IBM Report Details Potential Vulnerabilities That Could Compromise Mobile Security

New technology has completely revolutionized the dating process. Many people are using mobile dating applications to find their “special someones.” In fact, a recent Pew Research study found that 1 in 10 Americans have used a dating site or application, and the number of people who have dated someone they met online has grown to 66 percent over the past eight years. Even though many dating applications are relatively new to the market, Pew Research also found that an astonishing 5 percent of Americans who are in a marriage or committed relationship met their significant other online.

As the number of dating applications and registered users grows, so does their attractiveness to potential attackers. Powered by IBM Application Security on Cloud technology, a recent IBM analysis of dating applications revealed the following:

  • Nearly 60 percent of leading mobile dating applications they studied on the Android mobile platform are vulnerable to potential cyberattacks that could put personal user information and organizational data at risk.
  • For 50 percent of enterprises IBM analyzed, employee-installed popular dating applications were present on mobile devices that had access to confidential business data.

The goal of this blog is not to discourage you from using these applications. Rather, its goal is to educate organizations and their users on potential risks and mobile security best practices to use the applications safely.

Potential Exploits in Dating Apps

The vulnerabilities IBM discovered are more powerful than you might suspect. Some of them make it possible for cybercriminals to collect valuable personal information about you. Even though certain applications employ privacy measures, IBM found that many are vulnerable to attacks, which can let cybercriminals do the following:

  • Use GPS Information to Track Your Movements: IBM found that 73 percent of the 41 popular dating applications analyzed have access to current and historical GPS location information. Cybercriminals may capture your current and former GPS location details to find out where you live, work or spend most of your day.
  • Control Your Phone’s Camera or Microphone: Several identified vulnerabilities let cybercriminals gain access to your phone’s camera or microphone even when you aren’t logged in to dating applications. Such vulnerabilities can let attackers spy and eavesdrop on your personal activities or tap into data you capture on your cell phone camera in confidential business meetings.
  • Hijack Your Dating Profile: A cybercriminal can change content and images on your dating profile, impersonate you, communicate with other application users from your account or leak personal information that could tarnish your personal and/or professional reputation.

How Do Attackers Exploit These Vulnerabilities?

Which specific vulnerabilities enable attackers to carry out the exploits mentioned above, permitting them to gain access to your confidential information? IBM’s security researchers determined 26 of the 41 dating applications analyzed on the Android mobile platform either had medium- or high-severity vulnerabilities, which included the following:

  • Cross-Site Scripting Attacks via Man in the Middle: This vulnerability can act as a gateway for attackers to gain access to mobile applications and other features on your devices. It can permit an attacker to intercept cookies and other information from your application via an insecure Wi-Fi connection or rogue access point, and then tap into other devices features the app has access to, such as your camera, GPS and microphone.
  • Debug Flag-Enabled Exploits: If Debug Flag is enabled on an application, it means a debug-enabled application on an Android device may attach to another application and read or write to the application’s memory. The attacker can then intercept information that flows into the application, modify its actions and inject malicious data into it and out of it.
  • Phishing Attacks via Man in the Middle: Attackers can offer up a fake login screen via dating applications to capture your user credentials so that when you try to log in to a site of their choosing, your credentials are disclosed to the attackers without your knowledge. Then, the attacker can reach out to your contacts, pretend to be you and send them phishing messages with malicious code that could potentially infect their devices.

What Can You Do to Protect Yourself Against These Exploits?

One of the primary challenges with dating apps is that they operate in a different fashion than other social media sites. Most social media sites encourage you to connect with people you already know. By definition, mobile dating applications encourage you to connect with people you don’t already know. So, what can you do to protect yourself?

  • Trust Your Instinct: As the old saying goes, “There are plenty of fish in the sea.” If people you’re engaging with online refuse to provide the same basic information they ask of you; if their photos and profile appear too good to be true; or if their profile information doesn’t seem to align with the type of person with whom you’re communicating, trust your instinct and move on. Until you get to know the person well, resist any efforts to meet him or her anywhere but in a public location with plenty of people around.
  • Keep Your Profile Lean: Don’t divulge too much personal information on these sites. Information such as where you work, your birthday or links to your other social media profiles should be shared only when you’re comfortable with someone.
  • Schedule a Routine “Permission Review:” On a routine basis, you should review your device settings to confirm your security settings haven’t been altered. For example, I once had my cell phone revert to “GPS-enabled” when I upgraded the software on my device, permitting another user to identify my precise geographical location via a chat application. Prior to the upgrade, GPS device-tracking had not been enabled. Thus, you need to be vigilant, because updating your applications can inadvertently reset permissions for device features associated with your address book or GPS data. You should be particularly vigilant after any software upgrade or updates are made.
  • Use Unique Passwords for All Your Online Accounts: Be sure to use unique passwords for every online account you manage. If you use the same password for all your accounts, it can leave you open to multiple attacks should an individual account be compromised. Remember to always use different passwords for your email and chat accounts than for your social media profiles, as well.
  • Patch Immediately: Always apply the latest patches and updates to your applications and devices as soon as they become available. Doing so will address identified bugs in your device and applications, resulting in a more secure online experience.
  • Clean Up Your Contact List: Review the contacts and notes on your devices. Sometimes, users attach passwords and notes about personal and business contacts in their address book, but doing so could prove embarrassing and costly if they fall into the wrong hands.
  • Live Happily Ever After: When you’re fortunate enough to have found your special someone, go back to the dating site and delete or deactivate your profile rather than keeping your personal information available to others. And don’t forget to buy him or her a Valentine’s Day gift this year!

What Can Organizations Do to Protect Their Users?

In addition to encouraging employees to follow safe online practices, organizations need to protect themselves from vulnerable dating apps that are active inside their infrastructure. As referred to earlier, IBM found nearly 50 organizations sampled for this research had at least one popular dating app installed on either corporate-owned devices or bring-your-own devices (BYOD). To protect this sensitive data, organizations should consider the following mobile security activities:

  • Protect BYOD Devices: Leverage enterprise mobility management capabilities to enable employees to use their own devices to access the sites while maintaining organizational security.
  • Permit Employees to Download From Authorized App Stores Only: Allow employees to download applications solely from authorized application stores, such as Google Play, the Apple App Store and your organization’s app store, if applicable.
  • Educate Employees About Application Security: Educate employees about the dangers of downloading third-party applications and the potential dangers that can result from weak device permissioning.
  • Act Immediately When a Device Is Compromised: Set automated policies on smartphones and tablets that take immediate action if a device is found compromised or malicious apps are discovered. This approach protects your organization’s data while the issue is remediated.

About This Research

IBM Security analysts from IBM’s Application Security Research team used IBM Application Security on Cloud to analyze the top 41 dating apps available on Android devices to identify vulnerabilities that can leave users open to potential cyberattacks and threats. Those apps were also analyzed to determine the granted permissions, unveiling a host of excessive privileges. To understand enterprise adoption of these 41 dating apps, app data was analyzed from IBM MaaS360. In advance of releasing this research to the public, IBM Security disclosed all affected app vendors identified with the research. To try a free 30-day trial of IBM Application Security on Cloud, please click here.

More from Software Vulnerabilities

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today