The majority of top Android dating apps found in the Google Play store have security vulnerabilities that could leave users open to hacking, stalking and credit card number theft, security researchers at IBM have found. Enterprises are also vulnerable, as these apps are frequently found on business-owned devices or on personal devices brought in by employees for work.
IBM Security identified medium- to high-severity vulnerabilities in 63 percent, or 26 out of 41, of the popular dating apps available through Google Play in October of last year. Using IBM's AppScan Mobile Analyzer tool, the researchers found that many apps also granted "a large number of excessive privileges."
"Many consumers use and trust their mobile phones for a variety of applications," said Caleb Barlow, vice president of IBM Security. "It is this trust that gives hackers the opportunity to exploit vulnerabilities like the ones we found in these dating apps.... Our research demonstrates that some users may be engaged in a dangerous tradeoff -- with increased sharing resulting in decreased personal security and privacy."
Millions of Dating Apps Users
We contacted an IBM spokeswoman to learn more about the analysis of mobile dating apps. She said IBM would not identify the companies whose apps were studied so those organizations would not be targeted by hackers.
"We don't want to put a bull's-eye on them," she said. After conducting the analysis, IBM also contacted the app providers to let them know about the vulnerabilities it identified so these could be corrected, she added.
Security flaws in mobile dating apps have the potential to affect millions of people. According to a study conducted by Pew Research in late 2013, 11 percent of people in the U.S. -- including 38 percent of those who describe themselves as "single and looking" -- have used a dating site or app.
A study last year by the cybersecurity firm Synack found vulnerabilities in dating apps like Tinder and Grindr that could let others identify the exact location of users. (A blog post at Synack described the Tinder app as "basically a stalker's dream.") Tinder responded by patching the flaw, while Grindr disabled location tracking by default in countries where homosexuality is illegal to protect gay users.
Stay Up-to-Date on Patches
The new research from IBM found similar concerns with location tracking on dating apps. Of the 41 apps studied, 73 percent provided access to users' current and past GPS data. Such data could be used by hackers to "find out where a user lives, works, or spends most of their time," according to IBM.
Other vulnerabilities could enable malicious actors to access credit card information, hijack a user's dating profile or send users messages or alerts that, when clicked, would install malware onto their devices. And all the vulnerabilities found provided ways to access a device's camera or microphone, meaning attackers could "spy and eavesdrop on users or tap into confidential business meetings."
IBM recommended that, to protect against security risks, dating app users should be careful to use only trusted Wi-Fi connections, limit how much personal information they divulge, check permissions, use unique passwords for each account, and stay up to date on patches and bug fixes. Businesses should also be sure to use mobile threat management tools, keep employees informed about potential risks, and act quickly when security breaches are discovered.
Posted: 2015-02-11 @ 10:29am PT
Just Android itself is a security threat.