Show HN: Wealthfolio: Private, open-source investment tracker (wealthfolio.app)
Thank you for your comments, just some context:
- The app is a simple desktop application that works on macOS, Windows, and Ubuntu.
- I developed this app for my own needs. Getting tired of SaaS app subscriptions and privacy concerns.
- For now, the activities are logged manually or imported from a CSV file. No integration with Plaid or other platforms.
- No monetization is planned for now (only a "buy me a coffee" if you use and appreciate the app).
276 comments
[ 2.0 ms ] story [ 283 ms ] threadHow do you get current market prices for investments?
It's gonna take a lot to pry me away from my spreadsheets. They are simple and just work. Ages and ages ago I used MS Money but once they shut down I never migrated to the 'sunset edition,' just switched to excel. I keep trying things, but without local, automatic sync to my accounts, nothing is as simple and effective as a simple spreadsheet, for me.
Adding accounts manually is painful. We used to do it with Open Banking, but since this is open-source, I appreciate that it cannot be done with Open Banking. However, an option to upload a statement (CSV) will simplify the process.
The same goes for adding securities. I believe you can get an eToro statement that shows you everything, and then you can parse it to populate the information.
Good luck!
> Import your statements from your broker or bank.
Exactly what brokers/banks that are supported should be listed somewhere and linked here, as that's a "make or break" feature for a lot of people I bet. Not much point in replacing my homegrown "Banks CSV export -> Data processing > Import into spreadsheet" workflow unless I just replace that last step but the previous ones remain the same.
Unfortunately, depending on an open-source tool to do this is a double edged sword if it had these features, because we would be opening the risk of supply-chain attacks -- malicious actors getting commits into the repository code which cause the program to send your data elsewhere -- or worse, deplete accounts' funds.
I never used it, but didn't that ask you for the username/password in order to do its job? If so, I wouldn't touch it with a ten-foot pole.
> cause the program to send your data elsewhere -- or worse, deplete accounts' funds.
Again, seemingly because their shitty architecture would that even be possible.
There are modern (possibly only European?) standards nowadays that forces the banks to expose proper APIs for doing things like that. Would require a business entity to deploy to production (I think that's one of the requirements?) but otherwise wouldn't be a huge task compared to manually scraping stuff.
I was in the market for a new bank, so I ended up coming up with my short list of banks I’d look at moving to, then went to Every Dollar to try adding accounts to see what kind of prompt I was met with. Anything that required the 3rd party to store my creds was out of the running. I ended up ending a 20+ year relationship with a bank of this. There were other things too, but this was the straw that got me to actually cut ties.
I assume Mint was similar. I used it a long time ago, probably when I was more trusting in my youth.
This is FUD. You’re describing open-commit, which I don’t think anyone does. Open source is not more susceptible to supply chain attacks than closed source software.
(Example of richness: splitting am Amazon CC charge into the multiple expense accounts for the items that went into the order, and also accounting for the CC rewards and the Gift Card balance that contributed.)
I tried taking a break from GnuCash for maybe year, and going to a spreadsheet, and found: (1) it was still substantial work to maintain an accurate view of balances, and (2) I was missing a lot of information I found I needed in practice.
Same purchase from amazon? Difficult, because you have two layers of indirection: checking account > credit card > amazon > it equipment.
Currently testing a new spreadsheet approach to deal with such scenarios, but not easy.
Then again I'd never trust rules to do everything right anyway, so I'm reviewing at least once to reconcile.
Not to mention the second paragraph is "no more worries about SaaS services playing around with your data"
I ended up coding a small exporter[2] since I already had some stack in place that queries SimpleFI[3], which essentially allows querying balance and transaction information for most US-based banks (read only); most similar to plaid but a lot more developer-friendly afaik.
[1] https://actualbudget.com/
[2] https://github.com/eduser25/simplefin-bridge-exporter
[3] https://beta-bridge.simplefin.org/
SimpleFIN on the other hand seems to be pretty good for dev work; plus very responsive in terms of questions and requests. Can only speak good of them.
SimpleFIN looks pretty.. simple, at least from a glance. When I get time, I'll actually give it a shot.
Woob does a great job of providing a good API for automating the web, and sure, not everything works, but it's a good start. Unfortunately, it seems it's not very well known still.
[0] https://woob.tech/
I have also seen some apps use https://www.simplefin.org/
I have in the past switched physical banks purely because their integration was either terrible or not working and I refused to go the "download CSV" route.
Unfortunately some banks are starting to drop support for applications directly connecting to them, and moving to an unacceptable model where intermediaries like Intuit's servers have to do the communication and store your credentials. This has been getting noticeably shittier in the last couple of years.
My #2 requirement (a close second) is that the application must be running on my local PC. I will never accept a cloud-based web-app or something I have to host on a VPS and access through some dinky HTML/JS UI.
