A San Francisco-based security startup has warned Tinder about flaws in its app that allow hackers to disassemble and rebuild the software to dodge paying for its premium services.
Bluebox Security has reached out to the popular dating app after creating a duplicate app that enabled them to use Tinder Plus features, like unlimited “swipes” and its “undo” button for free.
To do so, Bluebox’s researchers intercepted the traffic between the app and Tinder’s server in order to find the activity and messages that identified whether a user was paying for the premium features.
According to the startup, the process was made easier because some of the premium services were operated from within the application, as opposed to being handled on the server side.
This ultimately makes it easier for hackers to make the necessary changes, since they only need to swap out certain parts of the app’s code rather than defeat a check on the server.
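The distinction the article draws (entitlement decided inside the app versus on the server) is easiest to see side by side. The following is an added illustration, not Bluebox’s or Tinder’s code: a constructed in-memory model in which `ClientSideGate` keeps the “Plus” flag in app state, while `EntitlementServer` ignores anything the client claims and consults its own subscription record. The class names, the `FREE_DAILY_SWIPES` limit and the account data are all assumptions made for the example.

```python
"""Client-side versus server-side enforcement of premium entitlements.

Constructed illustration (not the real Tinder API): the same two actions,
"swipe" and "undo", gated first by a flag that lives in the app, then by
a server that treats its own subscription record as the only authority.
"""
from dataclasses import dataclass

FREE_DAILY_SWIPES = 100  # constructed limit for the example, not a real figure


class ClientSideGate:
    """The pattern the article warns about: the entitlement is a field in app
    state. Whatever the app believes about itself decides what the user gets,
    so the server never sees a check it could refuse."""

    def __init__(self, plus: bool = False):
        self.plus = plus
        self.swipes_today = 0

    def swipe(self) -> bool:
        if not self.plus and self.swipes_today >= FREE_DAILY_SWIPES:
            return False
        self.swipes_today += 1
        return True

    def undo(self) -> bool:
        return self.plus


@dataclass
class Account:
    user_id: str
    plus_until_day: int  # last day (as a day number) the subscription is valid; 0 = never
    swipes_today: int = 0


class EntitlementServer:
    """Server-side enforcement: every premium action is decided here from the
    server's own record. The client may send a 'plus' claim with the request,
    but it is accepted as a parameter only so the code can show it being ignored."""

    def __init__(self, accounts, today: int):
        self.accounts = {a.user_id: a for a in accounts}
        self.today = today

    def is_plus(self, user_id: str) -> bool:
        # The subscription record, not the request, is authoritative.
        return self.accounts[user_id].plus_until_day >= self.today

    def swipe(self, user_id: str, client_claims_plus: bool = False) -> dict:
        del client_claims_plus  # deliberately unused: the claim carries no weight
        acct = self.accounts[user_id]
        if not self.is_plus(user_id) and acct.swipes_today >= FREE_DAILY_SWIPES:
            return {"ok": False, "reason": "daily_limit"}
        acct.swipes_today += 1
        remaining = None if self.is_plus(user_id) else FREE_DAILY_SWIPES - acct.swipes_today
        return {"ok": True, "remaining": remaining}

    def undo(self, user_id: str, client_claims_plus: bool = False) -> dict:
        del client_claims_plus  # same: ignored on purpose
        if not self.is_plus(user_id):
            return {"ok": False, "reason": "requires_plus"}
        return {"ok": True}


def compare_models() -> dict:
    """Run both models with an account that has no subscription but whose app
    state has been altered to say it does. Returns what each model granted."""
    tampered_client = ClientSideGate(plus=True)  # the flag flipped in app state
    server = EntitlementServer(
        [Account("free_user", 0), Account("paid_user", 20_000)], today=19_000
    )
    return {
        "client_side_undo": tampered_client.undo(),
        "server_side_undo_free": server.undo("free_user", client_claims_plus=True)["ok"],
        "server_side_undo_paid": server.undo("paid_user")["ok"],
    }


if __name__ == "__main__":
    print(compare_models())
```

The point of `compare_models` is the asymmetry it returns: the client-side gate grants the premium action as soon as its own field says so, whereas the server keeps answering from the subscription record no matter what the request asserts. A detection angle follows from the same design: when the server owns the decision, a free account that suddenly submits “undo” or exceeds its swipe budget shows up as a refused request in server logs, which the client-side model never produces.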
In a statement, Bluebox said: “When the “Plus” subscription became available, Tinder quickly jumped hundreds of spots to rank near the top for overall app revenue rankings.
“Bluebox determined that some of the “Plus” features are managed and controlled, unprotected, in the mobile app code, leaving them exposed to hackers.
“Altering the app code granted at least half of the premium features to the user, but did not grant the account full “Plus” status.”
However, Tinder were quick to dismiss this information as insignificant, with spokesperson Rosette Pambakian saying: “Bluebox’s findings have an inconsequential to zero impact on Tinder and its revenue because virtually no one has the capability to do this.”
Tinder currently charges users between $9.99 and $19.99 a month to use Tinder Plus.
While there is a minimal chance of Tinder users having the skills required to make such modifications, there is a risk that a professional hacker could create such an app and sell it on “unsanctioned” app stores, Bluebox said.
The company also found similar problems with US streaming service Hulu, after finding that it could recreate the application to eliminate ads – a feature which normally costs users $11.99.
Since publicising its findings, Bluebox has offered companies some advice about how to ensure that their products are secure.
It said: “Enterprises should not rely on the device manufacturers, the app stores, or even app developers to ensure mobile apps are secure.
“In order to protect corporate revenue and brand, enterprises must create mobile apps that can defend themselves.
“Bluebox routinely examines the state of security for popular mobile apps, and the results consistently show that mobile app security is almost non-existent.
“Mobile apps that contain even basic security measures, such as anti-tampering controls and encryption of app data, are few and far between.”