that the community won't agree using a Google owned framework like Flutter. I hope this helps, let me know your comments.

Initial review for flutter lib bisq: ^0.0.2

• created a out of the box flutter app using Android Studio and VSC
  added the lib
• created a test to check the available BisqClient functionality
  searched for docs on github → failed, project hasn’t been opensourced yet
• cannot find BisqClient cli like functionalities, only connection related.
• Used VSC to inspect the code → OK, the client is a simple gRPC connector in Dart, you need to provide host, port and password.
• the client only has connect functionality using dart grpc lib (it looks like just a grpc mainstream dart lib wrapper at the moment)
• there are a bunch of grpc clients implemented in the proposed lib but couldn’t figure out how to use / test those

[KewbitXMR]

The only reason I downvoted this is because the topic did not start with a problem, if there is no problem what is there to solve? Making a less complex, easier to attack, more manageable to the average developer all sounds like a great bandwagon to ride, and I won’t argue that Bisq 2 looks better and is more intuitive but all that means nothing if the protocol is trash.

So my question is what is wrong with the current Bisq, if there is something wrong, why can’t a solution be implemented fix it rather than rebuild entirely.

I would expect to at least see someone take an attempt to tackle the infamous trilemma on any new developments.

Especially if the community it expected to fund them throughout, sometimes the community are excited about an idea but don’t understand the real technical backing.

If not changed we have to check out how feasible it is to add that resource load to average mobile devices.

It’s feasible, there is not too much data to handle if it’s dealt with appropriately, storing protobuffers (as proto3Json) in an SQLite database indexed only by the important keys will be sufficent, even keeping the file system as is. To address the RAM issues I’m sure that mostly from the wallet syncing as they jump back on again, please let me know if that’s not the case because we were having the same problems on the other side of the playpen.

Improve resource handling

What metrics do you have to support this as being a problem?

Investigate Tor support for iOS

I can give you some feedback on this and it’s not great, but it can work. On iOS you get about 1 APi call every 15 minute max, and no background process can stay open. Additionally, that request is only allowed to last between 15-30 seconds. If we consider that it might take that amount of time to bootstrap to Tor or I2P for that message, then by the time a connection is established we may have enough time to important notifications like new trade offers and chat messages. The alternatively is to implement various ways for the end user to receive notifications, none of this would be centralised, if they wanted to recieve email on a new trade or chat message they’d supply their own SMTP servers as part of their node config, or they could supply a matrix and simplex account to receive the notifications. I will actually update this who are interested in this once I’m confirmed done with the iOS side of things but I’m focusing on the privacy devices / OS currently as requested by the XMR community.

Finally, you say you have a PoC, are you willing to share it?

[HenrikJannsen]

After further discussions I think it is required to lay out more in details the specifics of different models as well as constraints and goals.

Goals

Must have features:

Offer a full trade experience in the most minimal form

This includes:

• Create a user profile (create key pair, generate bot ID, generate icon, do proof or work which is used for the profile icon and bot ID).
• List offers
• Create an offer
• Take an offer
• Execute the trade process

Clearnet connectivity

Even if we have Tor support the fact that establishing a Tor connection can take considerable time it will hurt the user experience. It has to been seen if keeping Tor connections open when the app is in background is feasible from a resource management point of view.

Mobile notifications for relevant trade events

This need to be further investigated but as it is a new feature not present in Desktop yet, it is less relevant to our main objective of the current investigation to see what is the best path to bring Bisq Easy from Desktop to mobile.

Good to have features:

Tor support

Technically feasible on Android. But will require adjustments on our tor code and build infrastructure.
On iOS there is no official Tor available but several 3rd party implementations. It needs to be investigated if those solutions can be used and what would be the risks. Furthermore iOS does not allow to start other processes which would add security risks if a 3rd party tor library would be integrated into the app (opposed to the model used in Desktop where both are separate processes).

iOS support

iOS support would be good to have, though we need to consider the costs and risks and if those pay off.
Apple has banned Bitcoin apps in the past, and there is no guarantee they will not do it again. They deployment model does not allow alternatives. Telegram CEO has mentioned that the Apple/Google duopoly is a main tool for US government to apply pressure on app providers. With Android there are at least alternative deployment options, so Apple represents a higher risk in that regards.
The EU is trying to push for banning E2E encryption. As this is fundamental for Bisq, those risks of censorship are unfortunately more real as we would wish.
I bring up those concerns, as in case we would make compromises in our decision for the most feasible model to enable iOS support just to find out later that we get banned anyway, we would deeply regret it and have lost 2 times.

Support for other mobile OS

We should check out also the distribution rate for alternative systems. Linux based systems or Huawai's mobile OS might become more relevant in future as the US controlled duopoly might have overextended their power position and more users are looking out for less invasive and totalitarian systems. The geopolitical developments require that the Global South develop more of their independent IT infrastructure.

Building up reputation

It would be good that the mobile user can build up reputation using their profile ID. As this use case requires to run Bisq 1 we can assume that those users also have Bisq2 installed. Thus the easiest option would be to add a UI feature to Bisq 2 to use an external profile ID (from the mobile app) in the UI for building reputation. The messaging to the oracle node can be then done inside Bisq 2. On the mobile side we only need to export or copy the profile ID (maybe also the private key if needed for sending the data to the oracle).

Not supported features

At least for a first version we do not plan to support that Desktop users can reuse their profile on mobile and go back and forth between Desktop and mobile. This would require a synchronization mechanism for the private data as well as a lock mechanism to avoid both models are used in parallel. So far I don't see any feasible solution for that beside a server side hosting of the data directory).

Constraints

We have to keep in mind our limited dev resources when selecting the most feasible model. In case the mobile app cannot re-use a large part of the existing code base we have to keep in mind that maintenance costs and risks from compatibility issues when developing parallel implementations of core features.
Beside technical constraints we also have to keep in mind the conceptual constraints for models which require new infrastructure which might lead to a higher degree of centralization, risks and potential liabilities.

Models

Full node model

This model requires that we can re-use most of the existing Java code base. It is driven by a full P2P network node with Tor support at least for Android but with adjusted configurations in terms of number of connections and other network specific metrics.

Using Tor

If the mobile node use Tor the privacy and security model is basically the same as with the Desktop version. The main difference will be the lower number of connections for limiting resource costs.

Using clearnet (we call that model now Light node model)

For clearnet support we need to have some clearnet enabled nodes (any node can run on multiple transports, e.g. clearnet and tor, but for clearnet it must be reachable from outside, which is usually not the case in home environments without manual setup for port-forwarding, but on VPN servers). This requirement will add a bit of burden to Bisq to provide clearnet enabled headless nodes (technically the same as seed nodes). Those have less privacy protection for the operator than Tor-only nodes.

The outbound connection to other clearnet nodes is fully functional, just the inbound connection will not work as the mobile node is not accessible by its IP address. This should not cause any problem. It only requires a custom configuration of the peer management as by default it seeks a balanced level of inbound and outbound connections. If another peer sends a direct message as it is the case in the trade process, the send message attempt will fail, but then the message gets encrypted and distributed as mailbox message and broadcasted to the network. By that it reaches the mobile node via their outbound connections and the message gets decrypted and applied. It is the same model as if the peer is offline (not reachable via direct message).
For removing the mailbox message the receiver sends out a remove-message after successful decryption. This short timing might become an issue in the clearnet model due the smaller number of nodes and can be mitigated by adding some random delay to make it harder to associate the mobile nodes IP to their key ID. This would be a good enhancement as well for the current Desktop/Tor mode.

