Over the past few weeks, TikTok has found itself in hot water over security issues. First, it was axed in India along with 58 other Chinese apps for “stealing and surreptitiously transmitting users’ data in an unauthorized manner.” Later, it became a major target for Trump’s administration against the backdrop of America’s faltering relationship with China and was even banned for Wells Fargo and Amazon employees, with the latter later retracting the news, saying it did not intend to prohibit the use of TikTok.
While the censure of TikTok’s data collection habits seems to stem from mostly geopolitical reasons — its harshest critics accuse the app of being spyware for the Communist Party of China — some research suggests that TikTok isn’t much different from Western apps in terms of privacy and security, with the Facebook–Cambridge Analytica data scandal being arguably the clearest example.
It seems safe to say that at this point, user data has become the main commodity for mainstream apps, but how do things stand with popular crypto apps?
Crypto and cybersecurity
Cybersecurity remains a major weak point for the cryptocurrency and blockchain space. Each year, hackers extract increasingly large sums from cryptocurrency exchanges and unwary investors, while the technology itself and the emergence of privacy coins have allowed criminals to stay relatively anonymous.
Data collection, however, is a slightly different matter. Unlike hacks, it falls into a grayer regulatory area. “Private data” is a rather abstract umbrella term, and normally, users consent to data collection when they download an app and approve its terms and conditions. Nonetheless, they often don’t realize what kind of data they’ve allowed this app to access — and sometimes it’s much more than just their email address and approximate location.
“Mobile apps are generally very ‘thorough’ when it comes to targeted advertising,” Hartej Sawhney, the CEO and co-founder of cybersecurity agency Zokyo Labs, said in an email conversation with Cryptox. He went on to say: “Many apps track users even when their mobile app is not in use. In addition, there’s even concern about apps accessing your phone’s microphone.”
Indeed, a somewhat similar story happened with Binance recently. Earlier this month, Twitter user Sherpa posted a screenshot of a certificate issuer in a tweet, showing that the permissions requested by the top cryptocurrency exchange in its Android app include access to the camera and the ability to record audio. At the time, the chief security officer of Binance told Cryptox that the camera is used during the KYC verification process, stressing that “the code developed in-house within the Binance app definitely does not use the microphone.”
Later, Binance CEO Changpeng Zhao said that he asked his team to review the code, clarifying to Cryptox that Binance chose to remove the audio recording permission and “keep other permissions required to a minimum, for our users’ peace of mind.”
CZ also shared a list of permissions from the updated version of the app, which seemed much more privacy-oriented when compared to the screenshots posted by Sherpa. Furthermore, Zhao stressed that Binance does not sell user data “of any kind, such as packaging KYC data together with blockchain analytics.”
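Permission lists like the ones Sherpa and CZ posted can be checked directly rather than taken from a screenshot: `aapt dump permissions app.apk` prints every `uses-permission` line an APK declares, and a decoded AndroidManifest.xml carries the same information as `<uses-permission>` tags. The Python below is an added example, not code from Binance or anyone quoted in this article; it parses either format, flags permissions a reviewer would want a trading or wallet app to justify, and diffs a "before" and "after" build. The package name, the two permission lists and the list of sensitive permissions are constructed for illustration and are not the real Binance manifests.

```python
import re

# Permissions worth a second look in a wallet or exchange app, with the
# reason a reviewer would want the vendor to justify each one. This set is
# an assumption of the example, not an official list.
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA": "plausible for KYC selfies and QR scanning; confirm it is only used there",
    "android.permission.RECORD_AUDIO": "no obvious need in a trading or wallet app",
    "android.permission.READ_CONTACTS": "exposes the user's social graph",
    "android.permission.ACCESS_FINE_LOCATION": "precise location; coarse is usually enough for geo-fencing",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_EXTERNAL_STORAGE": "can read other apps' exported files and backups",
    "android.permission.READ_PHONE_STATE": "device identifiers usable for cross-app tracking",
    "android.permission.READ_SMS": "can read one-time codes sent by other services",
}

# Matches `aapt dump permissions` output (old and new formats, including
# uses-permission-sdk-23) as well as <uses-permission> tags from a manifest.
_PERM_RE = re.compile(
    r"(?:uses-permission(?:-sdk-23)?:\s*(?:name=)?['\"]?"
    r"|<uses-permission[^>]*android:name=[\"'])"
    r"([A-Za-z0-9_.]+)"
)


def parse_permissions(text: str) -> set:
    """Return the set of permission names declared in aapt or manifest text."""
    return set(_PERM_RE.findall(text))


def audit_permissions(text: str) -> dict:
    """List every requested permission and explain the ones worth questioning."""
    requested = parse_permissions(text)
    flagged = {p: SENSITIVE_PERMISSIONS[p] for p in sorted(requested) if p in SENSITIVE_PERMISSIONS}
    return {"requested": sorted(requested), "flagged": flagged}


def diff_permissions(before: str, after: str) -> dict:
    """Compare two builds: what was dropped and what was newly added."""
    b, a = parse_permissions(before), parse_permissions(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


# Constructed sample input in `aapt dump permissions` format. These are NOT
# the real Binance permission lists, only a plausible before/after pair.
BEFORE = """\
package: com.example.exchange
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.USE_BIOMETRIC'
"""

AFTER = """\
package: com.example.exchange
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.USE_BIOMETRIC'
"""

if __name__ == "__main__":
    report = audit_permissions(BEFORE)
    for perm, why in report["flagged"].items():
        print(f"{perm}: {why}")
    print(diff_permissions(BEFORE, AFTER))
```

Run it against real output by piping `aapt dump permissions app.apk` into `parse_permissions`. A declared permission only says what the app may do, not what it does; the "after" list is the useful artifact because a permission that is no longer declared cannot be used at all, which is a stronger guarantee than a statement that in-house code does not call the microphone.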
Data collection and poor security ramifications
As CZ previously told Cryptox, apps with access to users’ clipboard data pose the greatest threat to users’ safety because they can potentially steal their private keys. “Most crypto applications that ask for your key material can simply steal your funds, and you trust that they don’t,” Harry Halpin, the CEO of privacy mixnet Nym Technologies, confirmed to Cryptox, adding: “Any custodial service can obviously steal your cryptocurrency.”
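The clipboard risk CZ and Halpin describe comes down to one fact: any app that can read the clipboard sees whatever the user last copied, and key material is easy to recognize by format. The Python below is an added example, not code from Binance, Nym or any other party quoted here. It shows the other side of that coin, how a wallet could classify clipboard text as a WIF private key, a Base58Check address or a possible seed phrase so it can warn the user or clear the clipboard after a paste. The Base58Check routines, the sample key, the public Bitcoin wiki WIF test vector and the seed-phrase heuristic (which does not consult the BIP39 wordlist) are assumptions of the example.

```python
import hashlib
import re

# Bitcoin's Base58 alphabet (no 0, O, I or l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """Append a 4-byte double-SHA256 checksum and encode as Base58."""
    data = payload + _sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(text: str):
    """Return the payload if the checksum verifies, otherwise None."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    data = b"\x00" * pad + body
    if len(data) < 5 or _sha256d(data[:-4])[:4] != data[-4:]:
        return None
    return data[:-4]


def encode_wif(key: bytes, compressed: bool = True) -> str:
    """Wallet Import Format: 0x80 version byte, 32-byte key, optional 0x01 flag."""
    assert len(key) == 32
    return base58check_encode(b"\x80" + key + (b"\x01" if compressed else b""))


def classify_clipboard(text: str) -> str:
    """Label clipboard text as key material, an address or something else."""
    s = text.strip()
    payload = base58check_decode(s)
    if payload is not None:
        if payload[0] == 0x80 and (len(payload) == 33 or (len(payload) == 34 and payload[-1] == 0x01)):
            return "wif-private-key"
        if payload[0] in (0x00, 0x05) and len(payload) == 21:
            return "address"
    # Heuristic only: a BIP39 phrase is 12 to 24 lowercase words; a real check
    # would validate each word against the wordlist and the checksum bits.
    words = s.lower().split()
    if len(words) in (12, 15, 18, 21, 24) and all(re.fullmatch(r"[a-z]+", w) for w in words):
        return "possible-seed-phrase"
    return "other"


# Public test vector from the Bitcoin wiki: the uncompressed WIF for the key
# 0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D.
WIKI_WIF = "5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ"

# Constructed sample key for the round trip below; never use a key like this.
SAMPLE_KEY = bytes(range(1, 33))

if __name__ == "__main__":
    for sample in (WIKI_WIF, encode_wif(SAMPLE_KEY), "1111111111111111111114oLvT2", "hello world"):
        print(f"{classify_clipboard(sample):22} {sample}")
```

The point for a wallet developer is that recognition is cheap: a clipboard watcher needs nothing more than this to spot a WIF key or a seed phrase the moment it is copied. Wallets that must put a key on the clipboard at all should clear it after a short timeout, and users should treat any app with clipboard access the way Halpin treats a custodian: something they are trusting not to steal from them.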
Coin theft is one of the main risks associated with cryptocurrency applications, and wallet apps in particular. Alex Heid, the chief research and development officer at information security company SecurityScorecard, added in a conversation with Cryptox:
“Attackers have been known to use malware, compromised developer repositories and social engineering to obtain the wallet and private keys of vulnerable users. Examples of this have taken place in the past, such as with the ongoing plague of rogue applications in mobile app stores, the attack on Copay wallets via a compromised JavaScript library in 2018, and the attack on Electrum node messaging servers in 2019.”
Are crypto apps generally safer?
Are crypto apps any different from mainstream software in terms of data collection? Experts’ opinions are divided. “The nature of crypto apps is very similar to other financial apps in many ways,” Heid argued, elaborating: “Users are often required to provide identification information for KYC/AML compliance. There have been cases in the past where KYC/AML data has been obtained by attackers from successful hacks against cryptocurrency services.”
Matt Senter, a co-founder and the chief technology officer at Bitcoin rewards app Lolli, told Cryptox that “the incentive to lie, cheat and steal is much higher in Bitcoin apps than traditional apps” but warned that “users should stay alert for all types of apps.”
Halpin said he would be “shocked” if cryptocurrency applications did not have more malware and surveillance than other applications, given that cryptocurrency has to deal with money. “Sending cryptocurrency to a public ledger allows anyone to spy on your transaction,” he added.
Brian Kerr, the CEO of lending platform Kava Labs, told Cryptox he’s “much more concerned about data being shared from fintech apps like Robinhood and business communication apps like Zoom than data from crypto trading apps.”
How to stay safe?
But how can one stay safe when using crypto apps? Senter believes that knowing the basics of cryptocurrencies is a must when it comes to using industry apps or dealing with digital assets in general. Senter referenced the recent Twitter hack as an example:
“Users who don’t understand how Bitcoin works are in danger of outright losing all of it. We saw an attack on Twitter recently where people were duped into handing over their funds to a random address. While not a Bitcoin app, the Twitter attack does highlight a lack of understanding.”
According to Senter, crypto apps that don’t have a user-friendly interface to guide their customers through transaction verification “leave the uninitiated wondering if their funds are safe.” There are also app lookalikes, he warned, noting that these are threats “easily mitigated by education on Bitcoin and good opsec.”
However, “it is nearly impossible for a user to review the privacy and security of an application,” Halpin of Nym Technologies argued, adding: “Even developers often build technology that they believe is secure and private, and screw it up.” He is also largely skeptical of the assumption that decentralized apps offer more security than solutions developed by centralized companies, at least in their current state:
“Is it more safe to trust a random group of people with your app than a single third party? For decentralization to work, we need stronger accountability and actual decentralization. Most of what I see in the blockchain space is decentralization theatre.”
As a result, Halpin concluded that it’s better to take advice from “reputable third parties” like academics or industry companies that have a good track record of finding and fixing vulnerabilities before their users’ funds or personal data get compromised.