> My #2 requirement (a close second) is that the application must be running on my local PC. I will never accept a cloud-based web-app
You're lucky you don't live in the EU since well then you are straight out of luck since the bank APIs are only available to commercial entities thus the software generally is in the cloud and costs money.
Under the "open banking" scheme, not even massive companies can get API access to their own accounts. It only requires banks to give service providers access that allows their customers to essentially OAuth login into those services with their bank accounts. There is no "I just want my own account" API, only the general one.
And becoming a licensed provider is insanely hard because it's assumed you'll be actively managing millions of euros for tens of thousands of customers, when in reality, all you want is read-only access to one or a few affiliated accounts.
https://www.digiteal.eu/open-banking-apis-all-you-need-to-kn...
Thats why using apps like Outbank, that automatically aggregate all your bank accounts data work like a charm in my experience.
Sure, if you just trust some random Chrome extension from a random individual developer, you're absolutely setting yourself up for trouble when they hack your shit. But to wholesale dismiss all apps when there are actual legal protections in place that permit these businesses?
Also, what a glaring false dichotomy.
So to make "false dichotomy" stick, you going to need to assert that if Quicken were breached and this lead to my Schwab account being accessed by a bad actor, I actually am shit out of luck. Will you do that?
At some point I suspect every person on the planet will have experienced a data exposure event and the question will switch from: have you ever had your info leaked?, when was the last time your info was leaked? It's not a small risk.
And doing so violates the terms of service with many banks:
> You agree that you will not authorize a third party to use the Service or share your credentials with a third party to use the Service on your behalf except in legally authorized situations such as legal guardianship or pursuant to a power of attorney.
* https://www.bankofamerica.com/online-banking/service-agreeme...
The banks are just as to blame. I'd love some basic non-SMS 2FA as a starting point, but sadly my bank is only the #6 largest in the US so they don't have the budget for it.
BofA Login https://www.bankofamerica.com/
1. Log in to your account.
2. Go to "Activity" or "Statements".
3. Select the account and time range.
4. Click "Download" and choose "CSV". Yes
--
# Chase Chase Login
1. Log in to your Chase account.
2. Navigate to "Statements & Documents".
3. Choose the account and statement period.
4. Click "Download" and select "CSV". Yes
--
# Wells Fargo Wells Fargo Login
1. Log in to your account.
2. Go to "Account Activity".
3. Select "Download Account Activity".
4. Choose "CSV" and specify the time period. Yes
# Citibank Citibank Login
1. Log in to your account.
2. Go to "Statements".
3. Choose the time period and format.
4. Select "Download" in "CSV". Yes
# Capital One Capital One Login
1. Log in to your account.
2. Navigate to the "Account Activity".
3. Select the time period and click "Download".
4. Choose "CSV". Yes
You can literally just ask bot for api docs to access info - then gimme a python for such:
https://i.imgur.com/P9UgZ98.png
>>"..evaluate the docs for each API and give me the most straight-forward python to connect which prompts me for which fin inst - with a menu for inputs. define an .env with the reqs fin inst fields i'd need to add.. but use the vars in the script... define in mermaid and swim."..
https://i.imgur.com/SpsyfI5.png
https://i.imgur.com/QzmPZIg.png
--
Basically, the semantic web is near.
Hopefully soon there will be a dictionary and a thesaurus of quippets {AI-Bot-like snippets that you call like legos to walk through a Warren (rabbits hole)
==-->
"Give me a panel that [does complex output] using [random inputs] and [other relationships] and give put that as "oligarchs" and give me relevant tables for relationships between the [elements]
(I like to add in "from this .git repo" and I also like to have them do autistically-obsessive logging.)
The problem is that I have so many logging iterations I get lost...
What I NEED is an AI co-AIHDHD-Pilot -- that watches all mY iterations and birdwalking through a problem, curiosity, muse, failure, success - -and give me a Charlie Day Version of my thought process
https://i.imgur.com/4QBjOCZ.jpeg
An open source project that had import flows for all the major banks & brokers into a well-defined unified format? Tremendous impact.
A graphing tool that only imports a standardized CSV? I can do that in my spreadsheet in minutes.
Although I choose convenience over privacy / no-cloud, Google Sheets FTW.
This is what we need more often from our software, especially from software that works with sensitive data. I do typically want sync options though since I tend to use several different devices and it sucks not being able to reference information on the go from my phone. Sync options can include locally/self hosted options or use something like iCloud that don't depend on a software vendor's running a service though.
Don't most sync options depend on a software vendor running a service? (Your VPS hosting company, your SaaS handling cross-device syncing, your cloud provider, et cetera.)
