> you can trust an active and well reviewed OS project.
You can... you should still review the code or make sure code has been peer reviewed recently, compile it yourself or verify signatures of the binaries you will download. It might sound tedious, but honestly it's the minimum you can do if you plan to store a significant amount of money in a wallet.
That and/or buy and use a hardware wallet with the same due diligence done on the company and shop you're going to buy it from (always prefer official outlets and never use pre-configured wallets, of course).
So I made this tiny list:
* Its code is at least open source with a free license. Better if it is an open source project.
* Check that it is possible for anyone to build the software.
* Check that you are able to verify signatures for releases.
* It has a checksum file. Usually the checksums are in the same file as the signature (the checksums are signed).
* Check that the code has been in the wild for some time and that it has a community built around it.
* Check that the latest releases are accompanied by the corresponding updated code.
* Check if the app is well documented.
* It has real-life people with real identities maintaining it. Usually the people authorized to update the code at the repository.
* Check if it has a working support team / forum.
* Ask in social media about other users' opinions.
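Items 2 to 4 of that list (build it yourself, verify release signatures, signed checksum file) are a procedure, so here is a worked version of the verification step. This is an added example, not code from the thread or from any wallet project. It assumes the project publishes a `SHA256SUMS` file with a detached `SHA256SUMS.asc` signature, that `gpg` is installed, and that you have already imported the maintainer's key and written down its fingerprint from an out-of-band source; the `PINNED_FINGERPRINT` value and the sample gpg status lines are placeholders constructed for the example.

```python
"""Verify a wallet release against its signed SHA256SUMS file.

Added example (not any project's code). Assumes gpg is installed and the
maintainer's key was imported and its fingerprint checked out of band.
"""
import hashlib
import os
import re
import subprocess
import tempfile

# Placeholder: replace with the fingerprint you verified out of band.
# Pin the fingerprint; gpg exits 0 for a signature from ANY key in your keyring.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"

_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % raw)
        sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def checksum_matches(path, sums):
    """True only if the file is listed in the sums AND its digest matches."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return False  # an unlisted file is a failure, never a pass
    return sha256_of(path) == expected

def signing_fingerprints(status_output):
    """Return (signing_key_fpr, primary_key_fpr) from gpg --status-fd output.

    Only the VALIDSIG line carries full fingerprints; a GOODSIG line alone
    does not tell you which key signed. Returns None if no valid signature.
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> <primary-fpr>
            primary = parts[11] if len(parts) >= 12 else parts[2]
            return parts[2].upper(), primary.upper()
    return None

def signed_by_pinned_key(status_output, pinned=PINNED_FINGERPRINT):
    """Accept only if the pinned fingerprint is the signing or primary key."""
    fprs = signing_fingerprints(status_output)
    return fprs is not None and pinned.upper() in fprs

def gpg_status(sig_path, data_path):
    """Run gpg and return its machine-readable status lines (needs gpg)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def verify_release(binary_path, sums_path, sig_path, pinned=PINNED_FINGERPRINT):
    """Check the signature on the checksum file first, then the binary's digest."""
    if not signed_by_pinned_key(gpg_status(sig_path, sums_path), pinned):
        return False, "checksum file not signed by the pinned key"
    with open(sums_path) as f:
        sums = parse_sums(f.read())
    if not checksum_matches(binary_path, sums):
        return False, "binary digest does not match the signed checksum file"
    return True, "ok"

# Constructed gpg status output, shaped like gpg's output for a good signature.
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 "
    "1704067200 0 4 0 22 10 01 " + PINNED_FINGERPRINT + "\n"
)

def demo():
    """Constructed release files: returns (intact_ok, tampered_ok, unlisted_ok)."""
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "wallet-1.0.tar.gz")
        with open(binary, "wb") as f:
            f.write(b"constructed release payload")
        sums = parse_sums("%s  wallet-1.0.tar.gz\n" % sha256_of(binary))
        intact = checksum_matches(binary, sums)
        with open(binary, "ab") as f:
            f.write(b"!")  # attacker changes one byte of the download
        tampered = checksum_matches(binary, sums)
        unlisted = checksum_matches(os.path.join(d, "other.tar.gz"), sums)
    return intact, tampered, unlisted

if __name__ == "__main__":
    print(demo(), signed_by_pinned_key(SAMPLE_STATUS))
```

Two design choices matter here. The signature is checked before the checksums because an unsigned `SHA256SUMS` downloaded from the same server as the binary proves nothing: whoever replaced the binary can replace the checksum file too. And the check is for a specific pinned fingerprint rather than "gpg returned 0", since any key that happens to be in your keyring would otherwise pass; comparing against the primary-key fingerprint also keeps the check working when the project rotates its signing subkey.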
Good list. If you can verify those "signals" it's a great sign that this software wallet is secure enough to use. In any case it would be much safer than any similar but closed source project just because we know for a fact that security through obscurity does not work in this space... it leads to fiascoes like this one with Coinomi.
Someone at Google stole $70K? That's probably a bigger part of this story, as lots of stuff is sent to Google all the time. And this being the only reported case here... I'm thinking user error, or an otherwise compromised PC. Or no funds stolen, just moved to create FUD. Google gets so much shit sent to them that they are not watching for random word strings to show up.
EDIT: I've read more about it. The alleged victim 1) acted like a douche making demands, 2) seems to know enough to trace web traffic but doesn't have enough of a clue not to use wallets not listed on bitcoin.org, and runs an unlisted wallet on Windows, 3) is probably scamming.