As TikTok ‘Spyware’ Rumor Swirls, Crypto Apps Safety in the Spotlight

Published at: July 24, 2020

Over the past few weeks, TikTok has found itself in hot water over security issues. First, it was axed in India along with 58 Chinese apps for “stealing and surreptitiously transmitting users’ data in an unauthorized manner.” Later, it became a major target for Trump’s administration against the backdrop of America’s faltering relationship with China and was even banned for Wells Fargo and Amazon employees, with the latter later retracting the news, saying it did not intend to prohibit using TikTok.

While the censure of TikTok’s data collection habits seems to stem from mostly geopolitical reasons — its harshest critics accuse the app of being spyware for the Communist Party of China — some research suggests that TikTok isn’t much different from Western apps in terms of privacy and security, with the Facebook–Cambridge Analytica data scandal being arguably the clearest example.

It seems safe to say that at this point, user data has become the main commodity for mainstream apps, but how do things stand with popular crypto apps?

Crypto and cybersecurity

Cybersecurity remains a major weak point for the cryptocurrency and blockchain space. Each year, hackers manage to extract increasingly large sums of money from cryptocurrency exchanges and ignorant investors, while the technology itself and the emergence of privacy coins have allowed criminals to stay relatively anonymous.

Data collection, however, is a slightly different matter. Unlike hacks, it falls into a grayer regulatory area. “Private data” is a rather abstract umbrella term, and normally, users consent to data collection when they download an app and approve its terms and conditions. Nonetheless, they often don’t realize what kind of data they’ve allowed this app to access — and sometimes it’s much more than just their email address and approximate location.

“Mobile apps are generally very ‘thorough’ when it comes to targeted advertising,” Hartej Sawhney, the CEO and co-founder of cybersecurity agency Zokyo Labs, said in an email conversation with Cointelegraph. He went on to say: “Many apps track users even when their mobile app is not in use. In addition, there’s even concern about apps accessing your phone’s microphone.”

Indeed, a somewhat similar story happened with Binance recently. Earlier this month, Twitter user Sherpa posted a screenshot of a certificate issuer in a tweet, showing that the permissions requested by the top cryptocurrency exchange in its Android app include access to the camera and the ability to record audio. At the time, the chief security officer of Binance told Cointelegraph that the camera is used during the KYC verification process, stressing that “the code developed in-house within the Binance app definitely does not use the microphone.”

Later, Binance CEO Changpeng Zhao said that he asked his team to review the code, clarifying to Cointelegraph that Binance chose to remove the audio recording permission and “keep other permissions required to a minimum, for our users’ peace of mind.”

CZ also shared a list of permissions from the updated version of the app, which seemed much more privacy-oriented when compared to the screenshots posted by Sherpa. Furthermore, Zhao stressed that Binance does not sell user data “of any kind, such as packaging KYC data together with blockchain analytics.”

Data collection and poor security ramifications

As CZ previously told Cointelegraph, apps with access to users’ clipboard data pose the greatest threat to users’ safety because they can potentially steal their private keys. “Most crypto applications that ask for your key material can simply steal your funds, and you trust that they don’t,” Harry Halpin, the CEO of privacy mixnet Nym Technologies, confirmed to Cointelegraph, adding: “Any custodial service can obviously steal your cryptocurrency.”

Coin theft is one of the main risks associated with cryptocurrency applications, and wallet apps in particular. Alex Heid, the chief research and development officer at information security company SecurityScorecard, added in a conversation with Cointelegraph:

“Attackers have been known to use malware, compromised developer repositories and social engineering to obtain the wallet and private keys of vulnerable users. Examples of this have taken place in the past, such as with the ongoing plague of rogue applications in mobile app stores, the attack on Copay wallets via a compromised JavaScript library in 2018, and the attack on Electrum node messaging servers in 2019.”

Are crypto apps generally safer?

Are crypto apps any different from mainstream software in terms of data collection? Experts’ opinions are divided. “The nature of crypto apps is very similar to other financial apps in many ways,” Heid argued, elaborating: “Users are often required to provide identification information for KYC/AML compliance. There have been cases in the past where KYC/AML data has been obtained by attackers from successful hacks against cryptocurrency services.”

Matt Senter, a co-founder and the chief technology officer at Bitcoin rewards app Lolli, told Cointelegraph that “the incentive to lie, cheat and steal is much higher in Bitcoin apps than traditional apps” but warned that “users should stay alert for all types of apps.”

Halpin said he would be “shocked” if cryptocurrency applications did not have more malware and surveillance than other applications, given that cryptocurrency has to deal with money. “Sending cryptocurrency to a public ledger allows anyone to spy on your transaction,” he added.

Brian Kerr, the CEO of lending platform Kava Labs, told Cointelegraph he’s “much more concerned about data being shared from fintech apps like Robinhood and business communication apps like Zoom than data from crypto trading apps.”

How to stay safe?

But how can one stay safe when using crypto apps? Senter believes that knowing the basics of cryptocurrencies is a must when it comes to using industry apps or dealing with digital assets in general. Senter referenced the recent Twitter hack as an example:

“Users who don’t understand how Bitcoin works are in danger of outright losing all of it. We saw an attack on Twitter recently where people were duped into handing over their funds to a random address. While not a Bitcoin app, the Twitter attack does highlight a lack of understanding.”

According to Senter, crypto apps that don’t have a user-friendly interface to guide their customers through transaction verification “leave the uninitiated wondering if their funds are safe.” There are also app lookalikes, he warned, noting that these are threats “easily mitigated by education on Bitcoin and good opsec.”

However, “it is nearly impossible for a user to review the privacy and security of an application,” Halpin of Nym Technologies argued, adding: “Even developers often build technology that they believe is secure and private, and screw it up.” He is also largely skeptical about the assumption that decentralized apps offer more security when compared to solutions developed by centralized companies, at least in their current state:

“Is it more safe to trust a random group of people with your app than a single third party? For decentralization to work, we need stronger accountability and actual decentralization. Most of what I see in the blockchain space is decentralization theatre.”

As a result, Halpin concluded that it’s better to take advice from “reputable third parties” like academics or industry companies that have a good track record of finding and fixing vulnerabilities before their users’ funds or personal data get compromised.
