Overview
This document explains what XMR-Miner does and does not do, the permissions it requires, and the risks you should understand before using it.
Android Permissions
XMR-Miner requests the following permissions:
| Permission | Purpose | Required? |
|---|---|---|
| INTERNET | Connect to mining pools | Yes |
| FOREGROUND_SERVICE | Keep mining when app is in background | Yes |
| WAKE_LOCK | Prevent CPU from sleeping during mining | Yes |
| RECEIVE_BOOT_COMPLETED | Optional: auto-start mining on device boot | No |
Permissions NOT Requested
XMR-Miner does NOT request:
- READ_CONTACTS - No access to your contacts
- READ_SMS - No access to your messages
- CAMERA - No camera access
- RECORD_AUDIO - No microphone access
- ACCESS_FINE_LOCATION - No location tracking
- READ_EXTERNAL_STORAGE - No access to your files
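The two permission lists above can be checked against the APK you actually downloaded. The following is an added example, not part of XMR-Miner or its documentation: it parses the text printed by `aapt dump permissions <apk>` (Android SDK build-tools) and compares it with the lists on this page. The sample output and the package name in it are constructed.

```python
import re

PREFIX = "android.permission."
# Permissions this page lists as requested.
DECLARED = {PREFIX + p for p in (
    "INTERNET", "FOREGROUND_SERVICE", "WAKE_LOCK", "RECEIVE_BOOT_COMPLETED")}
# Permissions this page lists as NOT requested.
DENIED = {PREFIX + p for p in (
    "READ_CONTACTS", "READ_SMS", "CAMERA", "RECORD_AUDIO",
    "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE")}

# Accepts "uses-permission: name='X'", the older "uses-permission: X",
# and the "uses-permission-sdk-23" variant; ignores "permission:" definitions.
LINE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump):
    """Return the set of permission names requested in an aapt dump."""
    matches = (LINE.match(line.strip()) for line in dump.splitlines())
    return {m.group(1) for m in matches if m}

def audit(dump):
    """Compare requested permissions with the two lists documented above."""
    requested = parse_permissions(dump)
    return {
        "contradicts_page": sorted(requested & DENIED),
        "undocumented": sorted(requested - DECLARED - DENIED),
        "declared_but_absent": sorted(DECLARED - requested),
    }

def is_consistent(dump):
    """True when nothing beyond the four documented permissions is requested."""
    report = audit(dump)
    return not (report["contradicts_page"] or report["undocumented"])

# Constructed sample output (package name is a placeholder, not the real one).
SAMPLE_OK = """package: com.example.xmrminer
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.FOREGROUND_SERVICE'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: android.permission.RECEIVE_BOOT_COMPLETED
"""
# Constructed sample of a repackaged build that asks for more.
SAMPLE_MODIFIED = SAMPLE_OK + """uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE' maxSdkVersion='28'
"""

if __name__ == "__main__":
    for label, dump in (("ok", SAMPLE_OK), ("modified", SAMPLE_MODIFIED)):
        print(label, is_consistent(dump), audit(dump))
```

A consistent result only shows that the manifest matches this page; it does not replace the checksum and GPG signature checks described under Verifying the Application.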
What the App Does
- Performs RandomX cryptographic computations on your CPU
- Connects to mining pool servers over TCP
- Sends computed hashes (shares) to the pool
- Monitors device temperature and battery
- Displays statistics (hashrate, shares, etc.)
What the App Does NOT Do
- Does not collect personal information
- Does not send analytics or telemetry
- Does not access files, contacts, or messages
- Does not contain advertisements
- Does not make network connections except to configured pools
- Does not store your wallet's private keys (only the public address)
Risks and Considerations
Hardware Risks
CPU and Battery Stress:
- Mining causes sustained high CPU usage
- Generates significant heat
- May accelerate battery degradation over time
- Could potentially reduce device lifespan
Mitigation
- Use temperature limits (recommended: 70°C max)
- Mine only when plugged in
- Use fewer threads for less heat
- Don't mine on devices with poor cooling
Financial Risks
- Electricity cost will exceed mining revenue
- XMR price is volatile
- Mining difficulty increases over time
- Do not expect profit from mobile mining
Network Privacy
- Pool operator sees your IP address
- Pool operator sees your wallet address
- Using Tor/VPN can mitigate IP exposure
Threat Model
Threats We Protect Against
- Malicious APK modification: GPG signatures and checksums verify authenticity
- Pool impersonation: SSL/TLS encryption for pool connections (when supported)
- Local data theft: No sensitive data stored on device
Threats We Do NOT Protect Against
- Compromised device: If your device has malware, all bets are off
- Pool operator logging: Pools can log your IP and wallet
- Network surveillance: ISP can see you're connecting to mining pools
- Physical device access: Anyone with your device can see your wallet address
Verifying the Application
To ensure you have an authentic, unmodified copy of XMR-Miner:
- Download only from this official website
- Verify the SHA256 checksum matches
- Verify the GPG signature
- Optionally: build from source yourself
See How to Verify for detailed instructions.
Source Code Audit
The source code is available for review:
- GitHub: github.com/user/xmr-miner
- All releases are tagged and signed
- Community review welcomed
Reporting Security Issues
If you discover a security vulnerability:
- Do NOT open a public GitHub issue
- Email details to: [email protected]
- Include steps to reproduce
- Allow reasonable time for a fix before disclosure