This Valentine’s Day, looking for love on an app or an online dating site can put you at greater risk of cyber attacks. In fact, with South Africa’s, as well as Africa’s, burgeoning mobile user market and more than half of urban cellphone users – 51% – now using mobile apps, it’s only a matter of time before the wrong information falls into the wrong hands.
Even though many dating applications are relatively new to the market, apps like Tinder already have more than 450 million profiles worldwide that are rated every day, and membership is growing by 15% each week. Tinder is also becoming increasingly popular across the African continent.
But as the number of dating applications and registered users grows, so does their attractiveness to potential attackers.
According to a recent report by IBM, nearly 60% of the mobile dating applications it studied on the Android mobile platform are vulnerable to potential cyber-attacks that could put personal user information and organisational data at risk.
For 50% of enterprises that IBM analysed, employee-installed popular dating applications were present on mobile devices that had access to confidential business data. So how do businesses educate their staff on the potential risks and on mobile security best practices for using the applications safely? With over 1000 dating sites in South Africa and even more across Africa, the potential for information to get into the wrong hands through an innocent romantic encounter is real.
Potential Exploits in Dating Apps
The vulnerabilities that IBM discovered are more powerful than you might suspect. Some of them make it possible for hackers to collect valuable personal information about you. Even though certain applications employ privacy measures, IBM found that many are vulnerable to attacks, which can permit attackers to:
– Use GPS Information to Track Your Movements:
IBM found that 73% of the 41 popular dating applications analysed have access to current and historical GPS location information. Hackers may capture your current and former GPS location details to find out where you live, work or spend most of your day.
– Control Your Phone’s Camera or Microphone:
Several identified vulnerabilities permit hackers to gain access to your phone’s camera or microphone, even when you’re not logged into dating applications. Such vulnerabilities can allow attackers to spy and eavesdrop on your personal activities or tap into data that you capture on your cell phone camera in confidential business meetings.
– Hijack Your Dating Profile:
A hacker can change content and images on your dating profile, impersonate you, communicate with other application users from your account or leak personal information that could tarnish your personal and/or professional reputation.
How Do Attackers Exploit these Vulnerabilities?
Which specific vulnerabilities enable hackers to carry out the exploits mentioned above, permitting them to gain access to your confidential information? IBM’s security researchers determined that 26 of the 41 dating applications they analysed on the Android mobile platform had either medium- or high-severity vulnerabilities, which included the following:
– Cross Site Scripting Attacks, via Man in the Middle:
This vulnerability can act as a gateway for attackers to gain access to mobile applications and other features on your device. It can permit an attacker to intercept cookies and other information from your application via an insecure Wi-Fi connection or rogue access point, and then tap into other device features such as your camera, GPS and microphone that the app has access to.
– Debug Flag-Enabled Exploits:
If the debug flag is enabled on an application, a debug-enabled application on an Android device may attach to another application and read or write to that application’s memory. The attacker can then intercept information that flows into the application, modify its actions and inject malicious data into and out of it.
– Phishing Attacks, via Man in the Middle:
An attacker can offer up a fake login screen via dating applications to capture your user credentials, so that when you try to log into a site of their choosing, your credentials are disclosed to the attacker without your knowledge. Then, the attacker can reach out to your contacts, pretending to be you, and send them phishing messages with malicious code that could potentially infect their devices.
What Can You Do to Protect Yourself Against these Exploits?
One of the primary challenges with dating apps is that they operate in a different fashion than other social media sites. Most social media sites encourage you to connect with people you already know. By definition, mobile dating applications encourage you to connect with people you don’t already know. So, what can you do to protect yourself?
– Trust Your Instinct:
As the old saying goes, “there are many fish in the sea.” If the person who you’re engaging with online refuses to provide the same basic information that s/he asks of you, if their photos and profile appear too good to be true, if their profile information doesn’t seem to align with the type of person you’re communicating with, trust your instinct and move on. Until you get to know the person well, resist any efforts to meet him/her anywhere but in a public location, with plenty of other people around.
– Keep Your Profile Lean:
Don’t divulge too much personal information on these sites. Information such as where you work, your birthday or links to your other social media profiles should be shared only when you’re comfortable with the person you’re engaging with on the applications.
– Schedule a Routine “Permission Review”:
On a routine basis, you should review your device settings to confirm that security settings haven’t been altered. For example, the author of this blog had his cell phone revert to “GPS-enabled,” when he upgraded the software on his device, permitting another user to identify his precise geographical location via a chat application. Prior to the upgrade, GPS device-tracking had not been enabled. So you need to be vigilant, since updating your applications can inadvertently reset permissions for device features associated with your address book or GPS data. You should be particularly vigilant after any software upgrade or updates are made.
– Utilise Unique Passwords for All of your Online Accounts:
Utilise unique passwords for every online account that you manage. If you use the same password for all your accounts, it can leave you open to multiple attacks, should an individual account be compromised. Remember to always utilise different passwords for your e-mail and chat accounts than for your social media profiles, as well.
– Patch Immediately:
Always apply the latest patches and updates to your applications and your devices, as soon as they become available. Doing so will address identified bugs in your device and applications, resulting in a more secure online experience.
– Clean Up Your Contact List:
Review the contacts and notes on your device. Sometimes users attach passwords and notes about personal and business contacts in their address book, but doing so could prove embarrassing and costly if they fall into the wrong hands.
– Live Happily Ever After:
When you’re fortunate enough to have found your special someone, go back to the dating site and delete or inactivate your profile rather than keeping your personal information available to others. And, don’t forget to buy him/her a Valentine’s gift this year!
What Can Organisations Do to Protect their Users?
In addition to encouraging employees to follow safe online practices, organisations need to protect themselves from vulnerable dating apps that are active inside their infrastructure. As referred to earlier, IBM found that nearly 50 organisations, sampled for this research, have at least one popular dating app installed on either corporate-owned or Bring Your Own Device (BYOD) devices. To protect sensitive data, organisations should consider the following mobile security activities:
– Protect BYOD Devices:
Leverage Enterprise Mobility Management (EMM) offerings with mobile threat management (MTM) capabilities to enable employees to utilise their own devices to access the sites, while maintaining organisational security.
– Permit Employees to Download from Authorised App Stores only:
Allow employees to download applications solely from authorised application stores such as Google Play, iTunes and your organisation’s app store, if applicable.
– Educate Employees about Application Security:
Educate employees about the dangers of downloading third-party applications and potential dangers that can result from weak device permissioning.
– Act Immediately, when a Device has been Compromised:
Set automated policies on smartphones and tablets, which take immediate action if a device is found compromised or malicious apps are discovered. That approach permits your organisation’s data to be protected while the issue’s being remediated.