Security and privacy risks when using clearnet

A malicious clearnet node could hold back messages to the mobile node, which could lead to failures in the trade process and in the worst case to a ban and loss of investment in reputation in case of a seller. Though, this is unlikely as there are other communication channels where a seller could reach out to support.
Also the clearnet node has no indication about the receivers network address, as that data is encrypted. The only visible data is the key ID. The key ID is a random string generated once to be assigned to an identity and used to optimize the decryption process of received mailbox messages. A node only tries to decrypt messages with the matching key ID, otherwise the costs for trying to decrypt all messages would be high. As long other nodes do not have the association of the profile ID and the key ID there is no privacy risk.
Though a motivated attacker could try to figure out that association by for instance engaging in a trade and then if that node is a clearnet node which is used by the mobile node try to censor messages. The gain on that is only sabotage and the potential loss of the users reputation is very unlikely to happen.
Though such a clearnet node could figure out how many mailbox messages go to that user, and linking the IP address to their key ID and profile ID. In hostile regulatory environments that might pose some risk, but then using the low privacy of a mobile phone and clearnet should be avoided in the first place.

From my POV the privacy and security risks are rather low and do not require a BSQ bond for node operators. Though Bisq need to provide at least the min. number of nodes for sufficient network resilience (I would estimate at least 4 nodes).

Persistence

The persistence model used in Bisq 2 is likely not appropriate to mobile and we need to build some abstractions around that. I don't expect that this is a major roadblock.

Candidates for implementing that model

From preliminary research it seems Gluon is the most promising candidate to make that model feasible.

Kotlin Multiplatform cannot use dependencies in form of jar files, but would require to port the Bisq 2 code base to Kotlin and to use specific libraries (e.g. for networking and concurrency) to enable compilation to the iOS target. There would be for sure more issues on the path with 3rd party libraries we use as well with crypto libraries. The effort and associated risk with such a huge change is from my POV outside our possibilities.

In case we drop iOS support we have more options to go just Android only. In that case a plain Android project might be the most feasible option.

Delegated node model (we used before "Light node model" but that is better suited to the full node model with clearnet)

In that model we would delegate the networking part to a relay node and use a REST API between the mobile client and the relay node.

It still will require to re-implement a considerable part of the code base (crytpography, proof or work, offer domain, trade process, payment methods, persistence). If that model is chosen we cannot just reuse Bisq 2 code for those areas as those will have further dependencies, but rather we need to re-implement a minimal version of all the required features. This is considerable effort and lead to a parallel code base with future costs for maintenance and compatibility risks.

Relay node

A relay node would be a headless Bisq node with a REST API exposed via clearnet and Tor.
For sending out messages the relay node can just publish it to the P2P network as mailbox messages (avoiding direct messages at all for privacy reasons). For receiving messages we could either send all mailbox messages to the mobile node (using web sockets for push or use some long-polling strategies), or the mobile node provides their key ID and by that subscribes only to mailbox messages with that key ID. This obviously leaks their key ID to the relay node.
The feasibility of the former approach depends on the overall network activity. I assume at current state its feasible without causing too much traffic, but we have to be aware that there are scalability limits.

Security and privacy concerns

The public data can be accessed without privacy issues beside that the relay node learns about the mobile node's IP address in case of clearnet.
For trade messages though we have to avoid that the relay node gets all the data in plain text. Thus we need to create a mailbox message on the mobile client (which has encrypted payload). This will require all the dependent code for creating that mailbox message. This should not be a huge problem but has to been investigated further how much re-implementation is required. It will at least require to support the protobuf message hierarchy used for mailbox messages.
The relay node still learns about the receivers key ID and the senders IP address (in case of clearnet).

Similar as in the full node model, I do not see severe security risks and the privacy risk can be lowered by using Tor.

Candidates for implementing that model

KMP might be a good candidate here, as it makes it easier to copy Java code from Bisq 2, convert it to Kotlin and reduce it to the minimal needed as a strategy to re-implement a big part of the code base. As that code base does not contain the P2P network part one hurdle is removed, but still a lot remain and I would assume we only learn by doing it how much effort it really will be. I estimate its considerable effort. For sure there is high risk of uncertainty of the overall effort.

Thin client model

That model consists of a full node with a server offering a REST API (headless or Desktop) and the mobile client as thin UI client.
We already use a similar model for the oracle node, where the Bisq 1 node offers a REST API which is accessed by the Bisq 2 oracle node as client (Bisq 2 oracle node learns about Bisq 1 DAO and network data, to provide that to Bisq 2 network).
For the full node/server part we only need to add the REST API for the required features. The effort for that should be manageable.

Candidates for implementing that model

The mobile client can be implemented in any technology. KMP might be a good candidate here as well. There is no requirement to re-use or re-implement Bisq 2 code.

Use cases

That model could to be used in a "friends and family" context for on-boarding newbies. An experienced Bisq user provides that full node/server and the newbie connects to that, fully trusting that provided node (as its for friends and family that should not be a concern).

The other model would be that users run their own private server and use it for themself, thus rendering the privacy and security issues obsolete (beside the secure connection to the API).

Questions

The main question here is the usefulness and size of potential market (in case of friends and family use case).
We have to keep in mind that users from developing countries often have no access to a desktop computer and using a VPN server might be too much of a financial or technical burden.

So this option seems to me mostly a "nice to have" add-on, without much potential to extend to new markets or users. I would also assume users would be disappointed that Bisq Easy has not brought the full trade experience without the need to run a full node to mobile.
As Bisq Easy does not require that makers have their node running, this is a different context to Bisq 1 where this requirement motivates for user to run a headless API node in the cloud.

Conclusion

My personal conclusion is that the Full node model offers the most benefits with least costs. It is as close we can get to have the same user experience, level of privacy, security and decentralization as the Desktop version. It enables us to reach to new users and markets where Desktop computers are not much used. The main hurdle here is, if there is a feasible technical solution possible. Our first hope for KMP failed unfortunately and it has to be seen if the remaining candidates which allow reuse of java based source code in mobile environment can hold their promise.
In case Gluon (or other alternatives) are not feasible to be used for cross platform support, we should also discuss the option to drop iOS support and go Android-only, in which case I assume the technical hurdles are manageable.

The Light node model, is for me a bad compromise on all levels and to introduce a parallel implementation is for me basically a no-go.

The Thin client model is technically the easiest and most feasible but does not provide the mobile experience one would expect (you dont want to run your Whatsapp Desktop client when using it on mobile). I consider the added value and options to reach new users and markets as rather limited and to me it is questionable if the costs justify the gains in that model.

[cbeams]

Here are a couple resources arguing the case for the "thin-client model" as it's called above.

1. A vision and high-level architecture for Bisq Mobile (1h 11m Loom screencast video; Keynote file available on request)

2. A response to Bisq Easy Mobile discussion #2665 (28m Loom screencast video responding to Bisq Easy Mobile #2665 (comment))

A ChatGPT-generated summary of the transcript of (2) follows. It's not great and is in a couple places wrong or nonsensical, but it does give at least a general impression of the position I'm taking and what topics get covered in the video.

chatgpt transcript summary of video (2)

1. Introduction

The speaker acknowledges being late in responding to Henrik's original post but explains the use of video due to time constraints. They plan to respond to the key points Henrik raised and focus on arguing for the thin client model for Bisq Mobile. The speaker clarifies they won't address every point, only those relevant to their argument.

2. Must-Have Features

The speaker agrees with Henrik's list of must-have features, particularly the importance of modern notifications for trade events on Bisq Mobile. They argue that the Bisq backend should handle notifications efficiently, making them a reasonable assumption for a thin client setup. The speaker takes it for granted that Bisq Mobile will include opt-in and configurable notifications for all relevant trade events.

3. Clear Net Connectivity

The speaker finds clear net connectivity less important due to their confidence in Bisq’s vision for connectivity. They argue that issues like slow Tor times and heavy Tor overhead aren't concerns under the thin client model because Bisq will manage the necessary connectivity in the backend.

4. Good-to-Have Features

Henrik's list of good-to-have features, such as Tor support, is mostly left aside by the speaker, as they don’t see Tor support as necessary for the mobile client. However, the speaker considers iOS support absolutely essential, arguing that excluding iOS would alienate a significant portion of the user base. They also mention that Android and privacy-focused distributions like F-Droid are implicit, given the nature of the mobile platform.

5. Support for Other Mobile Operating Systems

The speaker brushes aside the need for support for operating systems beyond iOS and Android, assuming that privacy-focused Android distributions are already covered.

