{"id":9732,"date":"2017-10-25T14:37:45","date_gmt":"2017-10-25T10:37:45","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=9732"},"modified":"2019-11-15T15:23:43","modified_gmt":"2019-11-15T11:23:43","slug":"dating-apps-threats","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/dating-apps-threats\/9732\/","title":{"rendered":"Are dating apps safe?"},"content":{"rendered":"<p>Searching for one\u2019s destiny online \u2014 be it a lifelong relationship or a one-night stand \u2014 has been pretty common for quite some time. Dating apps are now part of our everyday life. To find the ideal partner, users of such apps are <a href=\"https:\/\/www.kaspersky.com\/blog\/online-dating-report\/?_ga=2.232545500.257563195.1508426640-1365174779.1500043331\" target=\"_blank\" rel=\"noopener nofollow\">ready to reveal<\/a> their name, occupation, place of work, where they like to hang out, and lots more besides. Dating apps are often privy to things of a rather intimate nature, including the occasional nude photo. But how carefully do these apps handle such data? Kaspersky Lab decided to put them through their security paces.<\/p>\n<p>Our experts <a href=\"https:\/\/securelist.com\/dangerous-liaisons\/82803\/\" target=\"_blank\" rel=\"noopener\">studied the most popular mobile online dating apps<\/a> (Tinder, Bumble, OkCupid, Badoo, Mamba, Zoosk, Happn, WeChat, Paktor), and identified the main threats for users. We informed the developers in advance about all the vulnerabilities detected, and by the time this text was released some had already been fixed, and others were slated for correction in the near future. However, not every developer promised to patch all of the flaws.<\/p>\n<h3>Threat 1. Who are you?<\/h3>\n<p>Our researchers discovered that four of the nine apps they investigated allow potential criminals to figure out who\u2019s hiding behind a nickname based on data provided by users themselves. 
For example, Tinder, Happn, and Bumble let anyone see a user\u2019s specified place of work or study. Using this information, it\u2019s possible to find their social media accounts and discover their real names. Happn, in particular, uses Facebook accounts for data exchange with the server. With minimal effort, anyone can find out the names and surnames of Happn users and other info from their Facebook profiles.<\/p>\n<p>And if someone intercepts traffic from a personal device with Paktor installed, they might be surprised to learn that they can see the e-mail addresses of other app users.<\/p>\n<p>Turns out it is possible to identify Happn and Paktor users in other social media 100% of the time, with a 60% success rate for Tinder and 50% for Bumble.<\/p>\n<h3>Threat 2. Where are you?<\/h3>\n<p>If someone wants to know your whereabouts, six of the nine apps will lend a hand. Only OkCupid, Bumble, and Badoo keep user location data under lock and key. All of the other apps indicate the distance between you and the person you\u2019re interested in. By moving around and logging data about the distance between the two of you, it\u2019s easy to determine the exact location of the \u201cprey.\u201d<\/p>\n<p>Happn not only shows how many meters separate you from another user, but also the number of times your paths have intersected, making it even easier to track someone down. That\u2019s actually the app\u2019s main feature, as unbelievable as we find it.<\/p>\n<h3>Threat 3. Unprotected data transfer<\/h3>\n<p>Most apps transfer data to the server over an SSL-encrypted channel, but there are exceptions.<\/p>\n<p>As our researchers found out, one of the most insecure apps in this respect is Mamba. The analytics module used in the Android version does not encrypt data about the device (model, serial number, etc.), and the iOS version connects to the server over HTTP and transfers all data unencrypted (and thus unprotected), messages included. 
