Woman using smartphone showing superapp and privacy

The Great Superapp Dilemma: Business Ambitions vs User Privacy

As we get further into 2024, the global race to develop the ultimate superapp continues.

Businesses across the world are fiercely expanding their services to create all-encompassing platforms that cater to diverse user needs.

We’ve seen it In Southeast Asia, with Grab and Gojek having emerged as prominent contenders, rapidly evolving to offer everything from food delivery to digital payments. We’ve seen it in China, where tech giants Tencent and Alibaba have transformed WeChat and Alipay into multifunctional superapps, integrating messaging, social networking, financial services, and e-commerce. And of course, more recently, the US’ very own Elon Musk laid his intentions to expand X into ‘the everything app’ on the table.

But while there’s clearly intense ambitions at work here, where businesses are vying to become the go-to platform for users’ daily activities, what’s not clear is whether superapp development is coming at the expense of our privacy?

Operational challenges of managing vast volumes of accessible data

If we put privacy aside for a moment, the benefits of a possible superapp cannot be denied. We could say goodbye to the hundreds of online accounts that operate as an isolated silo managed by unrelated services and domains and the chore of updating account details across them all, one by one.

And, as well as promising a much simpler user experience through a single application, it would unlock new convenient services using a broader set of data, and allow for increased innovation that adds value for users – such as unified health metrics, consolidated banking services, cohesive government-related accounts, integrated social networks, or unified marketplaces.

However, managing vast volumes of accessible data – which has grown excessively since the era of big data, and will no doubt continue with the advent of AI – is operationally challenging to say the least.

Back to the topic of privacy. Users are likely to feel uneasy about the extent of information a single superapp brand could possess regarding their individual preferences, raising real concerns about privacy and data control, which in turn could affect app uptake.

Technology addressing privacy concerns

With these concerns in mind, companies working on superapp development must address issues including managing and recovering from identity theft, securing data against breaches, and ensuring that data access aligns with the user’s consented sharing policy. Thankfully, there are a host of existing and emerging technologies specifically addressing these concerns, including:

  • Authentication technologies: Multi-factor authentication (MFA) – a technology in common use today – can be used to add an extra layer of protection by requiring users to provide multiple forms of verification before accessing their accounts, thus mitigating the risk of identity theft. Biometric authentication is another advanced and secure method also in use today that utilises unique physical traits such as fingerprints or facial recognition. Additionally, looking ahead, the adoption of federated identity mechanisms, such as FIDO (Fast Identity Online) or OpenID Connect, hold promise. These mechanisms not only enhance security, but also streamline user authentication processes across various platforms, offering a unified and secure approach to identity management within the SuperApp ecosystem.
  • Fully Homomorphic Encryption (FHE): FHE is a type of encryption that supports data processing without requiring decryption and is a game-changer with regards to securing data against breaches. Users manage their own individual private key in a local device, and the superapp backend only collects and processes data that is encrypted. The use of this technology alone makes data breaches and a whole category of cyberattacks completely nullified for both users and service providers alike. With FHE, all the data attached to a user account remains confidential at all times, irrespective of whether it originated from that user in the first place, or is the result of subsequent processing by the superapp service. The user may also publish a public FHE encryption key so that any other user can post additional encrypted data on their account to enrich their data store.
  • Multi-Party Computation (MPC): This technology provides a feature that complements an FHE user’s unique ability to decrypt their encrypted data using FHE. It allows a quorum of designated entities to engage in a collaborative protocol that re-encrypts that data blindly, so that the data becomes decryptable by a second user who was granted read-access by the first. This re-encryption can occur without the user one’s involvement, but under very specific conditions on user two, and a preliminary consensus that these conditions have been met must be reached between the designated entities.
  • Attribute-Based Credentials (ABCs) function as advanced digital signatures, providing entity authentication while preserving the desired level of anonymity for the authenticating entity – in this case, user two. In the superapp framework, user one issues user two an access token that grants access to their data while allowing user two to maintain varying degrees of anonymity, determined by user one. Following issuance, user two can prove ownership of a valid token issued by user one without revealing it, using a zero-knowledge method. This triggers a multi-party re-encryption, and user two can then decrypt the re-encrypted data using their private key.

When it comes securing data access in line with a user’s agreed sharing policy, this is a tough task for service providers – especially doing it in an auditable and legally binding way. Here, we need to consider how much control users have over their shared data and what processes exist for user consent in the superapp. Looking at it from a cryptographer’s viewpoint, cybersecurity countermeasures and so-called security certificates are seen as unreliable and should be completely replaced with stronger cryptography.

While many cryptographic tools are available, they are also often underused in consumer-facing tech. Advanced cryptographic methods like FHE, MPC, and ABCs mean that a superapp can ensure that users have full control over how their data is shared, specifying details like who has access, for how long, and with what permissions. This system stays within legal limits while granting users granular control.

Other guarantees offered by this route include the service itself not having excessive privileges, ensuring all actions come from the explicit consent of users, and it can offer full auditability and legally binding authenticity of all logged events, while supporting various levels of user anonymity to deter mass surveillance.

Superapp’s promising future

While the future of the superapp is admittedly not obstacle-free, advanced cryptographic mechanisms hold great promise in allowing companies to balance superapp functionality without compromising user privacy.

As security threats evolve, staying at the forefront of these emerging technologies will be imperative for Superapp developers to ensure a resilient defence against data threats.