6. Desktop-to-Mobile Profile Sync

Henrik mentioned that desktop users won’t be able to reuse their profiles on mobile in the first version. The speaker explains that this wouldn’t be an issue under the thin client model since all devices would connect to the same Bisq node, eliminating the need for data replication or synchronization.

7. The Full Node vs. Thin Client Model

Henrik's discussion of a full node model is countered by the speaker’s preference for the thin client approach. They emphasize that with the thin client model, users will remotely connect to a Bisq node (either their own or a trusted node), bypassing the need to run a full node on a mobile device. This is presented as simpler and more feasible than the full node approach, which comes with heavy performance, networking, and synchronization issues on mobile devices.

8. Friends and Family Use Case

The speaker agrees that the thin client model is particularly useful for onboarding new users in a "friends and family" context. Experienced Bisq users could host their own full node and allow less technical users to connect to it. This offers a practical, small-scale centralization approach that enables newcomers to trust a known Bisq node operator.

9. Market Size and Potential

Henrik raised concerns about the limited potential market for the friends and family use case. The speaker responds by admitting that while they don’t have hard data, their intuition suggests a solid opportunity. They argue that users often don’t know what they want until they see it in action, so clearly articulating and demonstrating the value of this model could sway opinions.

10. Managing User Expectations

Henrik expressed concerns that users might be disappointed by the thin client model, expecting a full trading experience without needing to run a node. The speaker acknowledges that if Bisq marketed the app to general users, it might indeed be disappointing. However, they clarify that the intended audience for Bisq Mobile is existing users and experienced Bitcoiners, who understand the need for a backend node and won’t be deterred by this requirement.

11. Privacy and Security in a Thin Client Setup

Henrik highlighted privacy and security concerns if users rely on trusted third-party nodes. The speaker counters that this is a reasonable trade-off in the friends and family context, where trust is inherent. They also argue that users who value privacy and security could run their own nodes on a VPS, personal server, or other setup, maintaining full control over their Bisq environment.

12. Technical Challenges of the Full Node Model

Henrik argued that the full node model provides the most benefits with the least costs. The speaker disagrees, arguing that building a full node mobile experience is fraught with technical challenges—especially when trying to make it cross-platform and performant. They predict that pursuing the full node model would be a "fool’s errand," resulting in numerous hurdles with little return, based on their own experience.

13. Benefits of the Thin Client Model

The speaker reiterates the advantages of the thin client model, highlighting its simplicity and practicality. With this model, Bisq would work similarly to Bitcoin wallets, where mobile users connect to a backend server. They compare this to well-known wallet apps like BlueWallet or Sparrow, where users connect to a server rather than running a full node on their phone.

14. API Development for Bisq

The speaker stresses the importance of building out a robust API for Bisq, which would open up new possibilities, such as bots, web UIs, and better desktop and mobile integration. They acknowledge that this is a significant technical effort but argue that it’s worth the investment to make Bisq more versatile and accessible across platforms.

15. Final Thoughts on the WhatsApp Analogy

Henrik used the analogy that people wouldn’t want to run WhatsApp Desktop to use WhatsApp Mobile, hinting that requiring a full node for Bisq Mobile could disappoint users. The speaker pushes back on this, pointing out that the better comparison is with Bitcoin wallets or Lightning clients, which also require backend infrastructure. They argue that the need to connect to a node isn’t a deal-breaker for the intended Bisq audience, as long as the communication and expectations are managed properly.

Conclusion

The speaker concludes by reinforcing their stance that the thin client model is the best approach for Bisq Mobile. While it might not meet the expectations of non-technical users or those unfamiliar with Bitcoin infrastructure, it serves the needs of Bisq’s current users and aligns with the broader Bitcoin ecosystem. They caution against wasting too much time pursuing the full node model, which they see as impractical, and advocate for investing in the thin client approach, including the necessary API development, to unlock Bisq’s full potential.

[cbeams]

Following up further on this point:

The Thin client model is technically the easiest and most feasible but does not provide the mobile experience one would expect [...]

I addressed it originally in the video here, but failed to mention perhaps the most important counterpoint.

I agree that the thin client model risks entirely-new-to-Bisq users being disappointed when they download the app, open it and realize it won't be functional unless and until they have a backend Bisq node to connect to. That's what I already discussed in the video. What I didn't say is that I think the far greater risk is that actual and longtime Bisq users will be disappointed when they open Bisq Mobile for the first time and realize that it creates a completely separate node with no way to connect to and control their existing node. I (as a Bisq user) do not want to set up a separate Bisq client on my phone. I want to access my existing node remotely.

Which is to say that we run the risk of disappointing users either way we go. I'd rather make sure that our existing user base regards Bisq Mobile as immediately useful to them and as a way to get more value out of their existing Bisq node. I'd rather get them in a place where they're using Bisq Mobile all the time as a more convenient way to do all the stuff they would have had to be sitting at their laptop for in the past. If they're actually using the app on a regular basis and loving it, then we'll have the opportunity of taking them on a journey of using the app for new and different use cases, like "becoming uncle jim" for their friends and family. If they dismiss the app out of the gate as "not useful for me because I don't want to run a second node", we'll have lost that opportunity.

[HenrikJannsen]

Yes, to not be able to switch between desktop and mobile would be not great. But other as initially assumed it is actually not that difficult to solve.

Here an idea how it could work:

When shutting down the app we zip the relevant data, encrypt it, assign a version and pub key and send it to one or more storage services. This happens after the p2p network has been shut down, so it is guaranteed that no new data would alter the persisted data. The version gets incremented with each shutdown and is persisted locally.

This storage services could be a dedicated node operated by Bisq, could be an extension of existing nodes (seed, oracle, monitor,...) or just a small headless node running on the users computer if he can assure that the computer is always online.

The storage node is a very simple http server behind tor with a simple API for accepting a storage request, pruning outdated data and removing data (if signature is valid). Very similar as network storage nodes. But more simple as not a p2p node but just a http server.

When the mobile app starts up, it requests from the storage node(s) the latest version and compare it to its local to see if sync is needed. If so, it decrypts it using its private key and send a remove request (with the signature attached to proof ownership). It updates the local version and replace the local storage files with those from the server. Only after that is completed it continues to bootstrap to the network. This ensures that no network messages would interfere with the sync process.

At shutdown it follows the same process as above.

If there are repeated shutdown/start at the same platform, it sees that the local version is the same, thus no need to sync, but it sends the remove request to the server to prune the unneeded file.

It is not supported though to run both in parallel.
When the app has started up it sends a lock message to the server. This lock gets removed at shutdown.
If the other app tries to start up as well, it looks up at the server for a pending lock and if there is one, the user get notified.
As such locks might be not 100% reliable, we might allow the user to override the warning if they are sure that the other app is not running.

If both are running, both apps would use the same onion service, which would lead to indeterministic behavior (I guess tor acts like a random load balancer in that case, some messages might arrive at one node and others on the other node).

Details would need to be worked out, but I think that's a feasible solution and not overly complicate and requires only a very light weight infrastructure node (or additional feature to existing nodes).
The relevant data is relative small (about 100 kb, depending on the number of open trades). All data would have a max TTL (maybe 2 weeks). If needed it could be a paid service, but I guess that would add too much friction.

[rodvar]

@HenrikJannsen thanks for summarizing the options discussed so deeply, bringing also the knowledge from Bisq infrastructure in.

I'm still digesting this big post, for now I'm just gonna drop some small contribs:

• if we were to go full node -> I would just drop the KMP R&D in full and go full Android Native (hassles deeply outweights benefits - and benefits are potentials given the well describes issues we have bringing something like Bisq into the Apple privative world)
• For thin clients, I would 100% go full on KMP (more with full Compose KMP), but if we can't securely provide an "open API" from bisq relays I agree with your comments in regards to this defeating the purpose of Bisq 2 which idea is to make it easy to trade even for BTC newbies.
• Finally, the middle-ground solution (more like an "almost" full node.. right?) -> I need more time to be able to give an opinion, I want to play a bit with Gluom and CodenameOne and will post again here afterwards

[HenrikJannsen]

If it turns out Gluom or CodenameOne is a feasible option it can be used for the full node options and brings back support for iOS.

