December 9, 2022

TON: Wallets Privacy and Security

This is a very important topic, please be prepared for a little bit of a long read!

🇷🇺 Russian translation is here.

🇨🇺 Spanish translation is here.

First, let's address some basic principles, such as open source vs closed source, and independent assessment by qualified experts.

Until now there has been absolutely no independent assessment by qualified security and privacy experts of any of the TON wallets.

Yes, the TON Foundation themselves claim to have done so; however, this is not independent: TON Foundation and Tonkeeper are one and the same thing.

Thus, Tonkeeper has had no independent privacy and security assessment to date.

TON Foundation, on the other hand, has also reviewed the Tonhub API and found it to be secure. This is an assessment we can, at least on the face of it, give some credence to, because the TON Foundation and Tonhub Whales aren't exactly friends.

If TON Foundation has also reviewed the Tonhub wallet, then it isn't clear what exactly they have reviewed and how it relates to past or current versions of the Tonhub wallet.

Tonhub wallet is open source, and Tonkeeper was closed source for an entire year, until recently. So, let us now address the issue of open source vs closed source and how the publishing of code relates to security and privacy issues.

Open Source, in this context, we take to mean that the code is available for anyone to inspect. Thanks to Tonhub having open source code, we can, for example, check the code and see that they spy on all their users and also associate them with addresses.

This is fine for the geeks who can look at such code and make sense of it, but it is meaningless for the general public, which is why independent certifications mean something, provided they are from reputable independent professionals.

The TON blockchain itself was recently reviewed by Certik and some issues that were not paramount to security were found and fixed, and this report was openly published by the TON Foundation. Therefore, we can have confidence in the open source TON.

Thus, as TonSafe is using the open source "The Open Network", we can have confidence in the blockchain itself, which TonSafe has no input or control over.

So, what about the API which TonSafe uses to connect to the blockchain? As there are existing open source APIs that can be used and which are already developed by experts in the TON blockchain, we chose to use one of those, rather than create it ourselves.

To create such an API by ourselves would introduce an additional responsibility which we were not ready to take on given the resources available, and we chose the Tonhub API precisely because it is not part of TON Foundation but has been approved by it.

As we stated earlier, the TON Foundation's own API would need to be independently reviewed, and at the time it had not been. On the basis of what was explained earlier, it therefore makes sense to use the Tonhub API, which carries an MIT license.

Therefore, TonSafe is not responsible for the TON blockchain nor the interface between the wallet and blockchain, namely the API. Both of these can be presumed secure given the number of qualified blockchain technicians that have access to them.

Our responsibility then lies exclusively with the wallet app itself: to ensure maximum safety, security and privacy for TonSafe wallet users. So, let us now address wallets.

As you will have understood, the wallet is like a front end that you interact with to perform actions on the blockchain, which could be considered a back end, or database, and the invisible interface between the two is the API.

Before we move on to then look at the privacy, safety and security of wallet front end apps, in general, let us first address some security philosophy around open source versus closed source.

As we said earlier, open source is a good thing because it allows those of us who can make sense of it, to inspect code for any back doors or vulnerabilities. From this we can see that Tonhub collect all sorts of privacy-invasive data on their wallet users.

This can serve to assist in development, especially of user experience (UX) and user interface (UI), both of which the Whales team are very weak on, because they can analyze everything you tap on and everything you do in the wallet. But do you really want this?

As a wallet user, do you want to trust a team that has a dubious history around mining, all visible in their chat, and covered elsewhere, or indeed, anyone including TonSafe, when you do not know us personally, with such privacy-invasive information?

Do you want to have every interaction with your wallet tracked almost as if, or even more accurately than as if, someone is looking over your shoulder? Yes, they can't get your 24 secret words from Mixpanel tracking, but pretty much everything else.

They get your wallet address and exactly what you have done throughout the app, when and where you tapped, which window you opened, and what you did in that window. TonSafe absolutely does no such thing, and you need to check whether Tonkeeper do, as we haven't looked at their code; we're more concerned with our own code.

So open source is a good thing in the sense that we can see that Tonhub is not a wallet anyone who does not want to be spied on should use. As if that isn't bad enough, Tonhub also have an address book where all your contacts' names and wallet addresses are stored on the Tonhub server, so they can merge all of this data.

