For example, hackers could intercept cookies from the app via a WiFi connection or rogue access point, and then tap into other device features such as the camera, GPS and microphone that the app has permission to access. They also could create a fake log-in screen via the dating app to capture the user's credentials, so when the user tries to log into a Website, the information is also shared with the attacker.
Although IBM discovered a number of vulnerabilities in more than 60 percent of popular Android dating apps, both consumers and businesses can take steps to protect themselves against potential threats.
For instance, users can be mysterious. They should not divulge too much personal information on these sites such as where you work, their birthday or social media profiles until they are comfortable with the person they are engaging with via the app. Users also should figure out if they want to use an app by checking the permissions it asks for by viewing the settings on their mobile device. When updating, apps often automatically reset the permissions determining what phone features they have access to, like the user's address book or GPS data.
In addition, users should use unique passwords for every online account they have. If they use the same password for all their accounts, it can leave them open to multiple attacks if one account is compromised.
Moreover, users can protect themselves better by always applying the latest patches and updates to their apps and their device when they become available. This will fix any identified bugs in the device and applications, resulting in a more secure experience. And finally, users should use only trusted WiFi connections when on their dating app. Hackers use fake WiFi access points that connect users directly to their device to execute these types of attacks. Many of the vulnerabilities found in this research can be exploited via WiFi.
Those protections may be fine for individuals, but businesses also need to be prepared to protect themselves from vulnerable dating apps active inside their infrastructure, especially for bring-your-own-device (BYOD) scenarios. IBM found that nearly 50 percent of organizations sampled for this research have at least one of these popular dating apps installed on corporate-owned or personal mobile devices used for work.
To protect confidential corporate assets, businesses should leverage enterprise mobility management (EMM) offerings with mobile threat management (MTM) capabilities to enable employees to utilize their own devices while still maintaining the security of the organization. They also should only allow employees to download applications from authorized app stores such as Google Play, iTunes and the corporate app store.
Also, education is key in security situations. Enterprises should educate employees to know the dangers of downloading third-party applications and what it means when they grant that app specific device permissions. With that understood, businesses must instill in their workers that they must immediately communicate potential threats. Businesses should set automated policies on smartphones and tablets, which take immediate action if a device is found compromised or malicious apps are discovered. This enables protection to corporate resources while the issue is remediated.
In conducting this study, IBM Security analysts from the IBM Application Security Research team used its new IBM AppScan Mobile Analyzer tool to analyze the top 41 dating apps available on Android devices to identify vulnerabilities that can leave users open to potential cyber-attacks and threats. These apps were also analyzed to determine the granted permissions, unveiling a large number of excessive privileges. To understand enterprise user adoption of these 41 dating apps, app data was analyzed from IBM MobileFirst Protect, formerly MaaS360. In advance of releasing this research to the public, IBM Security disclosed all impacted apps to vendors identified with this research.