February 11, 2015
- Half of the companies analyzed by IBM have employees who access dating apps on work mobile devices.
- IBM offers tips for consumers and businesses to protect themselves.
An analysis by IBM’s Security unit found that more than 60% of the leading dating apps studied are potentially vulnerable to a variety of cyberattacks that put users’ personal information and company data at risk.
The IBM study reveals that many of these dating apps have access to additional features on mobile devices, such as the camera, microphone, storage, GPS location, and mobile wallet billing information, which, combined with the vulnerabilities, can make them a target for hackers. IBM also found that nearly 50% of the organizations surveyed have at least one of these popular dating apps installed on mobile devices used to access company information.
In today’s connected culture, dating apps are a common and convenient way for singles of all ages to find new romantic interests. In fact, a Pew Research study revealed that one in 10 Americans, or roughly 31 million people, used a dating site or app, while the number of people who dated someone they met online rose to 66% in the last eight years.
“Many consumers use and trust their mobile phones for a variety of applications. It is this trust that gives hackers the opportunity to take advantage of vulnerabilities like the ones we find in these dating apps,” said Caleb Barlow, Vice President of IBM Security. “Consumers should be careful not to reveal too much personal information on these sites when trying to establish a relationship. Our research shows that some users may be in a dangerous situation: the more information they share, the more they sacrifice their security and privacy.”
Security researchers at IBM Security identified that 26 of the 41 dating apps they analyzed on the Android mobile platform had medium or high severity vulnerabilities. The analysis was carried out on the basis of apps available in the Google Play App Store in October 2014.
Vulnerabilities discovered by IBM make it possible for a hacker to obtain valuable personal information about a user. While some apps have privacy measures in place, IBM found that many are vulnerable to attacks that could lead to the following situations:
The dating app is used to download malware: Users lower their guard when they anticipate that they will receive interest from a potential date. That is the moment that hackers seize.
Use of GPS information to follow movements: IBM found that 73% of the 41 dating apps analyzed have access to current and past GPS location information. Hackers can capture the location of the user to know where he lives, works or spends time.
Credit card number theft: 48% of the 41 dating apps analyzed have access to a user’s billing information stored on their device.
Remote control of a phone’s camera or microphone: A hacker can access a phone’s camera or microphone even if the user is not logged in to the app. This means that an attacker can spy on and eavesdrop on users or intrude on confidential company meetings.
Profile tampering in the dating app: A hacker can alter the content and images in the dating profile, impersonate the user and communicate with other users of the app, or leak personal information externally to damage the user’s reputation.
Hackers can intercept cookies from an app through a Wi-Fi connection or fake access point and then sabotage other device features, such as the camera, GPS, and microphone, to which the app has access permissions. They can also create a fake login screen through the dating app, to capture the user’s credentials, so that when they try to connect to a website the information is also shared with the attacker.
Precautions against possible attacks related to dating apps
While IBM discovered a number of vulnerabilities in more than 60% of the most popular Android dating apps, there are actions that both consumers and businesses can take to protect themselves from threats.
What can consumers do?
Be mysterious: Do not disclose too much personal information on these sites, such as where you work, your birthday, or social media profiles, until you feel comfortable with the person you are interacting with through the app.
Suitable permissions: Decide if you are going to use an app by checking the permissions it asks for, viewing the settings on your mobile device. When updated, apps often automatically reconfigure the permissions that determine which phone features they have access to, such as its address book or GPS data.
Keep it exclusive: Use unique passwords for each online account you have. By using the same password for all of your accounts, you can leave multiple attack fronts open in case one account is compromised.
Specific patches: Apply the latest patches and updates to your apps and your device when they are available. This will fix issues identified on your device and applications and give you a more secure experience.
Reliable connections: Use only reliable Wi-Fi connections with your dating app. Hackers love to use fake Wi-Fi access points to directly connect to your device and execute these types of attacks. Many of the vulnerabilities found in this research can be exploited over Wi-Fi.
What can companies do?
Companies must also be prepared to protect themselves from vulnerable dating apps that are active within their infrastructures, especially where employees can bring their own mobile devices to work (Bring Your Own Device, BYOD). IBM found that nearly 50% of the organizations surveyed for this research have at least one of these popular dating apps installed on company or staff mobile devices used for work. To protect their confidential assets, companies must:
Adopt the correct protection: Take advantage of Enterprise Mobility Management (EMM) solutions with Mobile Threat Management (MTM) capabilities to enable employees to use their own devices while maintaining the security of the organization.
Define Downloadable Apps: Allow employees to download apps only from authorized app stores, such as Google Play, iTunes, and the corporate app store.
Education is key: Train employees to understand the dangers of downloading third-party applications and what it means to give those applications specific permissions on devices.
Communicate potential threats immediately: Define automated policies on smartphones and tablets that take immediate action if a device is found to be compromised or malicious apps are found. This helps protect corporate resources while the problem is fixed.
About this research
IBM Security analysts who are part of the IBM Application Security Research team used the new IBM AppScan Mobile Analyzer tool to analyze the top 41 dating apps on Android devices, with the aim of identifying vulnerabilities that can leave users open to potential attacks and cyber threats. These applications were also analyzed to determine the permissions granted, thus discovering a large number of excessive privileges. To understand business user adoption of these 41 dating apps, app data was analyzed with IBM MobileFirst Protect, formerly known as MaaS360. Before releasing this investigation to the public, IBM Security disclosed it to all impacted app vendors identified in this investigation.