June 16, 2017

Why Nimses isn’t safe (so far)


Nimses is a new social app that was developed in Ukraine and is now trending in Russian-speaking app stores. Why should I be interested in yet another social network, you may ask. Well, the idea behind this one is quite catchy: In Nimses, users can monetize the time they spend in the app.

What is Nimses?

For every minute you’re active in Nimses, you earn 1 nim (nims are Nimses’ internal currency; estimated worth is about 1,000 nims to the dollar). You can transfer nims to other users, accept nims, and earn and spend extra nims by performing certain actions such as getting people to like your photos, and liking theirs. The developers stated that it would be possible to use nims to pay for actual goods outside of the app, but for now only a few coffee shops and burger joints accept them, mostly just for the sake of PR.

However, we’ve chosen this topic for a Kaspersky Daily post to talk not about monetization but about privacy and security.


What privacy?

You can register yourself in Nimses with a mobile phone number. After that, it’s a pretty normal social media sign-up process requiring nickname, real name, date of birth, city, and gender. Also, you can add information about yourself and a profile picture. But here’s the thing: All of that information — real name, age, and so forth — will be visible to all users immediately. The app has no privacy settings.


Once you’ve registered, you can publish several pictures for free. Visitors who would like to get to know you can see those pictures. After that, publishing a picture that will be visible to everyone within 2 km (1.2 miles) costs 100 nims. You can check out pictures of users around you and tap on the “Like” button for 10 nims and up.

In essence, Nimses looks like a hybrid of Instagram and a dating app, with the addition of in-app currency incentives — and a troubling lack of privacy controls.

There you are

By default, the application requires continuous access to the user’s location: Wherever you go, you are traceable. That means in addition to all of the information that you willingly enter for everyone to see, the Nimses app also tosses in the extra feature of locating you with ease.

In Nimses, all of your friends can see your location. And any Nimses user in a radius of 2 km can see how far you are from them. If you also add geolocation data to your posts, then tracing your movements becomes even easier.

It bears repeating that you cannot change your privacy settings inside the app — there’s simply no way to do that.


If you turn off location services for Nimses, the app will not work. You cannot effectively disable location tracking in Nimses.


The closest alternative is to adjust location services permissions for the app in your smartphone settings. For example, in iOS, you can enable location services only when an app is active, which means that the app can trace you only when you’re using it, not when it is running in the background.


The user picture cannot be changed

The current version of the app does not allow changing, deleting, or editing of user avatars. Therefore, after you have published a picture with your face, you will be unable to replace it with another one or delete it.

You have two options here: you can either live with the avatar you chose or delete your account. The latter is not that easy.

How to delete your Nimses account

The developers state that at this stage of development, the app has no means to delete an account automatically. To delete your account, you have to contact the support team by e-mail. Then, you can only wait until the account has been deleted. As of the time of publication, we have been waiting for four days, and the account is still there.

In Russian: your account will be deleted soon. Regards, the Nimses team

Instead of deleting your account, you may just delete the app, or go to the operating system’s settings and turn off every permission for Nimses that you can find there.


What else?

Besides unpleasant aspects that are related to the privacy settings of the application, there are also exasperating factors such as spam, advertisements, offers of sexual services, and other similar content generated by users and bots. Nimses has quite a number of these.

Text is in Russian, but the picture speaks for itself. Nimses is the new Tinder + Instagram + Bitcoin

We find the following the most confusing aspect of Nimses’ terms: Users must be 12 years or older — yet the app’s content is just like that of common dating applications and websites with ages restricted to 18 and up (Tinder, OKCupid, and similar).


Conclusions

At this stage, the Nimses app is extremely raw and contains many flaws that not only irritate people but also make them feel really uneasy. First and foremost, we are talking about the inability to delete your account and change your avatar.

Nimses seems more like an app for meeting people than a full-fledged social network. Users may be as young as 12, but the content may not be at all appropriate for teens and tweens. The Nimses in-application currency, nims, is still largely useless in the real world and is circulated mostly inside the app. That is just like any mobile game where you can spend your earned in-game gold for in-game bonuses.

The developers may yet iron out the kinks in the app, address user privacy, and implement decent antispam and antibot features. Until they do, Nimses is not safe to use.