Mobile dating apps come with hidden hazards


By Fahmida Y. Rashid, ThirdCertainty

With Valentine’s Day on the horizon, online dating services are flourishing. A recent study by IBM Security shows the mobile app versions are rife with security flaws.

In an analysis of 41 popular dating apps available on Google Play, more than half—63 percent—had medium- to high-severity security vulnerabilities, the study shows.

Mobile apps are often free or low-cost. However, they typically seek permission to access key components of the device hardware, as well as tap deeply into user data stored on the device. This sets up a perfect scenario for hackers.

Infographic: The hazards of digital dating

“Many consumers use and trust their mobile phones for a variety of applications,” says Caleb Barlow, vice president of IBM Security. “It is this trust that gives hackers the opportunity to exploit vulnerabilities like the ones we found in these dating apps.”

Many of the security issues IBM observed are related to granting excessive permissions. This includes the app gaining access to the camera, microphone, storage, GPS location, and even information saved in the mobile wallet. Many developers don’t think through which permissions the apps really need.

There have been reports of flashlight apps which request access to call logs, for example. For the most part, it is sloppy coding and not malicious intent, but excessive permissions can be abused.

Consider the attacker who gets a toehold on a victim’s device by luring the user to download a malicious app, or by conducting a man-in-the-middle attack over an insecure WiFi connection. In such an attack, the hacker intercepts trusted communications between two parties and slips in malicious code.

This hacker would now be able to view everything the vulnerable apps in this study could see.

Deep access

IBM Security found that nearly three-quarters of the analyzed apps could access current and past GPS data, which means attackers would know where the user lives, works, and spends time. Just under half of the apps exposed billing information saved on the device’s mobile wallet. The information can be used to make unauthorized purchases, IBM Security warns.

Other vulnerabilities included cross-site scripting flaws, debug flags left in production code, and weak random number generators, according to the researchers. Attackers could intercept the dating app’s cookies over an insecure WiFi connection or a rogue wireless access point, and tap into device hardware such as cameras.
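Cookie interception over an untrusted network and theft through a cross-site scripting flaw are both made easier when the server sets session cookies without the Secure and HttpOnly attributes. The following audit of Set-Cookie headers is an added example written for this article, not code from IBM Security or from any app in the study; the cookie name, value and headers are constructed for illustration.

```python
# Two constructed Set-Cookie headers: one as a weakly configured app backend
# might emit it, one hardened. The cookie name and value are made up.
WEAK_SET_COOKIE = "session=abc123; Path=/"
HARDENED_SET_COOKIE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value_or_True}).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return (cookie_name, [findings]) for one Set-Cookie header.

    Each finding names a missing protection and the exposure it leaves open.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("secure") is not True:
        findings.append("no Secure flag: cookie travels over plain HTTP and can be "
                        "read on an open Wi-Fi network or at a rogue access point")
    if attrs.get("httponly") is not True:
        findings.append("no HttpOnly flag: script injected through an XSS flaw "
                        "can read the cookie")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict: cookie is attached to "
                        "cross-site requests")
    return name, findings


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (header_name, value) pairs,
    as captured from a response to the app's own backend."""
    return [audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


if __name__ == "__main__":
    # Constructed response header list standing in for a captured HTTP response.
    response = [("Content-Type", "application/json"),
                ("Set-Cookie", WEAK_SET_COOKIE),
                ("Set-Cookie", HARDENED_SET_COOKIE)]
    for cookie, findings in audit_response_headers(response):
        status = "ok" if not findings else "; ".join(findings)
        print(f"{cookie}: {status}")
```

Run it against headers captured from your own backend in a test environment; a cookie with an empty findings list is the configuration the article's interception scenario cannot read in transit.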

Nearly half of the companies surveyed in this study had employees who used dating apps on the same devices they use for work-related purposes. So a person with control of the user’s microphone or camera could potentially eavesdrop on confidential business meetings or private conversations.

The man-in-the-middle attack can also be used to display a fake alert to trick users into downloading additional malware, or a fake login screen to phish account credentials from users. Exposing account credentials for a dating app seems like a small risk compared to losing account credentials for an online banking app.

However, an attacker who can intercept that information can log in to the dating site and hijack the user’s profile to harm the user’s reputation, or to use as part of a social engineering campaign against other individuals.

Choose carefully

While IBM Security researchers focused on dating apps, users need to think about how they interact with mobile apps on a broader level. When installing apps, it is important to review the permissions the app requests and assess whether the list makes sense. If the permissions requested feel egregious (like the earlier flashlight example), it may be worth looking for a less intrusive app. This check needs to happen whenever the app is updated, because many apps reset permissions as part of the process.
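The permission review described here, and the flashlight-app-wants-call-logs case from earlier in the article, can be turned into a repeatable check: compare what an APK declares against what an app of its kind plausibly needs, and diff the declared list again after each update. The script below is an added example, not code from IBM Security or from the study; it parses the text that `aapt dump permissions <apk>` prints (the sample output, package name and category expectations are constructed for illustration).

```python
import re

# Constructed sample of `aapt dump permissions <apk>` output for a hypothetical
# flashlight app. The package name and permission list are made up; the
# "flashlight app that wants call logs" mirrors the article's example.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.INTERNET'
"""

# A later build of the same hypothetical app (also constructed) that quietly
# adds the microphone: the kind of change only a post-update re-check catches.
SAMPLE_AAPT_OUTPUT_UPDATED = SAMPLE_AAPT_OUTPUT + \
    "uses-permission: name='android.permission.RECORD_AUDIO'\n"

# Sensitive permissions and what granting them exposes. A hand-picked subset
# for this example, not the full Android dangerous-permission list.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "shared storage",
}

# What an app of a given category plausibly needs. These sets are assumptions
# made for the example; adjust them to your own expectations.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "dating": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.CAMERA",
    },
}

# Accepts both `uses-permission: name='X'` (current aapt) and the older
# `uses-permission:'X'` form.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'")


def parse_permissions(aapt_output):
    """Return (package_name, [permissions in declaration order]) from aapt text."""
    package = None
    perms = []
    for line in aapt_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip()
            continue
        m = PERM_RE.match(line)
        if m:
            perms.append(m.group(1))
    return package, perms


def audit_permissions(aapt_output, category):
    """Sensitive permissions the app declares that its category does not justify.

    Returns a list of (permission, what_it_exposes) in declaration order.
    """
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    _, perms = parse_permissions(aapt_output)
    return [(p, SENSITIVE[p]) for p in perms if p in SENSITIVE and p not in expected]


def new_sensitive_since(baseline_output, current_output):
    """Sensitive permissions present in the current build but not in the baseline.

    Run after each update to catch permission creep that the install-time
    review would not have seen.
    """
    _, before = parse_permissions(baseline_output)
    _, after = parse_permissions(current_output)
    return [p for p in after if p in SENSITIVE and p not in before]


if __name__ == "__main__":
    pkg, _ = parse_permissions(SAMPLE_AAPT_OUTPUT)
    for perm, exposes in audit_permissions(SAMPLE_AAPT_OUTPUT, "flashlight"):
        print(f"{pkg}: {perm} is unexpected for a flashlight app (exposes {exposes})")
    for perm in new_sensitive_since(SAMPLE_AAPT_OUTPUT, SAMPLE_AAPT_OUTPUT_UPDATED):
        print(f"{pkg}: update added sensitive permission {perm}")
```

On a real APK, feed the script the output of `aapt dump permissions app.apk`; keep the baseline output from the version you first vetted so the update diff has something to compare against.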

While honesty may be the best policy, when it comes to social media and dating apps, users should hold back some information, such as where they work, where they live, and their birthday. Other security best practices apply, such as having unique passwords for every online account and using only trusted Wi-Fi connections.

“Some users may be engaged in a dangerous tradeoff – with increased sharing resulting in decreased personal security and privacy,” says Barlow.
