IBM Security found that over 60% of leading Android dating mobile apps they studied are potentially vulnerable to a variety of cyber-attacks that put personal user information and corporate data at risk.
Some of the specific vulnerabilities identified on the at-risk dating apps include cross site scripting via man in the middle, debug flag enabled, weak random number generator and phishing via man in the middle. When these vulnerabilities are exploited an attacker can potentially use the mobile device to conduct attacks.
Many of these dating applications have access to additional features on mobile devices such as the camera, microphone, storage, GPS location and mobile wallet billing information, which in combination with the vulnerabilities may make them exploitable to hackers.
Nearly 50% of organizations have at least one of these employee-installed popular dating apps on mobile devices used to access confidential business information.
In today’s connected culture, dating apps are a common and convenient way for singles of all ages to meet new love interests. In fact, a Pew Research study revealed one in 10 Americans have used a dating site or app and the number of people who dated someone they met online grew to 66% over the past eight years.
Security researchers from IBM Security identified that 26 of the 41 dating apps they analyzed on the Android mobile platform had either medium or high severity vulnerabilities. The analysis was done based on apps available in the Google Play app store in October 2014.
While some apps have privacy measures in place, many are vulnerable to attacks that could lead to the following scenarios:
Dating app used for malware: The anticipation of receiving interest from a potential new date is just the sort of moment, when users let their guard down, that hackers thrive on. Some of the vulnerable apps could be reprogrammed by hackers to send what seems like a message that asks users to click for an update or to retrieve a message that, in reality, is just a ploy to download malware onto their device.
GPS information used to track movements: IBM found 73% of the 41 popular dating apps analyzed have access to current and past GPS location information. Hackers can capture a user’s current and past GPS location information to find out where a user lives, works, or spends most of their time.
Steal credit card numbers from app: 48% of the 41 popular dating apps analyzed have access to a user’s billing information saved on their device. Through poor coding, an attacker could gain access to billing information saved on the device’s mobile wallet through a vulnerability in the dating app and steal the information to make unauthorized purchases.
Take control of a phone’s camera or microphone: All vulnerabilities identified can allow a hacker to gain access to a phone’s camera or microphone even if the user is not logged into the app. This means, an attacker can spy and eavesdrop on users or tap into confidential business meetings.
Hacker can hijack your dating profile: A hacker can change content and images on the dating profile, impersonate the user and communicate with other app users, or leak personal information externally to affect the reputation of a user’s identity. This poses a risk to other users, as well, since a hijacked account can be used by an attacker to trick other users into sharing personal and potentially compromising information.
What can consumers do?
Be mysterious: Don’t divulge too much personal information on these sites such as where you work, birthday or social media profiles until you’re comfortable with the person you are engaging with via the app.
Permission fitness: Figure out if you want to use an app by checking the permissions it asks for by viewing the settings on your mobile device. When updating, apps often automatically reset the permissions determining what phone features they have access to, like your address book or GPS data.
Keep it unique: Use unique passwords for every online account you have. If you use the same password for all your accounts it can leave you open to multiple attacks if one account is compromised.
Punctual patching: Always apply the latest patches and updates to your apps and your device when they become available. This will fix any identified bugs in your device and applications, resulting in a more secure experience.
Trusted connections: Use only trusted Wi-Fi connections when on your dating app. Hackers love using fake Wi-Fi access points that directly connect you to their device instead to execute these types of attacks. Many of the vulnerabilities found in this research can be exploited via Wi-Fi.