New Kaspersky Lab Publishes Research On Security Deficiencies Of The Most Popular Online Dating Apps

The most popular online dating apps can be used by cybercriminals to discern the personal details of users, according to new research.

Security researchers Kaspersky Lab recently undertook analysis of a number of popular dating platforms: Tinder, Bumble, OkCupid, Badoo, Mamba, Zoosk, Paktor, Happn and WeChat.

The Kaspersky team looked at whether these apps had security vulnerabilities related to various personal information such as location, real name, email address, pictures, data and app files.

To start with, they looked at the topic of how easy it was to track users with the data available in the app.

The analysis found that if the app included an option to reveal your place of work, it was “fairly easy” to match that person’s name and their social network profile.

This was made easier in apps like Tinder, Happn and Bumble, where users can add information about their job and education, the Kaspersky team identifying users’ pages on social media sites like Facebook and LinkedIn in 60% of cases when they had this information.

Kaspersky Lab

Writing in a blog post, the team said: “Discovering a user’s profile on a social network also means other app restrictions, such as the ban on writing each other messages, can be circumvented.

“Some apps only allow users with premium (paid) accounts to send messages, while others prevent men from starting a conversation. These restrictions don’t usually apply on social media, and anyone can write to whomever they like.”

On Happn’s Android version, they found that within the user data the server sends to the app, there is the parameter fb_id, a specifically generated identification number for the Facebook account.

The researchers found that by modifying this request, you are able to find out the name of any Happn users viewed from this.

For the rest of the apps, where details were limited to photos, age, first name or nickname, the researchers could not find any accounts for people on social networks using just this information.

They also discovered that Paktor allows you to discover email addresses if you intercept its traffic, meaning that “an attacker can end up with the email addresses not only of those users whose profiles they viewed but also for other users”.

The report says this is found in both the Android and iOS versions of the app, and that Paktor’s developers have been notified.

Elsewhere, the Kaspersky team found that “most of the apps” in its research were vulnerable to disclosing locations, in particular Tinder, Mamba, Zoosk, Happn, WeChat and Paktor.

Explaining how this can be done, the researchers explained in a blog post: “The attack is based on a function that displays the distance to other users, usually to those whose profile is currently being viewed.

“Even though the application doesn’t show in which direction, the location can be learned by moving around the victim and recording data about the distance to them.

“This method is quite laborious, though the services themselves simplify the task: an attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner.”

Kaspersky Lab

One of the most interesting aspects of the wide-ranging report was to do with encryption of the data the various dating apps exchange with their servers.

The analysis found that although most of the applications use SSL when communicating with a server, some things remain unencrypted – for example, Tinder, Paktor, Bumble for Android and the iOS version of Badoo upload photos in an unencrypted HTTP format.

According to the report, Mamba “stands apart” in that it loads information about device to the server in an unencrypted format and connects to the server using the unencrypted HTTP protocol.

Similar issues were found with Zoosk, but after being informed, the developers fixed it.

The report also speaks about vulnerabilities with regards to withstanding MITM attacks, superuser rights and tokens.

In summation, the researchers shared the following table, and the corresponding graph key.

Kaspersky Lab
Their conclusion read: “As you can see from the table, some apps practically do not protect users’ personal information. However, overall, things could be worse, even with the proviso that in practice we didn’t study too closely the possibility of locating specific users of the services.

“Of course, we are not going to discourage people from using dating apps, but we would like to give some recommendations on how to use them more safely.

“First, our universal advice is to avoid public Wi-Fi access points, especially those that are not protected by a password, use a VPN, and install a security solution on your smartphone that can detect malware.

“These are all very relevant for the situation in question and help prevent the theft of personal information. Secondly, do not specify your place of work, or any other information that could identify you.”

Read more here.