IBM Report Details Potential Vulnerabilities That Could Compromise Mobile Security

New technology has completely revolutionized the dating process. Many people are using mobile dating applications to find their “special someones.” In fact, a recent Pew Research study found that 1 in 10 Americans have used a dating site or application, and the number of people who have dated someone they met online has grown to 66 percent over the past eight years. Even though many dating applications are relatively new to the market, Pew Research also found that an astonishing 5 percent of Americans who are in a marriage or committed relationship met their significant other online.

As the number of dating applications and registered users grows, so does their attractiveness to potential attackers. Powered by IBM Application Security on Cloud technology, a recent IBM analysis of dating applications revealed the following:

  • Nearly 60 percent of the leading mobile dating applications studied on the Android mobile platform are vulnerable to potential cyberattacks that could put personal user information and organizational data at risk.
  • For 50 percent of enterprises IBM analyzed, employee-installed popular dating applications were present on mobile devices that had access to confidential business data.

The goal of this blog is not to discourage you from using these applications. Rather, its goal is to educate organizations and their users on potential risks and mobile security best practices to use the applications safely.

Potential Exploits in Dating Apps

The vulnerabilities IBM discovered are more powerful than you might suspect. Some of them make it possible for cybercriminals to collect valuable personal information about you. Even though certain applications employ privacy measures, IBM found that many are vulnerable to attacks, which can let cybercriminals do the following:

  • Use GPS Information to Track Your Movements: IBM found that 73 percent of the 41 popular dating applications analyzed have access to current and historical GPS location information. Cybercriminals may capture your current and former GPS location details to find out where you live, work or spend most of your day.
  • Control Your Phone’s Camera or Microphone: Several identified vulnerabilities let cybercriminals gain access to your phone’s camera or microphone even when you aren’t logged in to dating applications. Such vulnerabilities can let attackers spy and eavesdrop on your personal activities or tap into data you capture on your cell phone camera in confidential business meetings.
  • Hijack Your Dating Profile: A cybercriminal can change content and images on your dating profile, impersonate you, communicate with other application users from your account or leak personal information that could tarnish your personal and/or professional reputation.

How Do Attackers Exploit These Vulnerabilities?

Which specific vulnerabilities enable attackers to carry out the exploits mentioned above, permitting them to gain access to your confidential information? IBM’s security researchers determined 26 of the 41 dating applications analyzed on the Android mobile platform either had medium- or high-severity vulnerabilities, which included the following:

  • Cross-Site Scripting Attacks via Man in the Middle: This vulnerability can act as a gateway for attackers to gain access to mobile applications and other features on your devices. It can permit an attacker to intercept cookies and other information from your application via an insecure Wi-Fi connection or rogue access point, and then tap into other device features the app has access to, such as your camera, GPS and microphone.
  • Debug Flag-Enabled Exploits: If the debug flag is enabled on an application, a debugger on the Android device may attach to that debug-enabled application and read or write its memory. The attacker can then intercept information that flows into the application, modify its actions and inject malicious data into it and out of it.
  • Phishing Attacks via Man in the Middle: Attackers can offer up a fake login screen via dating applications to capture your user credentials so that when you try to log in to a site of their choosing, your credentials are disclosed to the attackers without your knowledge. Then, the attacker can reach out to your contacts, pretend to be you and send them phishing messages with malicious code that could potentially infect their devices.
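The debug flag and the excessive device permissions described above are both declared in an app's AndroidManifest.xml, so a reviewer (or an enterprise vetting apps before they reach devices that also hold business data) can check for them statically. The following is an added example, not IBM's code or the output of IBM Application Security on Cloud: it parses a constructed sample manifest for a fictitious app, flags android:debuggable, android:usesCleartextTraffic (plain HTTP that a rogue access point can read and modify) and the permissions behind location, camera and microphone access, and shows the two application settings corrected. It assumes the manifest has already been decoded from the APK's binary XML to plain XML (for example with apktool).

```python
# Added example (not IBM's code): static review of an Android manifest for the
# indicators discussed above: the debug flag, cleartext (MITM-exposed) traffic and
# the permissions behind location, camera and microphone access.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)

# Real Android permission names, mapped to the capability each one grants.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "address book",
}

# Constructed sample manifest for a fictitious app: it ships debuggable, permits
# cleartext HTTP and asks for location, camera and microphone.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.datingapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Example"
        android:debuggable="true"
        android:usesCleartextTraffic="true">
    </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (ElementTree expands the prefix)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def review_manifest(manifest_xml):
    """Return the findings a reviewer would want before approving an app for
    devices that also hold corporate data."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "debuggable": False,
        "cleartext_traffic": False,
        "sensitive_permissions": [],
        "issues": [],
    }
    app = root.find("application")
    if app is not None:
        # android:debuggable="true" lets a debugger attach and read/write app memory.
        if (_android_attr(app, "debuggable") or "false").lower() == "true":
            findings["debuggable"] = True
            findings["issues"].append('application is debuggable (android:debuggable="true")')
        # android:usesCleartextTraffic="true" lets the app talk plain HTTP, which an
        # attacker on the same Wi-Fi or a rogue access point can read and modify.
        if (_android_attr(app, "usesCleartextTraffic") or "false").lower() == "true":
            findings["cleartext_traffic"] = True
            findings["issues"].append('cleartext traffic allowed (android:usesCleartextTraffic="true")')
    for perm in root.findall("uses-permission"):
        name = _android_attr(perm, "name")
        if name in SENSITIVE_PERMISSIONS:
            findings["sensitive_permissions"].append(name)
            findings["issues"].append("requests %s (%s)" % (SENSITIVE_PERMISSIONS[name], name))
    return findings


def harden_manifest(manifest_xml):
    """Return the manifest with the two weak application settings corrected.
    Permissions are left alone: whether an app needs them is a product decision
    that the reviewer should question rather than silently rewrite."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is not None:
        app.set("{%s}debuggable" % ANDROID_NS, "false")
        app.set("{%s}usesCleartextTraffic" % ANDROID_NS, "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, xml_text in (("as shipped", SAMPLE_MANIFEST),
                            ("hardened", harden_manifest(SAMPLE_MANIFEST))):
        result = review_manifest(xml_text)
        print("[%s] %s" % (label, result["package"]))
        for issue in result["issues"]:
            print("  - " + issue)
```

Run stand-alone, the script lists five findings for the manifest as shipped (debuggable, cleartext traffic, and three sensitive permissions) and three for the hardened copy, where only the permission findings remain. Release builds should never carry android:debuggable="true"; the usual cause is a debug build being signed and distributed by mistake, which is exactly the kind of defect a check like this catches before the app is approved for employee devices.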

What Can You Do to Protect Yourself Against These Exploits?

One of the primary challenges with dating apps is that they operate in a different fashion than other social media sites. Most social media sites encourage you to connect with people you already know. By definition, mobile dating applications encourage you to connect with people you don’t already know. So, what can you do to protect yourself?

  • Trust Your Instinct: As the old saying goes, “There are plenty of fish in the sea.” If people you’re engaging with online refuse to provide the same basic information they ask of you; if their photos and profile appear too good to be true; or if their profile information doesn’t seem to align with the type of person with whom you’re communicating, trust your instinct and move on. Until you get to know the person well, resist any efforts to meet him or her anywhere but in a public location with plenty of people around.
  • Keep Your Profile Lean: Don’t divulge too much personal information on these sites. Information such as where you work, your birthday or links to your other social media profiles should be shared only when you’re comfortable with someone.
  • Schedule a Routine “Permission Review”: On a routine basis, you should review your device settings to confirm your security settings haven’t been altered. For example, I once had my cell phone revert to “GPS-enabled” when I upgraded the software on my device, permitting another user to identify my precise geographical location via a chat application. Prior to the upgrade, GPS device-tracking had not been enabled. Thus, you need to be vigilant, because updating your applications can inadvertently reset permissions for device features associated with your address book or GPS data. You should be particularly vigilant after any software upgrade or updates are made.
  • Use Unique Passwords for All Your Online Accounts: Be sure to use unique passwords for every online account you manage. If you use the same password for all your accounts, it can leave you open to multiple attacks should an individual account be compromised. Remember to always use different passwords for your email and chat accounts than for your social media profiles, as well.
  • Patch Immediately: Always apply the latest patches and updates to your applications and devices as soon as they become available. Doing so will address identified bugs in your device and applications, resulting in a more secure online experience.
  • Clean Up Your Contact List: Review the contacts and notes on your devices. Sometimes, users attach passwords and notes about personal and business contacts in their address book, but doing so could prove embarrassing and costly if they fall into the wrong hands.
  • Live Happily Ever After: When you’re fortunate enough to have found your special someone, go back to the dating site and delete or deactivate your profile rather than keeping your personal information available to others. And don’t forget to buy him or her a Valentine’s Day gift this year!

What Can Organizations Do to Protect Their Users?

In addition to encouraging employees to follow safe online practices, organizations need to protect themselves from vulnerable dating apps that are active inside their infrastructure. As noted earlier, IBM found nearly 50 organizations sampled for this research had at least one popular dating app installed on either corporate-owned devices or bring-your-own devices (BYOD). To protect this sensitive data, organizations should consider the following mobile security activities:

  • Protect BYOD Devices: Leverage enterprise mobility management capabilities to enable employees to use their own devices to access the sites while maintaining organizational security.
  • Permit Employees to Download From Authorized App Stores Only: Allow employees to download applications solely from authorized application stores, such as Google Play, the Apple App Store and your organization’s app store, if applicable.
  • Educate Employees About Application Security: Educate employees about the dangers of downloading third-party applications and the potential dangers that can result from weak device permissioning.
  • Act Immediately When a Device Is Compromised: Set automated policies on smartphones and tablets that take immediate action if a device is found compromised or malicious apps are discovered. This approach protects your organization’s data while the issue is remediated.

About This Research

IBM Security analysts from IBM’s Application Security Research team used IBM Application Security on Cloud to analyze the top 41 dating apps available on Android devices to identify vulnerabilities that can leave users open to potential cyberattacks and threats. Those apps were also analyzed to determine the permissions they are granted, unveiling a host of excessive privileges. To understand enterprise adoption of these 41 dating apps, app data was analyzed from IBM MaaS360. In advance of releasing this research to the public, IBM Security disclosed the findings to all affected app vendors identified in the research. A free 30-day trial of IBM Application Security on Cloud is available.
