Yik Yak – what security-conscious users need to know

Anonymous local messaging app Yik Yak has gone from being a tiny start-up founded by two American frat house brothers to being described as the ‘hottest messaging app in the world’ in just over a year, according to The Guardian.

The app, which allows users to post and browse a selection of GPS-located, anonymous comments within a few miles of their position, raised $62 million in funding in November – having hit 100,000 users in February 2014, according to GigaOm.

It has rapidly become popular with U.S. high school and college students, and the free Android and iPhone app is now becoming popular with young people in Europe and elsewhere.

Since launch, it has attracted controversy over alleged cyberbullying. The app is anonymous, but hyper-local, and Yaks can be rapidly reposted (ReYaks), and upvoted, which critics allege is ideal for bullying or harassment.

The anonymous app was also recently shown to be vulnerable to de-anonymizing attacks from users on the same Wi-Fi network.

The app was rapidly patched by Yik Yak once the company was notified of the vulnerability.

So how safe are you on Yik Yak? We break down the ins and outs of the new app on Android and iOS below.

How Yik Yak works

Yik Yak is like a bulletin board, or a hyper-local version of Twitter, where users post entirely anonymously – you don’t sign up, or have a username.

Instead, the app GPS-locates your device, and you are automatically added to a board of people within a few miles, barring areas where the service is banned, which are ‘geofenced’ off.

Posts are anonymous, and can be upvoted and downvoted – with users scoring ‘Yakarma’ for highly rated posts.

Why schools and campuses don’t like it

In theory, Yik Yak is aimed at students aged 17-plus, but the anonymous nature of the device – no username, no password, no credit card – means this is extremely difficult to police, as reported by Daily Dot.

Huffington Post and CNN have reported instances of cyberbullying using the app – with the Huffington Post describing it as a ‘toilet wall’.

Yik Yak responded proactively by blocking the app within school grounds throughout North America, using GPS ‘geofencing’ to block users from accessing it within 85% of schools.

Are you really anonymous?

You are, in theory. Yik Yak stores a User ID, a randomized string of digits based on your device’s ID, which is used to identify your posts.

It does not store, or share, your email address or phone number. But the data it does store – device ID, GPS location, IP address – is ample to identify people within a small geographical area, and it is shared with advertisers.

When you Yak (i.e. post), a small Google Map showing your approximate location is attached. If you are in a sparsely populated area, you could be identified using this feature.

Could other users identify you from Yaks?

Yik Yak has a zero tolerance policy for posting phone numbers within the app – but other forms of identification, such as mentioning someone’s clothing, or where they are standing, are difficult if not impossible to block, CNN points out.

As with other ‘anonymous’ apps such as Snapchat, you have no control over others screenshotting your Yaks, or over who they appear to.

People can also share Yaks directly from the app with other social networks.

This means that discussions could be traced back by malicious individuals – particularly if you have said something controversial.

Who can see my Yaks?

Pretty much anyone with the app can see your Yaks – due to features such as Peek which allow users to see what people in other locations are talking about.

The app also offers streams of conversation on particular topics, so people can search for and read Yaks using key words.

For privacy-conscious students, this means that, yes, your Mom could be reading your Yaks.

It’s also worth noting that the app itself stores a clear record of all your Yaks.

So if you do post controversial content on the site, you are vulnerable to others reading it from your smart device.

How does Yik Yak use my data?

Yik Yak encrypts data, and identifies users only by their User ID, and does not store details such as credit card numbers – however, it relies on advertising to make a profit.

This means that your data is being handled by third-party companies, including for location-based adverts.

Yik Yak also makes a point of the fact that while Yaks are anonymous, users can be identified by other means: ‘we cannot prevent others from determining your identity from the content you post or how you share content through third party sites,’ the site says.

Should I worry about being de-anonymized?

The recent security alert over Yik Yak was rapidly patched by the company – but anonymous messaging services such as Snapchat and Secret have been repeatedly targeted by attackers.

As with any internet messaging service, messages are out of your control once you have posted them.

They can be reposted, shared via other networks, or otherwise stored.

Never post anything you would not want your boss, wife, mother or bank manager reading.

Yik Yak recently secured $61m in second-round venture capital funding: as The Guardian notes, this may well be enough to ensure that the company pays attention to privacy issues as it expands.

Author , We Live Security

Copyright © 2016 ESET, All Rights Reserved.