For the Light node model, my main concern is the re-implementation of large parts. Its hard to me estimate how much that is but a very rough guts estimation might be 40% network code and 60% rest (using lines of code might give more insight but we need to consider that mobile would not impl. all of Bisq 2 code). So we do not gain that much by outsourcing the P2P network part.

[rodvar]

I'm not sure how feasible they are yet, people that used it say depending on what you are trying to port to mobile from Java the build times can become a nightmare, and the result very poor performance why. But definitely worth a POC

Gluon

• has a productive open sourced event organiser app → devoxx/MyDevoxxGluon
• has small/no community
• big pricing tiers, no trials, feels corporative
• has a bunch of middleground rated Android ERP apps on the store
• feels quite corporative...

CodenameOne

• more reasonable pricing with generous free tier
• a reasonable community and support
• backed by Ex Sun Ex Oracle Java dev
• has extensive knowledge sources, youtube videos, tutorials, a book on amazon wrote by the founder
• has demo apps like this one
• has a code initializer tool to get you a project

[HenrikJannsen]

hi @cbeams,

thanks for your feedback and videos.

Here my response:

Multiple aspects

I think we are dealing with multiple aspect and best to tackle them separately.

• API
• Full node model
• Thin client model
• Onboarding friends and family

API

The benefit and need for an API is undisputed. The only question is the priority and when it really is needed. So far we had not sufficient use cases for it beside the existing API for oracle node and monitoring.
We started a Webclient POC but discontinued it as for Bisq Easy there is no need to run a headless node as the maker does not need to be online (in contrast to Bisq 1). For MuSig that will change...
As said priorities matter here. Should we put all effort to an API or should we build MuSig and Mobile first? Of course things can and do happen in parallel, as much as our dev force allows.
Work on the API is a perfect candidate for a single dev or small team to work independently on that and does not require too much domain expertise on Bisq 2 and the underlying concepts.

Full node model

@Rodave got some results with CodenameOne but it would require Java 11 (now we use Java 22), which is probably a prohibitive requirement.
I agree that the cross-platform candidates do not look promising. If we should continue for some limited time to investigate that space is open for discussion, but my arguments as I will lay out soon, are rather to stop that efforts.
Specially as the cross-platform problem is only one for making iOS support feasible. Tor on iOS is another hard challenge.

To limit the full node model to Android is a very feasible option. It requires Java 17 which was until recently the target version for Bisq 2. To revert the Java 22 feature changes is not that much work (I assume a couple of hours). There will be for sure some more issues (persistence for instance) but I think those are all feasible to resolve and I do not see any real critical showstopper so far.

Note, that this model allows the user to use tor or clearnet. The clearnet option requires that Bisq (or the user) runs a headless node with clearnet + tor enabled. This should be a minor dev effort and also an acceptable cost for providing that infrastructure. Details need to be worked out but my estimation is that this does not cause any showstopper.
With the cleannet model, the app-in-background and slow connectivity issues are sufficiently resolved.

Thin client model

As it seems that for iOS the full node model is unfeasible, the only 2 options are to either drop iOS or to use the thin client model.
As the API is anyway needed at some point and as the mobile UI can be developed with KMM the extra work for the thin client on iOS seems relatively low.

The Thin client model can be then also added as optional mode for Android, giving the user more flexibility.

Onboarding friends and family

I would consider that as a new product based on Bisq Easy and the mobile Thin client model as well as some additional features (relay/proxy node, hierarchical user management, xPub key support,...).
I see the benefits of that and it merges perfectly with the goals of Bisq Easy. Once we have the Thin client model in place the extra required features seem to be not that much of an effort, thus the risk that there is not sufficient demand for it, is limited.

Bisq Easy was itself an experiment and for some features like the Learn section the market-fit test is still pending.
I agree that sometimes it is not enough to just ask users as users might not be able to fully envision things which do not yet exist.
If Steve Jobs would have make a survey about what users want, there would be no iPhone.

Mobile UI

For sharing code we could use KMM. I am not familiar enough to estimate the extra effort/complexity to enable KMM UI for a pure Android project as well as on the iOS side. I suspect that make things and build process at least more complex.
As Kotlin and Swift are very similar, and as some tools/AI support exist for converting code, I am wondering if 2 native UI code bases are that much more of an effort.
But I guess best we leave that for later and let the relevant devs working on it to experiment whats the best trade-off here. Either way, it should not be any big problem.

Potential next steps

I think first we should figure out if we want to continue to investigate the feasibility of the cross platform options. Maybe @rodvar could give his conclusion from what he learned so far.

In case we drop that effort, I think next thing is to verify the assumption that a pure Android project is feasible for re-using Bisq 2 code base in a time-boxed POC trial.

Once (and if) that is confirmed, we can look into the best solution for the UI code (KMM or native or other).

For the Thin client model the precondition is the API. So we should start to find a dev/team who are committed to that task.
I fear from the existing devs all are busy with either Bisq Easy, MuSig or mobile. So I think we have to reach out to new devs who are interested and qualified for that task.

Once the API is sufficiently implemented for some mobile use cases one of the mobile devs could take on the integration.

Once the Thin client model is in place we can move towards the Onboarding friends and family product.

Of course we can do stuff in parallel as far we can afford it.

[rodvar]

My 2 satoshis in all of this:

TL/DR;

• Re my conclusions so far, Henrik already anticipated some of the stuff I've been sharing. For CN1 core porting we need to downgrade the code to Java 11 and not only that (might even have to go down to 1.8 in some cases..), do code copy/pasting since jars bytecode couldn't be transpiled by there PaparVM system. I decided to drop that effort and start POCing Gluon (we'll update on this later).
• Full/Light node on mobile -> feasible only for Android but impractical to develop as already discussed before and pointed out by @cbeams once again. My opinion is , if we go this way we need to drop iOS (at least for the "full node" mobile product) and just build a pure Android Native solution, importing downgraded Java 17 jars from whatever code we want to reuse from Bisq core.
• Thin client -> as I stated in the matrix before, this is the way to go if we manage to put together a secure set of APIs. In which case it makes total sense to build it in KMP using Composite UI.
• As @HenrikJannsen pointed out above, there could be parallel work on this if we have the capacity.

Some other notes worth mentioning

It is not correct that Marketshare for iOS its 50/50 with Android. That was the case many years ago but in recent years the Android has eaten the apple in 70%+. However, its worth mentioning that in developed countries it's still 50/50 or slightly inclined towards Apple. (more data on this)

Once again I would like to back @cbeams in terms of his overall idea and big picture of why, for whom and what are we building. His videos are full of a lot of spot on phrases too long to write down.

At the same time, I would like to back @HenrikJannsen in the sense that compromising the security & privacy of Bisq is a no-go by all means

So it all beg the question, can we build a secure API/infra that allows us to just focus on thin shared code mobile solution which is obviously the most cost-efficient/effective solution in terms of time and money?

If the answer is yes which looks like it is from recent convs that it is, then I would just focus on:

• API Dev (& whatever is needed to accomplish the "relay" nodes discussed in the video)
• KMP Compose Dev (iOS & Android thin clients)

And leave the full node Android project out of the "Bisq Easy Mobile" discussion if that makes sense? And then see if we can do both in parallel or if we need to choose, then I would definitely solve "Bisq Easy Mobile" first in words of @cbeams (hope I remember properly from the video) like it or not, we are contributing to build the next Global Financial System infrastructure

Cheers!

[cbeams]

@rodvar wrote:

So it all begs the question, can we build a secure API/infra that allows us to just focus on thin shared code mobile solution which is obviously the most cost-efficient/effective solution in terms of time and money? If the answer is yes which looks like it is from recent convs that it is, then I would just focus on: [API Dev, Relay Dev, KMP Compose Dev] and leave the full node Android project out of the "Bisq Easy Mobile" discussion if that makes sense?

