Seeking romance can lead to courting from crooks

Feb 12, 2015 10:50 GMT

Users of online dating services on Android are at risk of losing sensitive personal information to cybercriminals exploiting different vulnerabilities in the mobile apps.

A study on 41 such apps has found that in 63% of the cases the product is shipped with a flaw that can be leveraged in some way by a malicious actor.

Localization, eavesdropping and profile hijacking

The threat extends beyond the personal space of the user and into the enterprise environment, as many individuals often install the dating apps on mobile devices that have access to confidential business information.

The research, carried out by IBM, determined that the security flaws present in popular dating apps for Android could be taken advantage of to track a user’s movements, access the microphone or camera of the device, or hijack the dating profile.

“IBM found that 73 percent of the 41 popular dating applications analyzed have access to current and historical GPS location information,” a report from the company said on Wednesday.

These details come in handy if cybercriminals seek information on the whereabouts of a target within a certain timeframe, which can reveal the target's workplace or home address.

Having access to the video and audio components of the device is also useful in targeted attacks, as they can be used to spy on the victim in order to gather more details. IBM says that this feat can be accomplished even if the user is not logged into the dating app.

Another risk stemming from the buggy dating products is that of having the dating profile hijacked. This allows a third party to impersonate the victim and connect with others in an attempt to dupe them into spilling personal data, financial information or even sending money to the crook.

Avoiding compromise may be time-consuming but not difficult

The security researchers from IBM discovered that 26 of the apps analyzed had medium or high severity security issues that permitted cross-site scripting (XSS) or phishing attacks via the man-in-the-middle (MitM) technique.

Debug Flag-enabled exploits are also on the list. If the flag is turned on, a debug-enabled app could attach to another and thus gain access to the data read or written in its memory. This is a powerful attack because attackers could intercept the information and modify it to suit nefarious purposes.
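As an added illustration, not code from the article or from IBM's study, the following Python script shows how a defender can check an Android app for the two points raised above: the debuggable flag and the location, camera and microphone permissions. It assumes the manifest has already been decoded to plain XML (for example with apktool) and runs on a constructed sample manifest for a hypothetical package.

```python
"""Audit a decoded AndroidManifest.xml for a debuggable flag and for
access to GPS location, camera and microphone. Added example, not code
from the article or from IBM; assumes a manifest already decoded to
plain XML (e.g. by apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that grant the capabilities discussed: GPS, camera, microphone.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return the package name, whether the app is debuggable, and which
    sensitive capabilities its requested permissions grant."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    debuggable = False
    if app is not None:
        # android:debuggable defaults to false when the attribute is absent.
        value = app.get(f"{{{ANDROID_NS}}}debuggable", "false")
        debuggable = value.lower() == "true"
    requested = {p.get(f"{{{ANDROID_NS}}}name")
                 for p in root.findall("uses-permission")}
    sensitive = sorted(SENSITIVE_PERMISSIONS[p] for p in requested
                       if p in SENSITIVE_PERMISSIONS)
    return {"package": root.get("package"),
            "debuggable": debuggable,
            "sensitive_access": sensitive}


# Constructed sample manifest for a hypothetical dating app (not a real package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.datingapp">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Dating" android:debuggable="true"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A manifest that reports `debuggable` as true in a release build is a shipping defect on its own, independent of which permissions the app requests.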

The recommendations for keeping safe from a potential compromise include publishing as little personal info as possible on the dating profile, routinely checking the security settings of the device in search of suspicious modifications, relying on unique account access passwords, and applying the latest software updates as soon as they are available.