Online dating. It’s not going away. In fact, according to Pew Research Center, 11% of American adults had used online dating sites or mobile dating apps as of 2013. Many are looking for love, not cyber threats or blackmail. So, just in time for Valentine’s Day, RIIS LLC, a consulting firm offering accelerated application development, has released findings that break down the risks for the top five dating sites.
The Android Mobile Security Index analyzes Match.com, Plenty of Fish, and three other extremely popular sites that employees are bound to be accessing at some point during the day. Each app was rated using an industry standard as defined by the OWASP Mobile Security Project.
So, what’s the result? Out of the five, Match scored the lowest while Christian Mingle came out on top.
What’s going on with Match? Insecure data storage: a user’s profile and activity are all stored locally, unencrypted, in a SQLite database. To gain access to this data, a hacker would simply need access to the unlocked phone, back up the app’s runtime data and APK, and voilà, information to exploit.
“It doesn’t get any more sensitive than this,” said Godfrey Nolan, founder of RIIS, in an interview with Mobile Enterprise. Who wants their personal preferences known, or the emails sent between dates?
Oh, so what, many will say.
How about corporate espionage? Not only are low- and mid-level employees accessing dating sites on a daily basis, but so are C-suite executives, and any one of these groups can become a target for a creative hacker with a scheme. What’s the plan? Harvest intelligence, then leverage it in the real world. Wait, isn’t that just some far-fetched movie plot reminiscent of the Cold War, or perhaps some festival flick starring Jude Law? No.
Foreign entities and domestic companies routinely spy on each other to gain competitive advantage and will continue to do so. In India, for example, 35% of enterprises operating in the region take part in corporate espionage, according to Associated Chambers of Commerce and Industry of India (Assocham). Many also use social sites to keep tabs on employees. That’s the official tally for just one country, and it’s going on all over the world.
Log On, Always On
Christian Mingle’s app had no major security issues, primarily because it is more of a mobile website wrapped in an Android frame than a classic Android app: user data is not stored on the phone. In complete contrast, eHarmony’s app made no real attempt to hide information. Both the username and password, for example, can be found in cleartext on the phone.
“eHarmony suffers from the Starbucks disease,” Nolan said, referring to the recently publicized vulnerability found in the coffee chain’s mobile app. (The company has since added extra levels of protection.)
Why does cleartext matter at all? Because, as the name implies, the data can be read as-is: there is no encryption whatsoever. “The first level is to make at least some attempt to encrypt,” Nolan said. “It’s all about raising the bar: how easy are you making it for someone to hack? Can your kid sister do it, or does it require a foreign government?”
Zoosk, Match.com and POF do encrypt the user’s password. However, because it’s saved on the phone, a hacker just needs to back up the data, transfer it to another phone and assume the user’s identity. The RIIS report clearly notes that this is the trade-off in mobile development: if you want to protect data, the user must log in to access the application.
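The two storage patterns the report contrasts, as an added illustration that is not code from RIIS or from any of the apps discussed: the cleartext credential file the article attributes to eHarmony beside a hardened alternative that persists no password at all. The hardened version assumes the androidx.security:security-crypto library, and the `CredentialStore` class and its method names are hypothetical.

```java
// Added example, not from the RIIS report or any app it reviewed.
// Assumes androidx.security:security-crypto is on the classpath.
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class CredentialStore {

    // BEFORE: the pattern the article describes. Username and password are
    // written to an app-private XML file in cleartext, so anyone who can back
    // up the app's data (an unlocked phone is enough) reads them directly.
    public static void saveInsecure(Context ctx, String user, String password) {
        SharedPreferences prefs = ctx.getSharedPreferences("login", Context.MODE_PRIVATE);
        prefs.edit().putString("username", user).putString("password", password).apply();
    }

    // AFTER: never persist the password. Keep only a short-lived session
    // token the server can revoke, encrypted under a key that lives in the
    // Android Keystore. The ciphertext may still be backed up and copied to
    // another phone, but the key does not travel with it, and the server-side
    // token can be invalidated. Pair this with android:allowBackup="false"
    // in the manifest so the app's data is excluded from backups entirely.
    public static void saveSessionToken(Context ctx, String user, String sessionToken)
            throws GeneralSecurityException, IOException {
        SharedPreferences prefs = openEncryptedPrefs(ctx);
        prefs.edit().putString("username", user).putString("token", sessionToken).apply();
    }

    // Returns null when no session is stored, which should send the user to
    // the login screen rather than silently reusing an old credential.
    public static String loadSessionToken(Context ctx)
            throws GeneralSecurityException, IOException {
        return openEncryptedPrefs(ctx).getString("token", null);
    }

    private static SharedPreferences openEncryptedPrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx, "session", masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }
}
```

Encrypting a stored password, as Zoosk, Match.com and POF do, only helps if the key cannot be copied along with the data; a Keystore-backed key plus a revocable token is what makes the "transfer it to another phone" path fail.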
However, dating sites are all competing with one another, so usability is essential. An initial prompt to log in creates the perception that the app is secure and everything is fine and dandy. But there are no subsequent prompts, in order to keep things convenient for the end user.
“It’s completely understandable,” Nolan said, regarding the goal for dating sites to attract more members with easy-to-use apps. “But it’s sacrificing basic security because of that.” And such a risk is not exactly being advertised. Perhaps dating sites are assuming that most users are locking their smartphones, but that’s far from reality.
Findings from the report were sent to each respective dating site, with two out of five responding to RIIS by email. The eHarmony CIO said the company was working on changing the issues in a future release, while a Match.com PR rep said the results would be forwarded to the appropriate tech teams (but further action is not expected).
For more information on the app risks, download the Android Mobile Security Index.