How do I know if a new app like Bondee is safe to use?
Viral Singapore-based social networking app Bondee was hit with allegations in late January that its users’ credit card information had been leaked, leading to concerns about whether the app is safe to use.
The disquiet soon settled down when many netizens determined that the evidence of data mishandling circulating online was unreliable. Bondee, which allows players to interact in a virtual space with a customised avatar, also clarified that it does not currently collect financial details.
Downloads of the app have continued to surge, crossing five million on the Google Play Store.
The Straits Times speaks to cyber-security experts on some safe practices for consumers when installing new apps.
Is Bondee safe to use after all?
Cyber-security professionals interviewed said that Bondee appears to be safe.
Bondee does not appear to ask for permissions beyond its scope, Mr Prakash said, adding that consumers should watch out for apps that ask for credit card details when there is nothing to spend on.
Mr Prakash said: “By this standard, Bondee passes this preliminary test.”
Screenshots of unauthorised bank transactions that were said to have occurred after downloading the Bondee app made the rounds on social media, but soon faded as users questioned the legitimacy of the evidence.
A Google spokesman said in reply to ST that when a user pays for an app through Google Play, their payment information is securely stored in their Google account and is not shared with app developers.
Field cyber-security officer Ian Lim from cyber-security firm Palo Alto Networks said it is unlikely for an app to gain access to a user’s bank account if it has access to only the camera and media folder. But bank accounts can be left vulnerable if users have financial information stored in images on their photo albums, he added.
Bondee developer Metadream said in its privacy statement that it collects only content generated on the app, including text and footage uploaded to the platform.
Metadream is a Singapore-based company that purchased the rights to a similar social networking app in China in 2022 called Zheli, which is being developed by Metadream separately from Bondee.
How do I ensure an app by an unfamiliar developer is safe to use?
Consumers should opt for apps made by reputable firms, said Mr Prakash. But in the case of a relatively new developer – like Metadream – users can look up details about the developer on its website to detect if there is anything suspicious about it.
Screenshots of the app uploaded on app stores do not prove that it is reliable, he added.
Ms Joanne Wong, vice-president of international marketing at cyber-security firm LogRhythm, said that users can also look at a developer’s track record with apps to check if it is reputable, and scan reviews to see if others have flagged issues.
Can an app access my microphone and photos without my knowledge?
Users should be cautious about the permissions requested, experts said. An app given full access can trawl through a user’s entire photo album, although the phone’s operating system now lets users grant narrower access instead, such as only while the app is in use, only to selected photos, or with a prompt on each use.
Depending on the level of access granted by the user, apps can turn on a device’s microphone or access photos at any time, said Mr Nick Biasini, head of outreach for threat intelligence organisation Cisco Talos.
He urged users to activate and pay attention to the indicators on a phone that show when the mic or camera is active. He said: “Regardless, the best practice for users is to allow access only while the app is open, if possible.”
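The test Mr Prakash applies (permissions beyond the app’s scope) can be run mechanically on Android. The following is an added example, not code from the article, Bondee or Metadream: it parses the text of `adb shell dumpsys package <package>` and reports sensitive permissions that are granted but outside the set you expect for an avatar app, plus sensitive permissions the app has declared but not yet been granted. The dumpsys output and the package name `com.example.avatarapp` are constructed to match that command’s layout; the `SENSITIVE` set is an assumed starting point, not an exhaustive list.

```python
"""Flag Android permissions granted to an app beyond the scope you expect.
Input is the text of `adb shell dumpsys package <package>`; SAMPLE_DUMPSYS
below is constructed to match that command's layout, not taken from a device."""
import re

# Android "dangerous" permissions worth scrutinising in a social/avatar app.
# Assumption: a starting point for review, not a complete list.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}

# Matches "android.permission.X" optionally followed by ": granted=true/false".
PERM_LINE = re.compile(
    r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_dumpsys(text):
    """Return (requested, granted): permissions the app declares in its
    manifest, and the subset currently granted (install-time or runtime)."""
    requested, granted = set(), set()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            section = stripped[:-1]  # e.g. "requested permissions"
            continue
        m = PERM_LINE.match(line)
        if not m or section is None:
            continue
        perm, state = m.group(1), m.group(2)
        if section == "requested permissions":
            requested.add(perm)
        elif state == "true":  # install or runtime permission that is granted
            granted.add(perm)
    return requested, granted


def audit(text, expected):
    """Return (beyond_scope, dormant): sensitive permissions granted but not
    in `expected`, and sensitive ones requested but not yet granted (the app
    can still prompt for these later)."""
    requested, granted = parse_dumpsys(text)
    beyond_scope = sorted((granted & SENSITIVE) - expected)
    dormant = sorted((requested & SENSITIVE) - granted - expected)
    return beyond_scope, dormant


# Constructed dumpsys excerpt for a hypothetical avatar app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.avatarapp] (1a2b3c):
    userId=10234
    versionName=1.4.2
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.READ_MEDIA_IMAGES
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET|USER_FIXED]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SENSITIVE_WHEN_DENIED]
"""

# What an avatar-and-photos app plausibly needs; anything else is worth asking about.
EXPECTED_FOR_AVATAR_APP = {
    "android.permission.CAMERA",
    "android.permission.READ_MEDIA_IMAGES",
}

if __name__ == "__main__":
    beyond, dormant = audit(SAMPLE_DUMPSYS, EXPECTED_FOR_AVATAR_APP)
    print("granted beyond expected scope:", beyond)
    print("declared but not yet granted:", dormant)
```

On a real device, pipe `adb shell dumpsys package <package>` into `parse_dumpsys`; the "dormant" list matters because a permission the app has declared in its manifest can be requested with a prompt at any later update, so it belongs in the review even if it is currently denied.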
Views were split on whether apps listened to users’ conversations using a device’s microphone.
Mr Biasini argued that this was a common misconception, adding: “While it’s true that some app permissions can grant always-on access to the microphones and record audio, recorded audio is rarely used for targeted advertising. The accuracy of targeting may seem like they’re listening, but advertisers have more than enough data associated with your online presence.”
Mr Prakash said online advertisements for products have popped up shortly after he had talked about them near his phone. He added: “I believe this has happened to me at least twice. For this reason, I turn off location tracking for WhatsApp in the background and I only leave the mic on for calling apps that I absolutely need.”
What are some practices I should adopt to ensure my device is safe?
Users should install updates as soon as they are available, as “zero-day attacks” that exploit vulnerabilities in a system before developers can find a fix are common, said Mr Prakash. Consumers can also set their devices to install updates automatically, so that patches are not delayed and the device is not left exposed in the meantime.
Unique passwords for each app, coupled with two-factor authentication, will also go a long way to protect users, he added, warning users not to use the same password across multiple accounts.
If leaked, identical passwords can provide hackers with the means to access multiple accounts, and this information can be sold on the Dark Web, said Mr Prakash.
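Two checks follow directly from this advice: whether a password already appears in a leaked corpus, and whether the same password is used on more than one account. The block below is an added example, not code from the article or from any service it names. It checks a password against Have I Been Pwned’s Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) the way password managers do, sending only the first five hex characters of the SHA-1 hash and comparing the returned suffixes locally, so the password itself never leaves the device. The range response used in the offline demo is constructed, not a real reply, and the account list is made up; the `hibp_fetch` function performs a live lookup and is only there for use outside the demo.

```python
"""Breach check via k-anonymity (SHA-1 prefix) plus password-reuse detection.
Added example; CONSTRUCTED_RANGE is a made-up response, not real HIBP data."""
import hashlib
from collections import defaultdict


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines from the range endpoint into a dict.
    Padded entries (Add-Padding: true) carry count 0 and are ignored by
    breach_count because a 0 is treated as 'not seen'."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response text. Returns how many times the
    password appears in known breaches, 0 if unseen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def hibp_fetch(prefix):
    """Live lookup against the real endpoint (not used by the offline demo).
    Add-Padding hides the true number of matches from a network observer."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-breach-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def find_reuse(accounts):
    """accounts: {account_name: password}. Returns groups of account names
    that share a password. Grouping is done on a hash so plaintext passwords
    are not kept in a second structure."""
    by_hash = defaultdict(list)
    for name, password in accounts.items():
        by_hash[hashlib.sha1(password.encode("utf-8")).hexdigest()].append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]


# Constructed response for the prefix of SHA-1("password"); the count is made up.
CONSTRUCTED_RANGE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\n"
    ),
}


def fake_fetch(prefix):
    """Offline stand-in for hibp_fetch; unknown prefixes get an unrelated entry."""
    return CONSTRUCTED_RANGE.get(prefix, "00000000000000000000000000000000000:1\n")


if __name__ == "__main__":
    # Constructed account list for the demo.
    accounts = {"bank": "password", "shop": "password", "mail": "Xq7!vL2#pr9-mail"}
    for name, pw in accounts.items():
        print(name, "seen in breaches:", breach_count(pw, fake_fetch))
    print("accounts sharing a password:", find_reuse(accounts))
```

Swap `fake_fetch` for `hibp_fetch` to query the real service; the same prefix-only design means the service learns at most that one of roughly a million candidate hashes was checked, not which one.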
Users may be familiar with the single sign-on options offered by Google, Facebook and Twitter, which let them register for and log in to an app or website through that third-party platform instead of remembering a separate password for each.
Single sign-on protects a user’s password if the app it is linked to is hacked, because the app never receives the password, only a token issued by the platform for that app. The token can still be misused if the app’s own servers are breached, so what is shielded is the credential, not the data the user has put into the app.
Mr Biasini said: “If an app that uses third-party logins is compromised, the user’s password isn’t compromised because third-party login services do not share the user’s actual password.”
Ms Wong of LogRhythm said that this option is generally safe as it is tied to major online platforms that have a lot at stake should a breach occur. But she warned users to use the single sign-on option only with reliable services, as it would not be a surprise to see phishing links masquerading as a login page for Google or Facebook, given the proliferation of phishing scams.
And while convenient, using a third-party login also usually grants permissions for social media giants to harvest more data from users, said Ms Wong.
She added: “The question is, do you trust the service provider? If you’re okay with that, that’s the price to pay for convenience.”