Released in early 2020, Koo, an app co-founded by Indian entrepreneurs Aprameya Radhakrishna and Mayank Bidwatka, has quickly risen to fame amid the #BanTwitterInIndia motion. What appears to many to be a yellow version of Twitter, Koo — the winner of the Indian government’s Aatmanirbhar Bharat app challenge from 2020 — seems to have gained over 3 million users over the past couple of weeks during the spat between the Centre and Twitter.
While various ministers and celebrities have already made a public move onto this platform, certain experts from the cybersecurity industry have begun to question the security of the Koo app vs Twitter app.
Is Koo Really a Security Threat?
French cybersecurity researcher Baptiste (commonly known as Elliot Anderson), who also highlighted vulnerabilities in the Aadhaar system, tweeted earlier this week, saying:
“You asked so I did it. I spent 30 min on this new Koo app. The app is leaking personal data of its users: email, dob, name, marital status, gender”
However, soon after claims that the app was “leaking personal data” and “is funded by the Chinese,” Koo stepped forward to address these claims:
Addressing Security Risk Claim 1: Leaking Personal Data
According to Koo, only the information that users fill in on their public profile page is available to the public. Users share this information themselves when they join the app.
Addressing Security Risk Claim 2: Linked to China
Koo released a statement saying that Koo is an Indian company with Indian founders. It is registered in India as well. Recent investments that were made in Koo’s parent company, Bombinate Technologies, were by an Indian investor, Mohandas Pai of 3one4 Capital. However, there is one single-digit shareholder in another startup by the parent company, Shunwei, who will be exiting fully.
Koo app is exposing users’ personal data, claims a French cybersecurity researcher. NDTV’s Roobina Mongia with the latest updates pic.twitter.com/HrwZDrvcLg
— NDTV (@ndtv) February 11, 2021
In addition to this, International Business Times has also conducted its own research, stating that the available resources show that the app is secure. Furthermore, users can skip providing information and sign up with just their phone number.
Is Twitter as Secure as We Think It Is?
In July 2020, Twitter released a statement that 130 high-profile accounts appeared to have been hacked. The breach saw the profiles of U.S. President Joe Biden, former U.S. President Barack Obama, Elon Musk, Bill Gates, Kanye West, and many others tweet a Bitcoin scam to millions of their followers.
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
— Twitter Support (@TwitterSupport) July 15, 2020
The attack has been traced back to the fact that “too many people had access to too many things” and the possibility that some of their employees were victims of a phishing attack.
Are Koo and Twitter Our Only Choices?
While Koo has been the latest app to rise to fame as an alternative to Twitter, it is certainly not the only one. We have previously witnessed the Tooter app (from India) that gained popularity in November 2020 by presenting itself as a “swadeshi” alternative. Many ministers quickly jumped onto the app, but didn’t stick around for long.
Another app that gained popularity in November 2019 was the Mastodon app. However, seeing as it was an open-source and distributed or federated social network, where anyone could host their own server, people quickly started switching back to Twitter.
Our years of experience in the industry have taught us that no app can ensure 100% security. Vulnerabilities are constantly emerging, even as you read this, and our only solution is to ensure that we stay one step ahead. However, application vulnerabilities can be reduced if application security is ensured at all levels of the SDLC.
Also, seeing how the major Twitter hack of 2020 that put thousands of verified profiles on hold came to be through a few phishing scams, ensuring cybersecurity awareness is a must. Regular phishing simulations and cybersecurity training can help reduce cyber risk in an organization.