More than 60% of a sample of the most popular Android mobile dating apps have security or privacy flaws, which could leave users open to attack and put corporate data on BYOD handsets at risk, according to IBM Security.
In October last year, the firm ran 41 leading applications available on Google Play through its AppScan Mobile Analyzer, and found that a worrying 26 had medium or high severity vulnerabilities.
Specifically, it found that 73% of the apps had access to current and historical GPS data, which could allow hackers to track users’ movements. IBM also claimed to have found several flaws which could allow attackers to eavesdrop on users by accessing the camera or mic, or even hijack a user’s profile.
The research pointed to man-in-the-middle (MITM) flaws which could enable attackers to craft fake login pages, giving them access to the user’s account, from which they could spam out phishing messages loaded with malware.
IBM Security also warned of cross-site scripting via MITM, made possible by an insecure Wi-Fi connection or rogue access point. This could potentially allow an attacker to access features available to the dating app, such as camera, GPS and microphone.
Another potential flaw flagged by IBM relates to the debug flag function:
“If Debug Flag is enabled on an application, it means a debug-enabled application on an Android device may attach to another application and read or write to the application’s memory. The attacker can then intercept information that flows into the application, modify its actions and inject malicious data into it and out of it.”
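As an added illustration of the flag the quote refers to (not code from IBM or the article), the following script checks a decoded, text-form AndroidManifest.xml, such as one produced by apktool, for an `android:debuggable="true"` attribute on the `<application>` element; the sample manifest and package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not a real app) that shipped with the debug flag on.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.datingapp">
    <application android:label="Example" android:debuggable="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""


def is_debuggable(manifest_xml: str) -> bool:
    """Return True if <application> carries android:debuggable="true".

    The attribute defaults to false when absent, so only an explicit "true"
    counts. A release build should never set it: with it on, any process
    with debugging rights on the device can attach to the app's process.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get("{%s}debuggable" % ANDROID_NS, "false")
    return value.strip().lower() == "true"


def audit_manifest(manifest_xml: str) -> list:
    """Return a list of findings for one manifest; an empty list means clean."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown package>")
    findings = []
    if is_debuggable(manifest_xml):
        findings.append(
            "%s: android:debuggable is true; a debugger can attach and "
            "read or write the app's memory at runtime" % package
        )
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

Run it against each decoded app manifest in an MDM-approved app catalogue to catch builds that shipped with the flag left on.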
The flaws present not only a danger to users’ personal information but also corporate data.
In half of the organizations IBM analyzed, employees had installed dating apps on devices which also accessed sensitive enterprise information.
The vendor advised organizations to roll out mobile device management capabilities; restrict which apps staff can download and from where; improve employee awareness of the dangers of unauthorized apps; and set automated policies which take immediate action in the event of a compromise.
IBM's CTO of mobile, Martin Gale, told Infosecurity that password, biometric or two-factor schemes could be implemented on devices to lock down access control for apps.
"BYOD is part of it but not the only risk - corporate supplied devices can still introduce vulnerabilities unless you have the right tools and management policies in place to secure your assets," he added. "You wouldn't roll out 1,000 iPads with no controls over them, for example."
Organizations should also consider the security of the app code deployed onto the devices, so that vulnerabilities introduced during development don't make it easier for attackers to steal data and transactions through tampering or reverse engineering, said Gale.