Dating apps a potential corporate vulnerability in BYOD, according to IBM
Wed 11 Feb 2015
In a report that throws cold water on the approaching Valentine’s Day, IBM claims to have discovered exploitable vulnerabilities in 26 out of 41 smartphone dating apps available on Google’s Android mobile platform – and that 50 per cent of BYOD devices in the companies surveyed have dating apps installed on them.
The report states that users have a higher level of trust in messages and interactions that take place on installed mobile apps than they would with similar communications over email, but that this level of confidence is not justified by the apps’ security performance.
The threats identified are all in the ‘medium to high’ category of security risks, and include the potential to activate the end-user’s microphone remotely and leak GPS data, posing risks to private and corporate security.
IBM did not identify the apps in which it found the weaknesses, but has alerted the publishers involved. It also noted that it was not aware of any widespread exploitation of these vulnerabilities.
The vulnerability of dating apps on Android also came to prominence in September 2014, when researchers from the University of New Haven identified serious data leakage vulnerabilities in a slew of mobile dating and social apps including Tinder, Grindr, OkCupid, Instagram and ooVoo.
Using sex and romance as tools of espionage predates current technology by a few thousand years, but even younger online-dating users may remember news of the ILOVEYOU worm which was diffused worldwide from the Philippines by email in 2000.
IBM reports that the point of vulnerability is similar in app usage, where end-users may engage over-eagerly with ‘phishing’-style messages that seek sensitive information or seek to enable the installation of malware.
Since the report is limited to the Android platform, it’s unclear to what extent, if any, the vulnerabilities are related to the security of the Android OS itself.
In 2013 it was revealed that the then-current version of the Tinder dating app was vulnerable to a hack that could leak GPS data, and therefore the location of the end-user. At that time Appthority also found that Tinder’s API was dispensing Facebook IDs and exact dates of birth.
Perhaps the most surprising part of the IBM report is the 50% install base on company-related devices. Last October Tinder hit UK headlines with the disclosure that many of the staff at Buckingham Palace used Tinder and were bringing their hot dates back to palace grounds.