Yes, that makes sense to me, and here's what I would roughly suggest in terms of order of operations:

• A dedicated effort to stand up the simplest possible pure-KMM cross-platform mobile app that communicates via HTTP with a Bisq node to complete the simplest possible use case, e.g. adding a new identity.
• to do this will require getting the KMM app repo and build infrastructure in place, and will require making decisions about the technology stack for and code architecture of the API itself, i.e. how it is integrated into / implemented within the existing Bisq 2 codebase.
• It will also require really understanding and using OpenAPI Generator Tools to generate the KMM-friendly API client libraries.
• Everything will happen naively over clearnet / on the same local network at this point, with no concern for security / authentication etc.
• Once this first and simplest-possible end-to-end use case works, we move on to:
• Securing the API connection and communication, i.e. choosing an auth approach
• Implementing an initial cut of the Bisq (clearnet-to-Tor) Relay
• At this point we can exercise our end-to-end use case of adding a new profile in a real-world environment, e.g. Bisq Mobile app on a cell network, Bisq Relay running on a VPS, Bisq (desktop) node running behind a home router.
• At this point, the only API calls we'll have needed to make will have been normal http calls (probably just GET and POST against an e.g. /identities resource). As mentioned, getting this far will have forced making key decisions about the tech stack we'll use to support those calls. We'd now want to turn our attention to a websockets use case and make sure we've got a sane approach there, ideally one that can be implemented at a code architecture level in a similar way and that can generate client libraries against a spec in a similar way as we're doing on the HTTP side. This will require evaluating, e.g. AsyncAPI and its code generation tools to see if we can use it in the same way we would use OpenAPI for the HTTP side. It may be that the websockets side has to be more of a bespoke implementation, as the ecosystem isn't as mature around websocket APIs it as it is around RESTful APIs. A good example to refer to here is Kraken's API docs at https://docs.kraken.com/api/. You'll see there that they have two separate and separately documented REST and WS APIs, and it's presumable that they are also implemented using different tech stacks under the hood. This is just kind of "the state of things" right now. I'm not sure whether AsyncAPI has legs by the way; it looks promising but I didn't get to the point of trying it in the bisq-x PoC.
• That more ambitious websocket use case could be paging through the offerbook or (better yet) paging through trade history. The offerbook is small enough, especially on Bisq Mobile, to GET in one go or to otherwise page through RESTfully. Trade history isn't a thing in Bisq 2, but it would be the ideal example of something where there's a ton of data and you'd want a websocket to get just as much of it as you're interested in, infinite scroll through it, etc. I'm not sure what other candidates would be good for a websocket use case, but I recommend implementing one early on in the process like this, so that it's not a freakish after-the-fact bolt-on hack when we finally do need it down the road. both http and ws should have first-class treatment all the way, so prioritize making tech stack / implementation decisions about them early in the process.
• At this point, we could just take it step by step, working through all the use cases necessary to get a brand new user up and running with Bisq Mobile, connected to a backend Bisq node, taking and completing a trade. i.e. implement the simplest possible end-to-end trading scenario. There will be tons of design and UX decisions to be made along the way, but at this stage, I would let function rule over form and just get the basic interactions we know for sure need to be implemented into place. Once we've gotten that end-to-end workflow implemented in however ugly and rudimentary a way necessary, we'll know that we finally have the API infrastructure we need to implement additional use cases and further refine this one.

I believe the work described above is a significant, substantial effort and deserves full focus by the mobile dev team. I think trying to also implement a full node client on android at the same time, or in parallel, or with top priority and giving the effort I've described above lower priority are all recipes for failure. I believe the effort required to port Bisq 2's core to an Android (and only Android) environment is a massive distraction from the effort described above and will end up bastardizing the Bisq 2 codebase in the process. I can't emphasize enough how much I think attempting to do this is the wrong direction.

If we want to (try to) support a full-node mode on Android, why not do that after we've implemented the API as described above, and after we've built out a Mobile GUI that can talk to it? Then "all we'd need to do" would be to actually run a headless node in-process with the Android Bisq Mobile app and have that local node serve as the backend Bisq node. I still imagine this won't work well, but if it does, then we'd have the best of both worlds, and we'd only have needed to implement one GUI that always talks to a Bisq node via its API client libraries—even if that Bisq node is running locally right there on the phone. In any case, this would imo clearly be a risky experiment to try after we've gotten the stuff we know we can do done with regard to building out the API and implementing some MVP use cases.

---

@rodvar wrote:

It is not correct that Marketshare for iOS its 50/50 with Android. That was the case many years ago but in recent years the Android has eaten the apple in 70%+. However, its worth mentioning that in developed countries it's still 50/50 or slightly inclined towards Apple.

Thanks, @rodvar, for the fact check. I was very interested to look into the resource you shared. This is what I found there:

Worldwide, you're right, it's a dramatic difference with Android at 72% and iOS at just 28%, but indeed the picture can be quite different in different regions:

Region	Android	iOS
Worldwide	71.85%	27.60%
Africa	85.87%	12.83%
South America	83.45%	16.33%
Asia	81.18%	18.25%
Europe	65.50%	34.02%
North America	55.85%	43.87%
Oceania	51.97%	47.22%

In Europe and especially in North America, it's much closer to parity between the two platforms. And while we might have aspirations of reaching the whole world with Bisq, I think it's roughly correct to say that most of our users today are in the European and North American regions. (A marked exception to this would be Brazil). In any case, this just emphasizes the importance of being clear about who we're (at least initially) building this for. I believe that across Bisq's user base of experienced bitcoiners in the "developed world", a great many of them would report that their friends and families overwhelmingly use iOS devices over Android devices. I know in my own circle of friends and family—the people I would want to onboard to Bisq—it's at least a 10:1 ratio of iOS to Android users. And furthermore, it's the less-technical among them—the ones who'd benefit most from assisted onboarding—that are the iOS users. I don't think I'm alone in this experience. I think many, and perhaps a majority of Bisq's most engaged users would report something similar in their own lives, and that's why I think we should build tools for them first.

[rodvar]

@rodvar For the Android only version: What would you expect are the biggest hurdles? Reverting our code base to Java 17 features is not a big issue, I did those changes a few weeks ago and I can do the revert of those, will not take too much of an effort.

@HenrikJannsen I enlarged on this on matrix, but just to leave a public note on it. I'm referring to what @cbeams described as “practically/pragmatically not doable.”

Even if we manage to overcome the technical hurdles of adapting the Java 22-based Bisq2 core, which was originally built for a desktop app, to fit within the constraints of an Android APK (limited to Java 17), we then face a whole new set of challenges that are specific to mobile runtime environments. These include:

• Battery Usage: Mobile devices are highly sensitive to power consumption, and running processes designed for a desktop environment could severely impact battery life.
• Foreground/Background Process Management: Unlike desktops, mobile apps have to manage transitions between the foreground and background efficiently. Any processes running in the background can be suspended or terminated by the OS at any time.
• OS Process Killing: Mobile operating systems are much more aggressive in managing resources, meaning our app could be killed when memory or CPU resources are constrained.
• Storage Limitations: Storage management is another critical issue. Mobile devices often have limited storage, and managing local data efficiently without exhausting available space is a different challenge compared to desktop.
• Android Fragmentation: Our app is a purpose specific app, security and networking intensive and Android is a wild wild west. Any vendor can install Android and sell it which is an asset of the linux based OS, but also brings challenges for development. Something that works perfectly in Pixel phones might crash in Samsung phones just to give the typical example. I'm afraid the final result would be that the requirements for this full dao app will be high, leaving a small subset of Android devices to be useful

These runtime challenges introduce new complexities that make it a very difficult and resource-intensive project to undertake. Makes sense?

[rodvar]

@rodvar wrote:

So it all begs the question, can we build a secure API/infra that allows us to just focus on thin shared code mobile solution which is obviously the most cost-efficient/effective solution in terms of time and money? If the answer is yes which looks like it is from recent convs that it is, then I would just focus on: [API Dev, Relay Dev, KMP Compose Dev] and leave the full node Android project out of the "Bisq Easy Mobile" discussion if that makes sense?

