Dating app security flaws could jeopardize more than just users' personal information.
By hosting personal information and private conversations, dating apps put users in a vulnerable position. But enterprises with BYOD models may also be at risk. Several cybersecurity vendors have noted in recent years that many popular dating apps have glaring weaknesses and vulnerabilities.
For example, a 2017 study conducted by Kaspersky examined nine such apps and found they were susceptible to man-in-the-middle attacks and put private messages and access tokens at risk. In addition, using information from popular dating apps, researchers were able to identify 60% of users' pages on various social media, including Facebook and LinkedIn, as well as their full names and surnames.
Some experts argue that if a dating app security vulnerability is exploited on a BYOD device, hackers could potentially gain access not only to a user's personal information, but also to sensitive information that could put their enterprise at risk. Therefore, employees who run enterprise apps or store work-related data on their devices expose their employer to the possibility of leaking private information, including the employee address book, phone numbers, geolocation and even confidential corporate data.
And unfortunately for enterprise security, studies show dating app use is most common on mobile devices. According to a 2017 Statista report, 76% of respondents who used dating apps indicated their smartphone as their primary device of usage, compared with 72% for computer-based users and 48% for tablet users.
"We've seen a lot of apps that leak usernames and passwords -- and about 75% of corporate end users use the same password across both business and personal sites. If you have a dating app that doesn't protect a login, and if someone gets that info, suddenly they have the keys to the kingdom to log in to the enterprise because now the whole data center has been opened up," said Michael Covington, vice president of product strategy at Wandera, an enterprise mobile security vendor based in London.
The risks are further compounded by the extensive access that many of these apps have to other third-party apps and data on a user's device. A 2016 study of 25 popular dating apps by IT asset management vendor Flexera Software found that 60% of dating apps can access social networking apps and texting functions; 36%, including Grindr and OkCupid, can access calendars on a device; and 24%, including Blendr, Hinge and Tinder, can access users' address books.
While dating app users volunteer certain information that may seem harmless to enterprises, Bob Kelly, senior product manager at Flexera Software, said users and enterprises alike should consider the related data that can be accessed and the implications of potential data leaks.
"The problem we see most often is enabling access to things that aren't inherently understood, for example, location services and access to a microphone or camera. Sometimes it's not the employee, but the app's own capability to access things that poses the risk, and the same translates to desktop apps," Kelly said.
Enterprise concerns about dating app security have existed for some time. In 2015, IBM Security published a research paper titled "Dating Apps Vulnerabilities & Risks to Enterprises," which found that over 60% of the leading dating apps studied contained medium and/or severe vulnerabilities that put application data -- as well as data stored on the device -- at risk. IBM also found that nearly 50% of the organizations analyzed in its research had vulnerable dating apps installed on mobile devices used to access business information.
Experts said the security flaws for online dating apps aren't unique compared to other mobile apps. "Any app installed on a device introduces some level of risk," Kelly said. "There's a risk to installing even a reputable app from certain vendors that you trust."
But dating apps are notable for their popularity, the amount of personal information they contain, and the perceived risk to individual users versus enterprises. "While the vulnerable apps can leak personal user information," the IBM Security report states, "if corporate data is also located on the device it can affect the enterprise."
While many of the online dating services analyzed in these security research reports have improved the security of their mobile apps in recent years, vulnerabilities and weaknesses are still common. For example, earlier this year application security testing firm Checkmarx reported serious vulnerabilities in Tinder's app, including an HTTPS implementation issue that left photos exposed. As a result, a threat actor on the same Wi-Fi network could observe users' photos and activity, including swipes.
And because many enterprises have adopted a true BYOD model, their ability to limit which apps employees install on their personal devices is an ongoing struggle. "BYOD is great while it lasts," Kelly said, "but you can't really enforce policies on BYOD devices."
Dating app security risks
The above research reports list several vulnerabilities, weaknesses and threats common to popular dating apps. For example, the specific medium- and high-severity vulnerabilities that IBM uncovered across the at-risk 60% of leading dating apps include: cross-site scripting (XSS) via man-in-the-middle (MitM), enabled debug flags, weak random number generators (RNGs) and phishing via MitM attacks.
An XSS-MitM attack -- also known as a session hijacking attack -- exploits a vulnerability in a trusted website visited by the targeted victim and gets that website to deliver the attacker's malicious script. The same-origin policy requires that all content on a webpage comes from the same source. When this policy isn't enforced, an attacker is able to inject a script and modify the webpage to suit their own purposes. For example, attackers can extract data that allows them to impersonate an authenticated user, or inject malicious code for the browser to execute.
Also, a debug-enabled application on an Android device may attach to another application and extract data and read or write to that application's memory. Thus, an attacker can extract inbound information that flows into the application, modify its actions and inject malicious data into it and out of it.
Weak RNGs pose another risk. While some dating apps use encryption with a random number generator, IBM found the generators to be weak and easily predictable, making it easy for a hacker to guess the encryption algorithm and gain access to sensitive information.
In phishing via MitM attacks, hackers present a fake login screen to trick users into handing over their credentials, then use those credentials to access the victim's personal information, including contacts, whom they can in turn fool by posing as the user. The attacker can send phishing messages with malicious code that could potentially infect contacts' devices.
Additionally, IBM warned that a phone's camera or microphone could be turned on remotely through a vulnerable dating app, which could be used to eavesdrop on conversations and confidential business meetings. And in its research, Flexera highlighted how dating apps' access to location services and Bluetooth communications, among other device features, can be abused by hackers.
One of the more common dating app security risks involves encryption. While many dating apps have implemented HTTPS to protect the transmission of private data to their servers, Kaspersky researchers said many implementations are incomplete or vulnerable to MitM attacks. For example, the Kaspersky report noted that Badoo's app will upload unencrypted user data, including GPS location and mobile operator data, to its servers if it can't establish an HTTPS connection to those servers. The report also found that more than half of the nine dating apps were vulnerable to MitM attacks even though they had HTTPS fully implemented; researchers discovered that several of the apps didn't validate the SSL certificates presented by the servers they connected to, which allows threat actors to present spoofed certificates and spy on data transmissions that should have been encrypted.
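As an added example (not code from any of the vendor reports or apps cited above), the Python check below is the kind of static review a BYOD app-vetting pipeline could run against an Android app's AndroidManifest.xml and network_security_config.xml to flag the two configuration weaknesses described above: a debug-enabled build (assumed here to mean android:debuggable) and settings that allow plaintext traffic or weaken certificate validation. The package name and file contents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used by AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def audit_manifest(manifest_xml: str) -> list[str]:
    """Flag <application> settings that create the risks discussed above."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["manifest has no <application> element"]
    if app.get(ANDROID_NS + "debuggable") == "true":
        findings.append("debuggable build: other processes can attach and read app memory")
    if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true: plaintext HTTP is allowed")
    return findings

def audit_netsec_config(config_xml: str) -> list[str]:
    """Flag network_security_config.xml settings that weaken TLS."""
    findings = []
    for cfg in ET.fromstring(config_xml).iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"<{cfg.tag}> permits cleartext traffic")
        for cert in cfg.iter("certificates"):
            if cert.get("src") == "user":  # user-installed CAs are trusted
                findings.append(f"<{cfg.tag}> trusts user-installed CAs, weakening certificate validation")
    return findings

# Constructed samples for a hypothetical app (not any real product's files).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.dating">
  <application android:debuggable="true" android:usesCleartextTraffic="true"/>
</manifest>"""
WEAK_NETSEC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
</network-security-config>"""
# Hardened counterpart: no cleartext, only the system trust store.
HARDENED_NETSEC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
</network-security-config>"""

if __name__ == "__main__":
    for label, findings in [("manifest", audit_manifest(WEAK_MANIFEST)),
                            ("weak config", audit_netsec_config(WEAK_NETSEC)),
                            ("hardened config", audit_netsec_config(HARDENED_NETSEC))]:
        print(f"{label}: {findings or 'no findings'}")
```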