Such data is not only viewable, but also modifiable. For example, it\u2019s possible for a third party to change \u201cHow\u2019s it going?\u201d into a request for money.<\/p>\n<p>Mamba is not the only app that lets you manage someone else\u2019s account on the back of an insecure connection. So does Zoosk. However, our researchers were able to intercept Zoosk data only when uploading new photos or videos \u2014 and following our notification, the developers promptly fixed the problem.<\/p>\n<p>Tinder, Paktor, Bumble for Android, and Badoo for iOS also upload photos via HTTP, which allows an attacker to find out which profiles their potential victim is browsing.<\/p>\n<p>When using the Android versions of Paktor, Badoo, and Zoosk, other details \u2014 for example, GPS data and device info \u2014 can end up in the wrong hands.<\/p>\n<h3>Threat 4. Man-in-the-middle (MITM) attack<\/h3>\n<p>Almost all online dating app servers use the HTTPS protocol, which means that, by checking certificate authenticity, one can shield against <a href=\"https:\/\/securelist.com\/threats\/man-in-the-middle-attack-glossary\/\" target=\"_blank\" rel=\"noopener\">MITM<\/a> attacks, in which the victim\u2019s traffic passes through a rogue server on its way to the bona fide one. The researchers installed a fake certificate to find out if the apps would check its authenticity; if they didn\u2019t, they were in effect facilitating spying on other people\u2019s traffic.<\/p>\n<p>It turned out that most apps (five out of nine) are vulnerable to MITM attacks because they do not verify the authenticity of certificates. And almost all of the apps authorize through Facebook, so the lack of certificate verification can lead to the theft of the temporary authorization key in the form of a token. 
Tokens are valid for 2\u20133 weeks, throughout which time criminals have access to some of the victim\u2019s social media account data in addition to full access to their profile on the dating app.<\/p>\n<h3>Threat 5. Superuser rights<\/h3>\n<p>Regardless of the exact kind of data the app stores on the device, such data can be accessed with superuser rights. This concerns only Android-based devices; malware able to gain root access in iOS is a rarity.<\/p>\n<p>The result of the analysis is less than encouraging: Eight of the nine applications for Android are ready to provide too much information to cybercriminals with superuser access rights. As such, the researchers were able to get authorization tokens for social media from almost all of the apps in question. The credentials were encrypted, but the decryption key was easily extractable from the app itself.<\/p>\n<p>Tinder, Bumble, OkCupid, Badoo, Happn, and Paktor all store messaging history and photos of users together with their tokens. Thus, the holder of superuser access privileges can easily access confidential information.<\/p>\n<h3>Conclusion<\/h3>\n<p>The study showed that many dating apps do not handle users\u2019 sensitive data with sufficient care. 
That\u2019s no reason not to use such services \u2014 you simply need to understand the issues and, where possible, minimize the risks.<\/p>\n<h3>Do\u2019s:<\/h3>\n<ul>\n<li>Using a <a href=\"https:\/\/www.kaspersky.com\/blog\/choose-your-vpn\/\" target=\"_blank\" rel=\"noopener nofollow\">VPN<\/a>;<\/li>\n<li>Installing <a href=\"https:\/\/store.kaspersky.com\/store\/kaspersk\/en_IE\/buy\/productID.320853100\/quantity.1\/Currency.USD?cid=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;affiliate=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">security solutions<\/a> on all of your devices;<\/li>\n<li>Sharing information with strangers only on a need-to-know basis.<\/li>\n<\/ul>\n<h3>Don\u2019ts:<\/h3>\n<ul>\n<li>Adding your social media accounts to your public profile in a dating app; giving your real name, surname, place of work;<\/li>\n<li>Disclosing your e-mail address, be it your personal or work e-mail;<\/li>\n<li>Using dating sites on unprotected Wi-Fi networks.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We are used to entrusting dating apps with our innermost secrets. 
How carefully do they treat this information?<\/p>\n","protected":false},"author":2458,"featured_media":9737,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1225,1485],"tags":[109,1523,296,1524,43],"class_list":{"0":"post-9732","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-special-projects","9":"tag-apps","10":"tag-dating","11":"tag-online-dating","12":"tag-oversharing","13":"tag-privacy"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/dating-apps-threats\/9732\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/dating-apps-threats\/11680\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/dating-apps-threats\/13088\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/dating-apps-threats\/12008\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/dating-apps-threats\/11644\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/dating-apps-threats\/14676\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/dating-apps-threats\/14403\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/dating-apps-threats\/19060\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/dating-apps-threats\/4350\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dating-apps-threats\/19905\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/dating-apps-threats\/9711\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/dating-apps-threats\/9807\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/dating-apps-threats\/8429\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/dating-apps-threats\/15111\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/dating-apps-threats\/18545\/"},{"hreflang":"en-au","url":"ht
tps:\/\/www.kaspersky.com.au\/blog\/dating-apps-threats\/18971\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/dating-apps-threats\/18959\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/online-dating\/","name":"online dating"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9732","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2458"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=9732"}],"version-history":[{"count":4,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9732\/revisions"}],"predecessor-version":[{"id":14801,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9732\/revisions\/14801"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/9737"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=9732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=9732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=9732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}