Yes, that makes sense to me, and here's what I would roughly suggest in terms of order of operations:

• A dedicated effort to stand up the simplest possible pure-KMM cross-platform mobile app that communicates via HTTP with a Bisq node to complete the simplest possible use case, e.g. adding a new identity.
• to do this will require getting the KMM app repo and build infrastructure in place, and will require making decisions about the technology stack for and code architecture of the API itself, i.e. how it is integrated into / implemented within the existing Bisq 2 codebase.
• It will also require really understanding and using OpenAPI Generator Tools to generate the KMM-friendly API client libraries.
• Everything will happen naively over clearnet / on the same local network at this point, with no concern for security / authentication etc.
• Once this first and simplest-possible end-to-end use case works, we move on to:
• Securing the API connection and communication, i.e. choosing an auth approach
• Implementing an initial cut of the Bisq (clearnet-to-Tor) Relay
• At this point we can exercise our end-to-end use case of adding a new profile in a real-world environment, e.g. Bisq Mobile app on a cell network, Bisq Relay running on a VPS, Bisq (desktop) node running behind a home router.
• At this point, the only API calls we'll have needed to make will have been normal http calls (probably just GET and POST against an e.g. /identities resource). As mentioned, getting this far will have forced making key decisions about the tech stack we'll use to support those calls. We'd now want to turn our attention to a websockets use case and make sure we've got a sane approach there, ideally one that can be implemented at a code architecture level in a similar way and that can generate client libraries against a spec in a similar way as we're doing on the HTTP side. This will require evaluating, e.g. AsyncAPI and its code generation tools to see if we can use it in the same way we would use OpenAPI for the HTTP side. It may be that the websockets side has to be more of a bespoke implementation, as the ecosystem isn't as mature around websocket APIs it as it is around RESTful APIs. A good example to refer to here is Kraken's API docs at https://docs.kraken.com/api/. You'll see there that they have two separate and separately documented REST and WS APIs, and it's presumable that they are also implemented using different tech stacks under the hood. This is just kind of "the state of things" right now. I'm not sure whether AsyncAPI has legs by the way; it looks promising but I didn't get to the point of trying it in the bisq-x PoC.
• That more ambitious websocket use case could be paging through the offerbook or (better yet) paging through trade history. The offerbook is small enough, especially on Bisq Mobile, to GET in one go or to otherwise page through RESTfully. Trade history isn't a thing in Bisq 2, but it would be the ideal example of something where there's a ton of data and you'd want a websocket to get just as much of it as you're interested in, infinite scroll through it, etc. I'm not sure what other candidates would be good for a websocket use case, but I recommend implementing one early on in the process like this, so that it's not a freakish after-the-fact bolt-on hack when we finally do need it down the road. both http and ws should have first-class treatment all the way, so prioritize making tech stack / implementation decisions about them early in the process.
• At this point, we could just take it step by step, working through all the use cases necessary to get a brand new user up and running with Bisq Mobile, connected to a backend Bisq node, taking and completing a trade. i.e. implement the simplest possible end-to-end trading scenario. There will be tons of design and UX decisions to be made along the way, but at this stage, I would let function rule over form and just get the basic interactions we know for sure need to be implemented into place. Once we've gotten that end-to-end workflow implemented in however ugly and rudimentary a way necessary, we'll know that we finally have the API infrastructure we need to implement additional use cases and further refine this one.

I believe the work described above is a significant, substantial effort and deserves full focus by the mobile dev team. I think trying to also implement a full node client on android at the same time, or in parallel, or with top priority and giving the effort I've described above lower priority are all recipes for failure. I believe the effort required to port Bisq 2's core to an Android (and only Android) environment is a massive distraction from the effort described above and will end up bastardizing the Bisq 2 codebase in the process. I can't emphasize enough how much I think attempting to do this is the wrong direction.

If we want to (try to) support a full-node mode on Android, why not do that after we've implemented the API as described above, and after we've built out a Mobile GUI that can talk to it? Then "all we'd need to do" would be to actually run a headless node in-process with the Android Bisq Mobile app and have that local node serve as the backend Bisq node. I still imagine this won't work well, but if it does, then we'd have the best of both worlds, and we'd only have needed to implement one GUI that always talks to a Bisq node via its API client libraries—even if that Bisq node is running locally right there on the phone. In any case, this would imo clearly be a risky experiment to try after we've gotten the stuff we know we can do done with regard to building out the API and implementing some MVP use cases.

@rodvar wrote:

It is not correct that Marketshare for iOS its 50/50 with Android. That was the case many years ago but in recent years the Android has eaten the apple in 70%+. However, its worth mentioning that in developed countries it's still 50/50 or slightly inclined towards Apple.

Thanks, @rodvar, for the fact check. I was very interested to look into the resource you shared. This is what I found there:

Worldwide, you're right, it's a dramatic difference with Android at 72% and iOS at just 28%, but indeed the picture can be quite different in different regions:

Region Android iOS
Worldwide 71.85% 27.60%
Africa 85.87% 12.83%
South America 83.45% 16.33%
Asia 81.18% 18.25%
Europe 65.50% 34.02%
North America 55.85% 43.87%
Oceania 51.97% 47.22%
In Europe and especially in North America, it's much closer to parity between the two platforms. And while we might have aspirations of reaching the whole world with Bisq, I think it's roughly correct to say that most of our users today are in the European and North American regions. (A marked exception to this would be Brazil). In any case, this just emphasizes the importance of being clear about who we're (at least initially) building this for. I believe that across Bisq's user base of experienced bitcoiners in the "developed world", a great many of them would report that their friends and families overwhelmingly use iOS devices over Android devices. I know in my own circle of friends and family—the people I would want to onboard to Bisq—it's at least a 10:1 ratio of iOS to Android users. And furthermore, it's the less-technical among them—the ones who'd benefit most from assisted onboarding—that are the iOS users. I don't think I'm alone in this experience. I think many, and perhaps a majority of Bisq's most engaged users would report something similar in their own lives, and that's why I think we should build tools for them first.

I agree with this generally speaking for the reasons stated in my previous comment.

When I said before "leave full-node project out of Bisq Mobile discussion" I meant exactly that, create a new discussion and see how many people engage with it. If we have a lot of enthusiasts on the idea jumping in then great, we might be able to do it in parallel. If we don't, then it will have to wait (at least for us to jump in :) ) till we get at least the core of Bisq Mobile to a beta phase.

Maybe we should bring this to a more general matrix discussion to see what involved Bisq people think about it? Henrik suggested doing a poll above. We obviously want the people involved in the our DAO to support us with whatever path we end up taking.

[HenrikJannsen]

Even if we manage to overcome the technical hurdles of adapting the Java 22-based Bisq2 core, which was originally built for a desktop app, to fit within the constraints of an Android APK (limited to Java 17), we then face a whole new set of challenges that are specific to mobile runtime environments. These include:

Battery Usage: Mobile devices are highly sensitive to power consumption, and running processes designed for a desktop environment could severely impact battery life.
Foreground/Background Process Management: Unlike desktops, mobile apps have to manage transitions between the foreground and background efficiently. Any processes running in the background can be suspended or terminated by the OS at any time.
OS Process Killing: Mobile operating systems are much more aggressive in managing resources, meaning our app could be killed when memory or CPU resources are constrained.
Storage Limitations: Storage management is another critical issue. Mobile devices often have limited storage, and managing local data efficiently without exhausting available space is a different challenge compared to desktop.
Android Fragmentation: Our app is a purpose specific app, security and networking intensive and Android is a wild wild west. Any vendor can install Android and sell it which is an asset of the linux based OS, but also brings challenges for development. Something that works perfectly in Pixel phones might crash in Samsung phones just to give the typical example. I'm afraid the final result would be that the requirements for this full dao app will be high, leaving a small subset of Android devices to be useful

These runtime challenges introduce new complexities that make it a very difficult and resource-intensive project to undertake.

