Mobile dating apps come with hidden hazards
By Fahmida Y. Rashid, ThirdCertainty
With Valentine’s Day on the horizon, online dating services are flourishing. A recent study by IBM Security shows the mobile app versions are rife with security flaws.
In an analysis of 41 popular dating apps available on Google Play, more than half—63 percent—had medium- to high-severity security vulnerabilities, the study shows.
Mobile apps are often free or low-cost. However, they typically seek permission to access key components of the device hardware, as well as tap deeply into user data stored on the device. This sets up a perfect scenario for hackers.
Infographic: The hazards of digital dating
“Many consumers use and trust their mobile phones for a variety of applications,” says Caleb Barlow, vice president of IBM Security. “It is this trust that gives hackers the opportunity to exploit vulnerabilities like the ones we found in these dating apps.”
Many of the security issues IBM observed are related to granting excessive permissions. This includes the app gaining access to the camera, microphone, storage, GPS location, and even information saved in the mobile wallet. Many developers don’t think through which permissions the apps really need.
There have been reports of flashlight apps which request access to call logs, for example. For the most part, it is sloppy coding and not malicious intent, but excessive permissions can be abused.
Consider the attacker who gets a toehold on a victim’s device by luring the user to download a malicious app, or by conducting a man-in-the-middle attack over an insecure WiFi connection. In such an attack, the hacker intercepts trusted communications between two parties and slips in malicious code.
This hacker would now be able to view everything the vulnerable apps in this study could see.
IBM Security found that nearly three-quarters of the analyzed apps could access current and past GPS data, which means attackers would know where the user lives, works, and spends time. Just under half of the apps exposed billing information saved on the device’s mobile wallet. The information can be used to make unauthorized purchases, IBM Security warns.
Other vulnerabilities included cross-site scripting flaws, debug flags left in production code, and weak random number generators, according to the researchers. Attackers could intercept the dating app’s cookies over an insecure WiFi connection or a rogue wireless access point, and tap into device hardware such as cameras.
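The permission over-reach described above (the flashlight app that asks for the call log) and the debug flags IBM found left in production builds can both be caught by a manifest review before release. As an added example, not taken from the article or from IBM Security, here is a small Python audit that parses an AndroidManifest.xml, compares the requested permissions against the set the app's function justifies, and flags android:debuggable and android:usesCleartextTraffic on the application element. The sample manifest, the expected-permission set for the hypothetical flashlight app, and the table of sensitive permissions are all constructed for illustration.

```python
# Added example (not from the ThirdCertainty/IBM article): audit an Android manifest for
# permissions beyond what the app needs and for debug settings left in a release build.
# The manifest, the expected-permission set and the sensitive-permission table below are
# constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(element, name):
    """Read an android:-namespaced attribute (e.g. android:name) from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


# Permissions that expose device hardware or personal data. The grouping is the
# reviewer's own (assumption), chosen to mirror the categories the article names.
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage",
}


def rate(findings):
    """Rough triage: sensitive over-reach or a debug build is high, other over-reach medium."""
    if findings["sensitive_unexpected"] or findings["debuggable"]:
        return "high"
    if findings["unexpected"] or findings["cleartext_traffic"]:
        return "medium"
    return "low"


def audit_manifest(manifest_xml, expected_permissions):
    """Compare requested permissions against the set the app's function justifies.

    Returns a dict with every requested permission, those outside the expected set,
    the subset of those that touch sensitive data, whether <application> is marked
    debuggable or allows cleartext HTTP, and a coarse severity rating.
    """
    root = ET.fromstring(manifest_xml)
    requested = [_attr(e, "name") for e in root.findall("uses-permission")]
    unexpected = [p for p in requested if p not in expected_permissions]
    sensitive_unexpected = {
        p: SENSITIVE_PERMISSIONS[p] for p in unexpected if p in SENSITIVE_PERMISSIONS
    }
    app = root.find("application")
    debuggable = app is not None and _attr(app, "debuggable") == "true"
    cleartext = app is not None and _attr(app, "usesCleartextTraffic") == "true"
    findings = {
        "requested": requested,
        "unexpected": unexpected,
        "sensitive_unexpected": sensitive_unexpected,
        "debuggable": debuggable,
        "cleartext_traffic": cleartext,
    }
    findings["severity"] = rate(findings)
    return findings


def report(findings):
    """Human-readable lines for a pre-release review checklist."""
    lines = ["severity: %s" % findings["severity"]]
    for perm, what in findings["sensitive_unexpected"].items():
        lines.append("over-broad: %s grants access to the %s" % (perm, what))
    for perm in findings["unexpected"]:
        if perm not in findings["sensitive_unexpected"]:
            lines.append("unexpected: %s" % perm)
    if findings["debuggable"]:
        lines.append("android:debuggable=\"true\" left in release manifest")
    if findings["cleartext_traffic"]:
        lines.append("android:usesCleartextTraffic=\"true\" allows unencrypted HTTP")
    return lines


# Constructed manifest for a hypothetical flashlight app that over-reaches the way the
# article describes (call log, location), with a debug flag and cleartext traffic enabled.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CALL_LOG" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="Flashlight"
                 android:debuggable="true"
                 android:usesCleartextTraffic="true">
    </application>
</manifest>
"""

# What the hypothetical flashlight genuinely needs: CAMERA controls the LED torch on
# older Android versions; INTERNET is accepted here for update checks (assumption).
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA", "android.permission.INTERNET"}

if __name__ == "__main__":
    for line in report(audit_manifest(SAMPLE_MANIFEST, FLASHLIGHT_EXPECTED)):
        print(line)
```

The expected-permission set is the part that needs human judgement: it states what the app's purpose justifies, and anything outside it is a question for the developer rather than an automatic verdict. Re-running the audit on each update is the same check the article recommends users make when an update resets permissions.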
Nearly half of the companies surveyed in this study had employees who used dating apps on the same devices they use for work-related purposes. So a person with control of the user’s microphone or camera could potentially eavesdrop on confidential business meetings or private conversations.
The man-in-the-middle attack can also be used to display a fake alert to trick users into downloading additional malware or a fake login screen to phish account credentials from users. Exposing account credentials for a dating app seems like a small risk compared to losing account credentials for an online banking app.
However, an attacker who can intercept that information can log in to the dating site and hijack the user’s profile to harm the user’s reputation, or use it as part of a social engineering campaign against other individuals.
While IBM Security researchers focused on dating apps, users need to think about how they interact with mobile apps on a broader level. When installing apps, it is important to review permissions the app requests and assess whether the list makes sense. If the permissions requested feel egregious (like the earlier flashlight example), it may be worth looking for a less intrusive app. This check needs to happen whenever the app is updated because many apps reset permissions as part of the process.
While honesty may be the best policy, when it comes to social media and dating apps, users should hold back some information, such as where they work, where they live, and their birthday. Other security best practices apply, such as having unique passwords for every online account and using only trusted Wi-Fi connections.
“Some users may be engaged in a dangerous tradeoff – with increased sharing resulting in decreased personal security and privacy,” says Barlow.