1

I was wondering if trading my Eth through a client mobile app such as iPhone's "Polo" client for the Poloniex site is secure. I was wondering this because I see the app is not from the Poloniex team, and it's not opensource. Trading through this app is really much easier than on the mobile version of the site, but if my account could be possibly at risk I would avoid using it anyway. I'm concerned mostly on the security of my credentials and the possibility that the app developer may be able to control my accounts or even see some details of my accounts through any other kind of tracking that may be possible through the coded app.

What do you think about my concerns? Am I paranoid or I'm actually considering something that may be possible?

I don't even know if Apple does any kind of control of what the apps does before they're published. As far as I know they're much more careful than Google on andorid's Play store abou that, but that doesn't represent to me any guarantee about this app's (such kind of app's) security.

Please consider Polo/Poloniex just as an example, the question is if it would be more secure using an unofficial app or the browser as client for such sites.

Marco
  • 113
  • 6

2 Answers2

2

I think your concerns are valid; I'm not familiar with Poloniex's API methodology; they might require you to authorize what actions an external app can perform. But even if your account keys are safe and withdrawals are not possible, a malicious app developer could use your accounts to execute trades that manipulate the market. This, could be done in order to artificially increase the price of a token/currency with low volume, sell it to you at the high price, and then leave you holding something that is worth a lot less than you paid for it. Might as well have drained your account.

Apple does check apps to some extent, but they do not check for the kinds of things that you should worry about in this sort of situation. In the best case, if people started reporting problems, Apple might pull the app from the store (it has pulled applications that contained malware and fake Bitcoin wallets in the past). However, you might be one of the canaries in the coal mine.

lungj
  • 6,680
  • 2
  • 17
  • 45
  • "It has done this in the past". You're talking about trading apps or apps in general? TY very much for your contribution. – Marco Aug 01 '17 at 19:39
  • @Marco Thanks for asking this clarifying question! I don't know of any instances of trading apps, but I've updated my answer to clarify my previous statement. – lungj Aug 01 '17 at 19:44
  • 1
    I definitely removed my app from iPhone, changed credentials for the exchange community and enabled 2FA. – Marco Aug 02 '17 at 16:13
1

In principle you could use a tool like Charles Proxy to monitor the data that the app collects and transmits. That said, it is somewhat arduous to setup, and it is possible that they could transfer the data over an encrypted connection.

In general you should be careful with third party apps. At some point, you usually have to trust someone.. For example you trust your bank (within reason) to look after your money. That said crypto is a fairly new, fairly unregulated development, and has a lot of complex technological consideration behind it. It is very easy for someone with the right information to take your money without leaving a trace. As such I'd recommend being very wary of companies and products that are not open, transparent and well trusted.

Thomas Clowes
  • 4,385
  • 2
  • 19
  • 43