As TikTok ‘Spyware’ Rumor Swirls, Crypto Apps Safety in the Spotlight
As data becomes the main commodity for social media giants, can you trust crypto apps with your personal info?
Over the past few weeks, TikTok has found itself in hot water over security issues. First, it was axed in India along with 58 Chinese apps for “stealing and surreptitiously transmitting users’ data in an unauthorized manner.” Later, it became a major target for Trump’s administration against the backdrop of America’s faltering relationship with China and was even banned for Wells Fargo and Amazon employees, with the latter later retracting the news, saying it did not intend to prohibit using TikTok.
While the censure of TikTok’s data collection habits seems to stem from mostly geopolitical reasons — its harshest critics accuse the app of being spyware for the Communist Party of China — some research suggests that TikTok isn’t much different from Western apps in terms of privacy and security, with the Facebook–Cambridge Analytica data scandal being arguably the clearest example.
It seems safe to say that at this point, user data has become the main commodity for mainstream apps, but how do things stand with popular crypto apps?
Crypto and cybersecurity
Cybersecurity remains a major weak point for the cryptocurrency and blockchain space. Each year, hackers manage to extract increasingly larger sums of money from cryptocurrency exchanges and ignorant investors, while the technology itself and the emergence of privacy coins have allowed criminals to stay relatively anonymous.
Data collection, however, is a slightly different matter. Unlike hacks, it falls into a grayer regulatory area. “Private data” is a rather abstract umbrella term, and normally, users consent to data collection when they download an app and approve its terms and conditions. Nonetheless, they often don’t realize what kind of data they’ve allowed this app to access — and sometimes it’s much more than just their email address and approximate location.
“Mobile apps are generally very ‘thorough’ when it comes to targeted advertising,” Hartej Sawhney, the CEO and co-founder of cybersecurity agency Zokyo Labs, said in an email conversation with Cointelegraph. He went on to say: “Many apps track users even when their mobile app is not in use. In addition, there’s even concern about apps accessing your phone’s microphone.”
Indeed, a somewhat similar story happened with Binance recently. Earlier this month, Twitter user Sherpa posted a screenshot of a certificate issuer in a tweet, showing that the permissions requested by the top cryptocurrency exchange in its Android app include access to the camera and the ability to record audio. At the time, the chief security officer of Binance told Cointelegraph that the camera is used during the KYC verification process, stressing that “the code developed in-house within the Binance app definitely does not use the microphone.”
Later, Binance CEO Changpeng Zhao said that he asked his team to review the code, clarifying to Cointelegraph that Binance chose to remove the audio recording permission and “keep other permissions required to a minimum, for our users’ peace of mind.”
CZ also shared a list of permissions from the updated version of the app, which seemed much more privacy-oriented when compared to the screenshots posted by Sherpa. Furthermore, Zhao stressed that Binance does not sell user data “of any kind, such as packaging KYC data together with blockchain analytics.”
Data collection and poor security ramifications
As CZ previously told Cointelegraph, apps with access to users’ clipboard data pose the greatest threat to users’ safety because they can potentially steal their private keys. “Most crypto applications that ask for your key material can simply steal your funds, and you trust that they don’t,” Harry Halpin, the CEO of privacy mixnet Nym Technologies, confirmed to Cointelegraph, adding: “Any custodial service can obviously steal your cryptocurrency.”
Coin theft is one of the main risks associated with cryptocurrency applications, and wallet apps in particular. Alex Heid, the chief research and development officer at information security company SecurityScorecard, added in a conversation with Cointelegraph:
Are crypto apps generally safer?
Are crypto apps any different from mainstream software in terms of data collection? Experts’ opinions are divided. “The nature of crypto apps is very similar to other financial apps in many ways,” Heid argued, elaborating: “Users are often required to provide identification information for KYC/AML compliance. There have been cases in the past where KYC/AML data has been obtained by attackers from successful hacks against cryptocurrency services.”
Matt Senter, a co-founder and the chief technology officer at Bitcoin rewards app Lolli, told Cointelegraph that “the incentive to lie, cheat and steal is much higher in Bitcoin apps than traditional apps” but warned that “users should stay alert for all types of apps.”
Halpin said he would be “shocked” if cryptocurrency applications did not have more malware and surveillance than other applications, given that cryptocurrency has to deal with money. “Sending cryptocurrency to a public ledger allows anyone to spy on your transaction,” he added.
Brian Kerr, the CEO of lending platform Kava Labs, told Cointelegraph he’s “much more concerned about data being shared from fintech apps like Robinhood and business communication apps like Zoom than data from crypto trading apps.”
How to stay safe?
But how can one stay safe when using crypto apps? Senter believes that knowing the basics of cryptocurrencies is a must when it comes to using industry apps or dealing with digital assets in general. Senter referenced the recent Twitter hack as an example:
“Users who don’t understand how Bitcoin works are in danger of outright losing all of it. We saw an attack on Twitter recently where people were duped into handing over their funds to a random address. While not a Bitcoin app, the Twitter attack does highlight a lack of understanding.”
According to Senter, crypto apps that don’t have a user-friendly interface to guide their customers through transaction verification “leave the uninitiated wondering if their funds are safe.” There are also app lookalikes, he warned, noting that these are threats “easily mitigated by education on Bitcoin and good opsec.”
However, “it is nearly impossible for a user to review the privacy and security of an application,” Halpin of Nym Technologies argued, adding: “Even developers often build technology that they believe is secure and private, and screw it up.” He is also largely skeptical about the assumption that decentralized apps offer more security when compared to solutions developed by centralized companies, at least in their current state:
“Is it more safe to trust a random group of people with your app than a single third party? For decentralization to work, we need stronger accountability and actual decentralization. Most of what I see in the blockchain space is decentralization theatre.”
As a result, Halpin concluded that it’s better to take advice from “reputable third parties” like academics or industry companies that have a good track record of finding and fixing vulnerabilities before their users’ funds or personal data get compromised.