Some people may consider the API dangerous. That concern is completely understandable, but it is not necessary. Let's look in detail at the security of importing from an exchange:
1. API key
An API key is confidential information used to operate your exchange account programmatically, including viewing information, transactions, withdrawals and deposits. Someone getting your API key will not result in the theft of assets, because you can set "read-only" permission for the API key. In addition, no one can get your private information through the API, such as your email address or phone number (with minor exceptions: the BitMEX API provides the email address), which means nobody knows who you are.
All but a handful of exchanges support read-only permissions. If you have set read-only permission, the worst thing someone can do with the API key is view the balances of your assets and your records (they can't know who you are).
3. API key is only stored on your phone
To protect your API key further, we will not upload it to our server. Of course, keeping it on your own mobile phone is not absolutely safe, so we recommend that you do not use a rooted phone, to reduce the possibility of the key being stolen by a hacker. If you have set read-only permission, no damage will be incurred even if someone else gets your API key.
Because the API key is only stored on your phone, you may need to create a new exchange connection when you recover your backup.
4. Safety Precautions
In general, importing from an exchange is very safe with the following security measures:
a. Set read-only permission by following the tutorial
This is the most important point: you don't have to worry about any problems when you use a read-only API key.
b. Don't save non-read-only API keys
Don't save keys in mailboxes, notebooks or memos. Don't worry about losing a key; you can recreate it afterwards.
c. Don't root your mobile phone
A non-rooted phone with the latest system is safe enough that you don't have to worry too much about API key theft. A rooted phone makes it easy for attackers to read API keys, which makes a non-read-only permission riskier.