Why Nimses isn’t safe (so far)

The trendy Nimses social network has a ways to go in terms of security and privacy.

Post updated on September 25, 2018, with updated parts in italic.

Nimses is a new social app that was developed in Ukraine and is now trending in Russian-language app stores. Why should I be interested in yet another social network, you may ask. Well, the idea behind this one is quite catchy: In Nimses, users can monetize the time they spend in the app.

What is Nimses?

For every minute you’re active in Nimses, you earn 1 nim (nims are Nimses’ internal currency; estimated worth is about 1,000 nims to the dollar). You can transfer nims to other users, accept nims, and earn and spend extra nims by performing certain actions such as getting people to like your photos, and liking theirs. The developers stated that it would be possible to use nims to pay for actual goods outside of the app, but for now only a few coffee shops and burger joints accept them, mostly just for the sake of PR.

However, we’ve chosen this topic for a Kaspersky Daily post to talk not about monetization but about privacy and security.

Updated: At present, after registering with a mobile phone, you are invisible by default. To become visible to other users, you must add more information about yourself: photo, gender, date of birth. Additionally, when registering, you can give an alias instead of your real name. Your real name can be specified in the “Private data” section of the account settings.

What privacy?

You can register yourself in Nimses with a mobile phone number. After that, it’s a pretty normal social media sign-up process requiring nickname, real name, date of birth, city, and gender. Also, you can add information about yourself and a profile picture. But here’s the thing: All of that information — real name, age, and so forth — will be visible to all users immediately. The app has no privacy settings.

Updated: The first post costs 100 nims. They are easy to earn — just spend a short amount of time in the app, for example, looking at other people’s accounts or tinkering with the privacy settings.

Nimses – the new social network

Once you’ve registered, you can publish several pictures for free. Visitors who would like to get to know you can see those pictures. After that, publishing a picture that will be visible to everyone within 2 km (1.2 miles) costs 100 nims. You can check out pictures of users around you and tap on the “Like” button for 10 nims and up.

In essence, Nimses looks like a hybrid of Instagram and a dating app, with the addition of in-app currency incentives — and a troubling lack of privacy controls.

There you are

By default, the application requires continuous access to the user’s location: Wherever you go, you are traceable. That means in addition to all of the information that you willingly enter for everyone to see, the Nimses app also tosses in the extra feature of locating you with ease.

In Nimses, all of your friends can see your location. And any Nimses user in a radius of 2 km can see how far you are from them. If you also add geolocation data to your posts, then tracing your movements becomes even easier.

Updated: Currently, your location can be determined from the most recent photo you posted, which is displayed on the map for all users. There is no geolocation data for previous photos in the account.

It bears repeating that you cannot change your privacy settings inside the app — there’s simply no way to do that.

There are no privacy settings in Nimses so far

Updated: The Nimses development team has reworked the privacy settings and added many useful options.

First, it is possible now to allow or block sensitive options such as searching for you by phone number and accessing your contacts. You can also allow or block the use of your photo by face-recognition technology to confirm that your account is real. Therefore, you need to upload a real photo to be able to make full use of all app features.

Second, users can choose whether the app is allowed to use their personal data for market research and mass mailings.

Third, and this is quite important, users can request a copy of all data stored on the Nimses servers. For security reasons, the developers send the data archive by e-mail, and the archive password is sent in an app message.

Another option is “Delete active sessions.” This protects users against unauthorized account access from devices on which they forgot to sign out of their account.

Nimses will track your location

If you turn off location services for Nimses, the app will not work. You cannot effectively disable location tracking in Nimses.

Nimses is always tracking your location

The closest alternative is to adjust location services permissions for the app in your smartphone settings. For example, in iOS, you can enable location services only when an app is active, which means that the app can trace you only when you’re using it, not when it is running in the background.

Turn off tracking for Nimses

The user picture cannot be changed

The current version of the app does not allow changing, deleting, or editing of user avatars. Therefore, after you have published a picture with your face, you will be unable to replace it with another one or delete it.

Updated: Nimses now lets you change your userpic. To do so, add a new photo and delete the previous one.

You have two options here. You can either live with the avatar you chose or delete your account. The latter is not that easy.

How to delete your Nimses account

The developers state that at this stage of development, the app has no means to delete an account automatically. To delete your account, you have to contact the support team by e-mail. Then, you can only wait until the account has been deleted. As of the time of publication, we have been waiting for four days, and the account is still there.

In Russian: your account will be deleted soon. Regards, the Nimses team

Updated: The developers added an account deletion function to the app settings. If the user has second thoughts, a deleted account can be restored within 7 days.

Instead of deleting your account, you may just delete the app or turn off Nimses’ permissions to access everything you can find in the settings of the operating system.

App settings in iPhone for Nimses

What else?

Besides unpleasant aspects that are related to the privacy settings of the application, there are also exasperating factors such as spam, advertisements, offers of sexual services, and other similar content generated by users and bots. Nimses has quite a number of these.

Text is in Russian, but the picture speaks for itself. Nimses is the new Tinder + Instagram + Bitcoin

Updated: Nimses now contains noticeably less blatant spam and annoying content. When viewing post feeds in different regions and cities, everything basically looks the same. Lots of photos of beautiful girls, post requests for account verification (confirmation that you’re a human), and a few ads for goods and services.

We find the following the most confusing aspect of Nimses’ terms: Users must be 12 years or older — yet the app’s content is just like that of common dating applications and websites with ages restricted to 18 and up (Tinder, OKCupid, and similar).

About Nimses

Conclusions

At this stage, the Nimses app is extremely raw and contains many flaws that not only irritate people but also make them feel really uneasy. First and foremost, we are talking about the inability to delete your account and change your avatar.

Updated: The developers have been working hard on the app for more than a year. Almost all of the privacy issues that existed at initial launch have been fixed. The app is more user-friendly, the privacy settings have been expanded, and users’ personal data is now handled in a more transparent way.

Nimses seems more like an app for meeting people than a full-fledged social network. Users may be as young as 12, but the content may not be at all appropriate for teens and tweens. The Nimses in-application currency, nims, is still largely useless in the real world and is circulated mostly inside the app. That is just like any mobile game where you can spend your earned in-game gold for in-game bonuses.

Updated: Note that publicity and activity remain the twin aims of the social network. Unlike with Instagram, for example, there is no option to share photos with 10 friends just like that. That’s not what the Nimses app is about. It’s about public activity for which you get paid in nims, and you decide for yourself how to spend them.

The developers may yet iron out the kinks in the app, address user privacy, and implement decent antispam and antibot features. Until they do, Nimses is not safe to use.

Updated: The developers have done a great job making the app more secure and enjoyable to use, more than justifying our hopes. It’s now much safer to use Nimses. However, users must be careful anyway, and never forget that oversharing online can harm them offline.