Tonkeeper, until fairly recently, and for more than six months, connected to all manner of privacy-violating big tech companies including Google. This was even easily visible to iPhone users, who could use the Privacy feature to check where Tonkeeper was connecting. Thus both Tonkeeper and Tonhub are extremely cavalier with privacy!

But are there downsides to open source code? Certainly. A bad actor can review code which they otherwise would not have access to, and find a vulnerability that no one else had noticed. Even the "top programmers in the world" made mistakes:

Remember, Certik identified several issues that the "top programmers in the world" (those of Telegram/TON Foundation) had missed. And they quickly patched them. But what if this review had not taken place, and what if there was a more serious undiscovered vulnerability?

"Andrew Python", another top capable programmer on the Tegro team, had found such a vulnerability and managed to empty the wallet of a TON gambling site. If he had been a bad actor, he could have simply kept all the money, and stayed quiet about it all.

So the downside of open source is that you are relying on capable and qualified people to actually check, and then to report it quietly and have it fixed, before it goes public. There was a recent open source contest many months ago which found a number of bugs in the wallets, and some of these bugs still haven't been fixed!

Has anyone made any noise about any of these issues? No. So bad actors could manipulate weaknesses in the code, or even in the security strategy, or use other forms of engineering to take advantage. Not publishing code stops such problems.

And let us not forget that the TON Foundation, which claims to be all about supporting open source projects only, and not closed source, was all along supporting, and in fact owning, the Tonkeeper closed source wallet. So let us not fall for that argument.

So, what about the three main competing wallets as front ends?

Firstly, Tonkeeper, as we said, has never been independently reviewed. We are unaware of any funds ever having been lost other than as a result of poor UI and lack of safety features; one such vulnerability was even mentioned in the support chat by a distraught user who sent his coins to the wrong address.

Instead of fixing this issue, many months later with many updates since then, Tonkeeper have not bothered. Instead, they shut down their public support chat and now all the support requests go directly to the poor hapless Denis.

Again, shutting down a public support chat is not necessarily a bad thing: at least others who lose their coins with Tonkeeper, in at least two common ways that I know of, won't have an audience made aware of these weaknesses, including bad actors.

And with TON-Telegram itself heavily centralized around the ton.org website and owning and promoting Tonkeeper and its various other projects such as Fragment, there is no need to worry about promoting a wallet that lacks in UI/UX quality.

Secondly, Tonhub, as we mentioned above, openly tracks everything and even saves your contacts, should you add them, to their own web server. The idea of most users of cryptocurrency is that while the blockchain itself is open, they guard their privacy and ownership or association with a particular wallet address.

This is of course completely destroyed when the two are linked, and gives Tonhub Whales a wealth of information about who exactly their users are, which IP addresses they are located at, and what exactly they do with their wallets, in fine detail.

But never mind, it is all open source, right? Including your personal privacy. And that could even be related to your personal security. And never mind the glaring lack of safety features, and the ability to "send all" your balance, something you won't find in any banking app nor in TonSafe.

And never mind that both Tonkeeper and Tonhub deceive their users, and Apple, by creating a fake delete account button (and in Tonhub's case even encouraging users to send all their remaining balance to Whales themselves), while TonSafe again does no such thing: we clearly inform users that an account cannot be deleted from the blockchain.

Thirdly, TonSafe, conceived for the very reason that there wasn't any TON wallet that understands UI/UX and safety issues as well as the features required for professional and business use, has always taken care of privacy as a priority.

TonSafe has been planning an address book or contact list since long before the other wallets. However, as always, TonSafe never releases anything still in beta, without adequate testing. So when this is released, you will see that it is far superior to the competition but also fully takes care of your privacy: everything stays on your phone.

And as if, after reading this, you would still want to trust the other wallets more, simply because they have been around longer: TonSafe has been in development since April this year, after several months of research into the lack of required safety features of the other wallets, and only after months of testing was released into the app stores.

And it was not released as beta: the other wallets still label themselves as beta, to protect themselves against any liabilities and responsibilities for loss of your coins. TonSafe is not open source code, and certainly is not Beta. We have confidence in our front end, which is developed with great care and attention to detail and your safety.


Ref: https://developer.mixpanel.com/docs

Ref: https://github.com/tonwhales/wallet