There are several options between 100% full node and reduced p2p node.I think we can even leave it to the user how far they want to go:

• Use Tor or clearnet. With clearnet we dont need to run tor in the background and there are no latency issues
• Number of peers: can be between 1 and 12 (as Desktop). I guess 4 is sufficient for replicating a P2P environment. But even with one it would work. I doubt 4 connections, are any really CPU drain concerns. Videos consume for sure more.
• Storage: Its not much data we need to store. The only dev issue here is to use a diff. persistence system (the default db model Android supports).
• Java 17: As said thats a minor effort and we just recently updated to Java 22.
• Android Fragmentation: I cannot say much to that as I am an iOS user. But it will effect both types of apps, so if its that terrible as you describe we should re-think if any investment is worth it. Sure a more complex app might come with more troubles. But there are plenty of other complex and large apps out and the managed to get that working.

[rodvar]

@HenrikJannsen with those simplifications it place it becomes much more appealing. I guess I'm concerned about the performance of our current Bisq2 modules in the app.

But with those things in mind we could definitely kickstart a pure Android POC, I would be happy to take that, Maybe I could be the first line for it and do tech barrier removal and support for Buddha to kickstart the KMP thin client.

[HenrikJannsen]

It is a bit frustrating to me how quickly the model which mirrors best the essence of Bisq gets dropped. Bisq never went the easy or proven/industry way. And managed to invent new solutions and overcome challenges. I don't think that the mobile app is as challenging as many other things we achieved like the DAO,...

I suggest we make a survey to learn more about our users and contributors preferences.

And just to make clear, those 2 models are not exclusive but a matter of priorities and cost/benefit ratio. I totally support that we do both. But I totally disagree to drop the full node model before we have even tried.

I think I have explained sufficiently about technical backgrounds and laid out my arguments. I leave if from here and log off from that discussion and focus on other areas or if I find time give myself a shot for the Android full node model.

[HenrikJannsen]

Getting the headless node running is the same as getting the complete app running.
E.g. to use a REST API or Java API does not make much difference from dev effort but adds only unneeded friction and indeed cause more effort. In fact if I would work on it, it would be for a long time only core-stuff (network, domains) and the UI would happen very late when the hard problems are solved.

[rodvar]

Hey guys @cbeams @HenrikJannsen , I'm hoping that we can try to arrive to some consensus here so that we start focusing our efforts collaboratively cause at the end of the day we are all trying to contribute to get Bisq in mobile.

Things we can say we all agree

Full / Light node mobile

1. full node bisq mobile is not possible for iOS and practically impossible for Android
2. light node bisq on mobile is something we all agree we want as part of Bisq decentralized p2p network.
3. light node solution should contain as much curated Bisq core code as possible
4. (3) is completely feasible on Android though some performance worries, with enough simplications it should work and work can start now
5. light node bisq on iOS needs some sort of transpilation solution to get Bisq core in, efforts on testing this have proven it not possible at the moment

Conclusion/next lines of dev: Make an Android Native POC incorporating bisq core modules till we can get clearnet p2p bisq connectivity

Node-less Thin client + Bisq API (bisqd)

1. We all agree a secure API is desirable to be able to extend Bisq usage to many platforms as long as it doesn't compromise current Bisq security & privacy models.
2. We all agree that this seems like the only solution feasible for iOS, and that is fundamental at the moment (at least for developed countries) to have this as part of Bisq Mobile project
3. KMP Compose seems the perfect candidate for a thin client iOS and Android apps dev
4. Significant work has started on the project called bisq-x to expose an API, we could leverage that effort and follow the path cbeams described above to get a POC. This can start now.

And finally, some of us only are ok with working with one but no the other option and that's ok. It all contributes to the same good cause. As of myself, I would like to contribute in both options with the simplifications we have decided in this conversations starting today.

Do you guys subscribe to this?

[HenrikJannsen]

Thanks for summarizing and helping to find consensus.

practically impossible for Android

I dont agree on that. Even the 8 connections over Tor model is possible. But the options to reduce connections (4 is sufficient) and to use clearnet makes it even more feasible to run on mobile. Bisq 2 is quite lightweight and the main CPU consumer is the JavaFX UI. We also do not need lot of stuff from desktop like the normal chat rooms which contains much more messages as the offerbook.

light node bisq on mobile ...

I think you mean with "light node" that full mode with reduced options, not the "Light node model" I described in the model overview ("In that model we would delegate the networking part to a relay node and use a REST API between the mobile client and the relay node.").
The terms might be a bit arbitrary but better to stick to them so that we talk about the same...

I refer to the downgraded full model as full model as it still follows the same p2p architecture and the user can scale up as he wish.
The reduction of connections is just a parameter and a reliability downgrade nothing conceptually different. It could happen even to a normal Desktop client if they get bad connections.

The clearnet option adds a bit for differences as described in the model overview. But I still consider that a full P2P model and multi-network support (clearnet+tor) is a core-feature in Bisq2 and was mainly intended for seed nodes to syn among them via clearnet. For normal users tor+i2p will be the default once we have i2p running. For mobile clearnet only can work as well in the constraints described in the overview.

some of us only are ok with working with one but no the other option and that's ok

If you refer to me by that, I don't mean that we should work only on one model. To work in parallel on the API+thin client model and on the Android only full model is what I have in mind. Priorities can be set by devs and if some devs to prefer to work only on one model, that's ok.

The only think I am strictly opposed to is to drop the full model without having found evidence that it cannot work.

[HenrikJannsen]

Actually to avoid the confusion with Full-node model, clearnet-based full node and light node, maybe we should rename the earlier light node model to something like Delegated node model (p2p got delegated to a node and accessed via rest api).
Light node is then a suitable description... i will rename the term used in the overview...

[rodvar]

Just posting here what we just chatted on matrix that clarifies the above.

I found that we could have one codebase to rule them all, in KMP. The structure would look something like this:

- root
  - shared                  // KMP shared module (UI + business logic)
    - src
      - commonMain          // Common shared code (UI + logic) -> we expect this to have 90+% of the UI code of the 3 the apps and probably the Client app networking and domain impls
      - androidMain         // Android-specific implementations for shared code
      - iosMain             // iOS-specific implementations for shared code
  - androidNodeApp          // This is basically Bisq Android Implementation. We'll try to get in as much of Bisq core as makes sense
  - androidClientApp          // Called "Thin" above. Android App. We expect this to have <10% UI specific code 
  - iosClientApp              // Our only Bisq Mobile iOS App. Should use the KMP Compose UI code except specific cases, and will have native specific code when its needed (typical example is storage, we'll see)

** please note that the last 3 folders correspond one to each of the apps this project can generate. One codebase, 3 apps.**

re the practically impossible for Android, let's build it brick by brick and see how far we can go!

[HenrikJannsen]

I just tried out to get Bisq 2 common code base (copy/paste src code, not as jars yet) complied in Android Studio. Was not hard.

There have been few classes which use not supported APIs and 2 where we used features not supported in Java 17.

I also got all gradle dependencies and protobuf compilation running. Of course nothing tested for functionality but just wanted to see how difficult it is to get stuff compiled. Sure lot more stuff to do (e.g. proto lite,...), but I am confident I can get up to the network module in the next days.

For the not supported classes we can move those to a new module in Bisq 2 which will not be used.

Not supported SDK classes:
java.lang.management.ManagementFactory in JvmUtils
com.sun.nio.file.SensitivityWatchEventModifier in FileCreationWatcher
java.lang.management.ManagementFactory, java.lang.management.ThreadMXBean in ThreadProfiler


Not supported language features for Java 17:
CompletableFutureUtils
MemoryReport

[rodvar]

That's great @HenrikJannsen , would you like to upload it here , maybe in a light-android folder? :)

[HenrikJannsen]

Once I have something reaonsable I will share...

[HenrikJannsen]

Here my WIP POC...

https://github.com/HenrikJannsen/bisq2/tree/adjustments-for-andorid-support
https://github.com/HenrikJannsen/andorid_only_poc

Current state:

• added new internal module and moved classes there which are not supported by the Android SDK or use features not supported in Java 17 (those could be downgraded later and moved back to common).
• Add protobuf source to be included in jar
• publish common lib to local maven repo
• Resolve common lib in Android and use Version to display the version string.
• Protobuf compilation works in Android using the protobuf file included in the jar.