Storing sensitive data in local storage makes you vulnerable to XSS attacks and Man-in-the-Browser attacks. You're exposing your sensitive data to an attacker that injects a script to the website and to malicious browser extensions. All sensitive data stored in local storage must be encrypted using a key stored in the server or somewhere on your hard disk. Otherwise, you're not reducing your risk, but substituting one type of information disclosure vulnerability with another.
The app in question runs locally and only with trusted code. How is the attacker supposed to get in there to place the XSS or even do a MITM attack when there is no exposed website at all? Neither are there browser extensions involved here.
> All sensitive data stored in local storage must be encrypted using a key stored in the server
Huh? Please don't do this, especially not for "local first" applications, would defeat the entire purpose.
That's a big assumption. Have you read all the code, and the dependencies of the dependencies of your code? If you haven't, how do you know it can be trusted? What if there is a backdoor in an obscure dependency that can inject a script into your website to steal your sensitive data? Don't laugh it off. When there is money on the line, someone is going to try it.
> Neither are there browser extensions involved here.
What about the extensions you installed in your browser? What about the user scripts (if you use them)?
> Huh? Please don't do this, especially not for "local first" applications, would defeat the entire purpose.
Why not? Why do you want a local first app in the first place? What's the purpose of a local first app, if not security?
It's not a website, it doesn't run in your normal browser. It runs as a standalone application.
> Why not? Why do you want a local first app in the first place? What's the purpose of a local first app, if not security?
Because as soon as those keys aren't available (either because the endpoint no longer exists, or you cannot connect to the endpoint for whatever reason (like being offline)), you can no longer access your data.
That isn't "local first" at all, it's something else entirely.
The encryption key doesn't have to be stored in the cloud. It just has to be stored somewhere else -- it could be in the file system.
> It's not a website, it doesn't run in your normal browser. It runs as a standalone application.
Even if it's a standalone application, it doesn't mean the code can be entirely trusted. I wouldn't take that risk.
Right, makes sense. I was saying to not store it in the cloud, specifically. Encrypt local data at rest, makes sense. Storing encryption keys for said content somewhere where you need internet access to get, doesn't make much sense.
> Even if it's a standalone application, it doesn't mean the code can be entirely trusted. I wouldn't take that risk.
"Trusted" here refers to "not user provided inputs" that SaaS/website usually does somewhere. Obviously, there is code somewhere that you haven't read and verified, that's true for literally everyone using a computer today, no one has read and verified all the code they've run, we'd get nothing done if that was common practice.
Just for curiosities sake, what OS you use and how much of your software you use daily have you read through the source code of?
Very few. It depends on the data I need to store in the program. I don't store sensitive data in Figma or VSCode, so I don't really care if they don't encrypt my data in local storage. But if I'm in the market for something that offers to manage my sensitive financial data, then yes, I want to dig into its dependencies and security strategy first.
Does this work for the international market, like Brazil for example? Does it track fixed-income types of investments like government bonds, etc?
Speaking as a Boglehead, checking on your investments frequently is usually a bad thing.
First mentioned and most prominent feature is "Accounts Aggregation" on the landing page. If you don't have multiple accounts, it makes sense you don't see any need for this. But you should also realize that it's fairly common to have multiple accounts, for various of reasons.
Now, those external accounts are second-class citizens and don't get portfolio analysis and stuff like that, so there is room for improvement, but the ease of use and cost (free) is hard to beat.
[1] https://www.canada.ca/en/department-finance/programs/financi...
It would be great to turn this into a hosted service that I can deploy onto a homelab and access everywhere?
> Import your statements from your broker or bank.
I think I got it right after doing a "deposit" of the exact value of my account, then try to work out what was the correct "buy" price for each stock without the P/L, it roughly works but the numbers don't exactly match those that I have in my account, perhaps because you're not using the same data source as my account
Every app I've tried this is painful or unsupported.
I must be missing something in your requirements.
Here's an example of what I'm talking about: suppose you and a housemate decide that an equitable split for the electric bill is 65/35 based on usage habits. One person pays the electric bill every month. All of these finance apps will download the transaction, categorize the electric bill for me, and maybe apply a custom tag. But I have to manually calculate the amount owed to me, and manually reconcile that with the fact that the other person pays the water bill.
I'd love to find an accounting app for shared arrangements, but it seems like most are targeted to solo or completely joint finances. Monarch listed elsewhere in these comments is the closest I've seen, but it also doesn't support reconciling split transactions.
I'm pretty sure I could write a custom importer for Beancount but the breakeven point on time would be years.
I think modifying the CSV importer for Beancount to split certain transactions to certain percentages would be fairly easy--switching to Beancount itself (or other Plain Text Accounting software) would of course be monumental. But it is the ultimate in flexibility.
But any tech may be overkill. In a e.g. roommate situation, a paper record per month (plus receipts, if lower trust) works fine.