Americans are flocking to online and mobile dating to find that special someone. Unfortunately, more than 60 percent of those matchmaking apps carry medium- to high-severity security vulnerabilities, a fact that channel partners can use to help illustrate emerging dangers for their customers.
A study from Pew Research shows that one in 10 Americans, roughly 31 million people, admit to using a dating site or app. And, the number of people who dated someone they met online grew to 66 percent over the past eight years.
But getting to the heart of the risk, as it were, IBM researchers analyzed 41 of the most popular dating apps and found that not only do a full 63 percent of them have exploitable flaws, but also that a surprisingly large percentage (50 percent) of companies have employees who use dating apps on work devices. And that opens up huge security loopholes in the mobile enterprise space.
A full 26 of the 41 dating apps that IBM analyzed on the Android mobile platform had either medium- or high-severity vulnerabilities, allowing bad actors to use the apps to spread malware, eavesdrop on conversations, track a user’s location or access credit card information.
Some of the specific vulnerabilities identified on the at-risk dating apps include cross-site scripting via man-in-the-middle (MiTM), debug flag enabled, weak random number generator and phishing via MiTM.
For example, hackers could intercept cookies from the app via a Wi-Fi connection or rogue access point, and then tap into other device features such as the camera, GPS, and microphone that the app has permission to access. They also could create a fake login screen via the dating app to capture the user’s credentials, so when the user tries to log in to a website, the information is also shared with the attacker.
Some of the vulnerable apps could be reprogrammed by hackers to send an alert that asks users to click for an update or to retrieve a message that, in reality, is just a ploy to download malware onto their device.
The IBM study also revealed that many of these dating applications have access to additional features on mobile devices, such as the camera, microphone, storage, GPS location and mobile wallet billing information, which in combination with the vulnerabilities may make them a treasure trove for hackers.
It’s a hazardous reality that requires users to rethink the way they use dating apps, especially since many of today’s leading dating apps access personal information.
For instance, IBM found that 73 percent of the 41 popular dating apps analyzed have access to current and past GPS location information. So, hackers can capture a user’s current and past GPS location information to find out where a user lives, works or spends most of their time.
Also, 48 percent of the 41 popular dating apps analyzed have access to a user’s billing information saved on their device. Through poor coding, an attacker could gain access to billing information saved on the device’s mobile wallet through a vulnerability in the dating app and steal the information to make unauthorized purchases.
“Many consumers use and trust their mobile phones for a variety of applications. It is this trust that gives hackers the opportunity to exploit vulnerabilities like the ones we found in these dating apps,” said Caleb Barlow, vice president at IBM Security, in a statement. “Consumers need to be careful not to reveal too much personal information on these sites as they look to build a relationship. Our research demonstrates that some users may be engaged in a dangerous tradeoff – with increased sharing resulting in decreased personal security and privacy.”
Businesses clearly need to be prepared to protect themselves from vulnerable dating apps active inside their infrastructure, especially for bring your own device (BYOD) scenarios. For instance, they should allow employees to only download applications from authorized app stores such as Google Play, iTunes and the corporate app store, and invest in employee cyber-awareness education.