TODO on Java side:

• move group = "bisq" to root properties
• move version = project.version into publishing task
• make publishing generic

TODO on Android side:

• Use proto lite instead default protobuf
• Clean up protobuf dependencies

[nis-ship-it]

Hi everyone, new here!! Well I read some bits of the convo above, and I could agree on using KMP either with composeUI or combine swiftUI + ComposeUI accordingly.

I don't have much clue on running full node so wouldn't know about it.

If everything has been decided, could we make issues?

[rodvar]

hey @nis-ship-it thanks for joining the conversation!

That's great to hear, we can't wait to start full-on dev on this.

Issues will start to be created at some point this week along with completing a bit more on the README docs aiming to help people joining the project as much as possible to contribute valuable work, so stay tuned!

The Issue creation (or Work Breakdown) will be useful to have a rough estimation of how much time is needed to get to a beta stage for the 3 apps, we want to make sure to run this through the DAO voting so that the most staked in people in Bisq validate the general idea.

What can you do at this stage? Please check the project README, download the bisqapps KMP code and follow the get started guide and let us know of any issues that you 'll find (along with the details of the hardware you are using).

Stay tuned! 💪

[rodvar]

@nis-ship-it as you probably seen, we ended up scheming a rough WBS on the MVP proposal and creating the bare minimum tasks we need for now. Just reaching out to you since you've shown interest, would you be up for taking some work?

maybe starting up with something small like adding Koin for DI to the project? or please just reply to this comment with your views on how you see yourself participating, or reach out to me directly on matrix. Thanks!

[nis-ship-it]

@rodvar thanks for reaching out, don't mind taking tasks

[HenrikJannsen]

Update for the work on the full node model:

Completed:

• Downgrade to Java 17 features and Android compatible code base merged into Bisq 2 main.
• Branch for Android POC using that Bisq 2 code base is created here: https://github.com/HenrikJannsen/andorid_only_poc/tree/use-code-from-production-pr
• As mobile node does not accept inbound connections, we get the messages delivered by the outbound connections from the gossip network. Sending a direct message fails and then the message gets wrapped into a mailbox message and broadcast to the network, thus reaching the mobile app.
• Implemented use cases with log-messages on screen output:
  • Display application state
  • Read persisted data
  • Display default key ID
  • Display language (from settings)
  • Create new user identity if none is present and publish user profile to network
  • Display network node state
  • Display number of connections
  • Display market price
  • Publish a random message to discussion chat (commented out to not spam the live chat if used with tor)
  • Delete messages (auto delete past messages older than 30 sec)
  • Listen on discussion chat messages
  • Listen on private messages
• Setup with a local relay node (Bisq2 node configured to use clearnet+tor) allows bridging into the tor network (Bisq 2 live network)

Next steps:

• Add gradle tasks for publishing jars (was working for normal modules but not for complex modules like network)
• Use those jars as dependencies (atm. we copy/pasted the Bisq 2 code)
• Integrate it into the Bisq-mobile project (more complex project structure)
• Get tor running (might not be missing that much to get there)

Open discussion:

• Define concept for native mobile notifications
• How to support the build-up reputation use cases for sellers (can be delegated largely to Bisq 2)
• Discuss concept for data directory sync with desktop (based on Bisq Easy Mobile #2665 (reply in thread)
• Investigate privacy risks and mitigation options
• Discuss if the required relay nodes (clearnet+tor) should be done by seed nodes or if we introduce new nodes/bonded roles?

[HenrikJannsen]

Potential future protocol support

The scope for Bisq Mobile is currently limited to Bisq Easy. As we saw in recent discussions this was not obvious to others and the question about support for potential future trade protocols should be discussed here more in details.

To make clear why Bisq Easy is "easy" to support on mobile there are the 2 main factors:

• No need for a wallet integration
• Maker do not need to stay online

Those factors are not present with other protocols. As details about other protocols beside MuSig are less clear at that stage, lets focus on MuSig only. Though it can be expected that other protocols like Bisq Lightning come with even more challenging requirements.

MuSig (conceptually similar to Bisq 1 multiSig)

The trade protocol requires integration of a wallet, and due requirements for MuSig a custom wallet implementation which will likely be done in Rust. For the blockchain date retrieval it can be that we use a Java based implementation and it might even utilize our P2P network.
Conceptually the maker needs to be online as the protocol is interactive and requires the maker to sign transactions at take-offer time.

Full node mode on Android

For a standalone mobile app those requirements come with severe challenges.

• Implement the wallet for mobile and integrate it into the app
• Maker use case is unfeasible for most users as they do not want to run the app in background and drain battery. So it would be only useful for takers or a very small subset of users, thus limiting a lot the usefulness.

From my POV the cost/benefit ratio is not justified to implement that.

Thin client mode

Here we have to separate between the self-hosted model and the "Uncle Jim" model.

Thin client mode connected to self-hosted full node

In that model the mobile app is a pure remote control to the full node. Thus the Bitcoin wallet is part of the full node and the requirements for the mobile app are just UI and API calls, thus not representing any technical or conceptual challenge. The only challenge is on the UX side, as the MuSig protocol is much more complex and comes with extra required features like arbitration and payment account management. But I consider those as solvable challenges. Thus I consider for that model it would be feasible to support other future protocols.

Thin client mode connected to full node hosted by a trusted party ("Uncle Jim")

In that model it is assumed that the wallet is on the mobile app side for limiting security risks and liability to the full node provider.
With that, we inherit the technical challenges for the wallet integration as well as the conceptual requirement that the maker need to be always online. As the model is designed for on-boarding newbies that limitation might be less problematic, though.

As the thin client model is intended for both Android and iOS the integration effort for the wallet would be required for both the Android and iOS environment, which pose a significant effort and challenge. From my POV bases on assumptions for the wallet tech stack I consider that a prohibitive cost for the gained results.

Reconsider the mobile deployment options

So far we had in mind that one mobile app will come on Android with the option to run as full node or as thin client. For iOS only as thin client.
Though even if we limit the scope to Bisq Easy the thin client model has already 2 different variants which come with different requirements.

The thin client mode connected to full node hosted by a trusted party ("Uncle Jim") requires 2 extra features:

• Hierarchical account management (e.g. Uncle Jim is the "root" user and can create new "users" with limited rights, this is different to the current multi-identity concept)
• Managing of client side Bitcoin addresses (current idea is to share the xPub key with Uncle Jim if Bitcoin is used. For LN there is no suggestion yet made how to solve that issue). As for Bisq Easy no transaction signing is needed but only the Bitcoin address this is a feasible requirement with the current constraints.

The thin client mode connected to self-hosted full node does not need those features.

Considering the different scopes we could see the mobile apps as 3 different apps in fact:

• Bisq Easy mobile: Android only full node
• Bisq remote: iOS+Android; thin client mode connected to self-hosted full node; will support MuSig and other future protocols
• Bisq Easy friends&family: iOS+Android; thin client mode connected to full node hosted by a trusted party ("Uncle Jim")

This does not mean that we should deploy 3 apps, but to be aware that those are kind of 3 different apps and we might model it in the app, so the user can switch between those 3 flavors.

[cbeams]

Appreciate this thinking and believe it's headed in the right direction. I think the key here is how we are framing Bisq Mobile, even if only in our own minds for right now. There's a world of difference between flatly saying "Bisq Mobile is only about Bisq Easy" and saying that "while Bisq Mobile's initial release / MVP is scoped only to Bisq Easy for the good reasons detailed above, that we see it as the vehicle through which we can bring most or all Bisq trading protocols to mobile in the future, along with the several node access models discussed (local, remote, uncle jim / friends & family), and that we're going to do it step by well-scoped step". The former framing is imo a downer; the latter ambitious and exciting. I think it's important we keep the latter's "bigger future" in mind, even as we intentionally build out something more modest in the near term. First, because it is imo just way more motivating; second because it actually makes us think differently and make better decisions now that can facilitate that bigger future actually getting realized.