Internet related News · 2015-02-12

Many dating apps easy prey for hackers, says IBM study

For those of you who are “heavy” users of dating apps, here’s a note of caution. A new study by IBM noted that many of those applications also have access to additional features on mobile devices such as the camera, microphone, storage, GPS location & mobile wallet billing information, which, in combination with the vulnerabilities that already exist, may make them highly prone to hacking.

IBM also found that nearly 50% of organizations analyzed had at least 1 of these popular dating apps installed on mobile devices used to access business information.

IBM said in today’s “connected” culture, it was now common for people to use dating apps. In fact, a Pew Research study had revealed that 1 in 10 Americans, or about 31 million people, had used a dating site or app. The number of people who dated someone they met online had gone up to 66%.

“Many consumers use and trust their mobile phones for a variety of applications. It is this trust that gives hackers the opportunity to exploit vulnerabilities like the ones we found in these dating apps,” said Caleb Barlow, Vice President, IBM Security, in a written statement. “Consumers need to be careful not to reveal too much personal information on these sites as they look to build a relationship. Our research demonstrates that some users may be engaged in a dangerous tradeoff – with increased sharing resulting in decreased personal security and privacy.”

Security researchers from IBM Security had identified that 26 of the 41 dating apps they had analyzed on the Android mobile platform had either medium or high severity vulnerabilities. The analysis was done based on apps available in the Google Play app store in October 2014.

The vulnerabilities discovered by IBM Security make it possible for a hacker to gather valuable personal information about a user.

 

While some apps have privacy measures in place, IBM found many were vulnerable to attacks that could lead to the following scenarios:

  • Dating App Used to Download Malware: Users let their guard down when they anticipate receiving interest from a potential date. That’s just the sort of moment that hackers thrive on. Some of the vulnerable apps could be reprogrammed by hackers to send an alert that asks users to click for an update or to retrieve a message that, in reality, is just a ploy to download malware onto their device.
  • GPS Information Used to Track Movements: IBM found 73% of the 41 popular dating apps analyzed had access to current and past GPS location information. Hackers can capture a user’s current and past GPS location information to find out where a user lives, works, or spends most of their time.
  • Credit Card Numbers Stolen From App: 48% of the 41 popular dating apps analyzed had access to a user’s billing information saved on their device. Through poor coding, an attacker could gain access to billing information saved on the device’s mobile wallet through a vulnerability in the dating app and steal the information to make unauthorized purchases.
  • Remote Control of a Phone’s Camera or Microphone: All the vulnerabilities identified could allow a hacker to gain access to a phone’s camera or microphone even if the user was not logged into the app. That meant an attacker could spy & eavesdrop on users or tap into confidential business meetings.
  • Hijacking of Your Dating Profile: A hacker could change content & images on the dating profile, impersonate the user and communicate with other app users, or leak personal information externally to affect the reputation of a user’s identity. This posed a risk to other users, as well, since a hijacked account could be used by an attacker to trick other users into sharing personal and potentially compromising information.

Some of the specific vulnerabilities identified on the at-risk dating apps include:

  • cross-site scripting via man-in-the-middle
  • debug flag enabled
  • weak random number generator
  • phishing via man-in-the-middle

When these vulnerabilities are exploited, an attacker can potentially use the mobile device to conduct attacks, the report cautioned.

Steps to protect against dating app hacks: IBM

What Can Consumers Do?

  • Be Mysterious: Don’t divulge too much personal information on these sites such as where you work, birthday or social media profiles until you’re comfortable with the person you are engaging with via the app.
  • Permission Fitness: Figure out if you want to use an app by checking the permissions it asks for by viewing the settings on your mobile device. When updating, apps often automatically reset the permissions determining what phone features they have access to, like your address book or GPS data.
  • Keep it Unique: Use unique passwords for every online account you have. If you use the same password for all your accounts, it can leave you open to multiple attacks if one account is compromised.
  • Punctual Patching: Always apply the latest patches and updates to your apps & your device when they become available. This will fix any identified bugs in your device and applications, resulting in a more secure experience.
  • Trusted Connections: Use only trusted Wi-Fi connections when on your dating app. Hackers love using fake Wi-Fi access points that connect you directly to their device to execute these types of attacks. Many of the vulnerabilities found in this research can be exploited via Wi-Fi.

What Can Enterprises Do?

Businesses also need to be prepared to protect themselves from vulnerable dating apps active inside their infrastructure, especially for Bring Your Own Device (BYOD) scenarios. IBM found that nearly 50% of organizations sampled for this research had at least one of these popular dating apps installed on corporate-owned or personal mobile devices used for work. To protect confidential corporate assets, businesses should:

  • Adopt the Right Protection: Leverage Enterprise Mobility Management (EMM) offerings with mobile threat management (MTM) capabilities to enable employees to utilize their own devices while still maintaining the security of the organization.
  • Define Downloadable Apps: Allow employees to only download applications from authorized app stores such as Google Play, iTunes, and the corporate app store.
  • Education is Key: Educate employees to know the dangers of downloading third party applications and what it means when they grant that app specific device permissions.
  • Immediately Communicate Potential Threats: Set automated policies on smartphones and tablets that take immediate action if a device is found compromised or malicious apps are discovered. This protects corporate resources while the issue is remediated.

For more information on this research, please visit: www.securityintelligence.com/datingapps

Graphic Credit: Pixteller