A new IBM report serves as a reminder this Valentine's Day that mobile device owners, and enterprises alike, shouldn't take for granted the security of apps downloaded from “trusted” marketplaces.
In a study released Wednesday, called “IBM Security Analysis: Dating Apps Vulnerabilities & Risks to Enterprises,” (PDF) the company scanned 41 of the leading dating apps available in the Google Play store in October 2014. Researchers released the data just in time for the coming holiday, when such apps are likely abuzz with user activity.
IBM found that over 60 percent of the analyzed apps were impacted by medium-to-severe vulnerabilities “that put application data, as well as data stored on the device, at risk,” the report said. Vulnerabilities discovered across the popular apps included cross-site scripting (XSS) flaws, and the use of weak random number generators (RNGs) used for encryption.In addition, many of the 41 apps were vulnerable to phishing attacks via man-in-the-middle (MitM) designed to steal user credentials at fake login screens, while some of the apps were Debug Flag enabled, meaning an attacker could potentially “intercept information that flows into the [Android] application, modify its actions and inject malicious data into it and out of it,” the report said.
IBM also noted the range of information potentially exposed to hackers because of vulnerable apps, such as credit card information (in the form of user billing data saved to devices) and GPS location data. The identified vulnerabilities could also potentially allow an attacker to gain access to a phone's microphone or camera, the company warned.
Caleb Barlow, vice president of mobile management and security at IBM, told SCMagazine.com in a Monday interview that IBM decided not to name the popular dating apps that were vulnerable at the time, but that the company “notified all 41” of the developers.
“Obviously, we had to have some pretty in-depth conversations with some of those [app makers] that were impacted,” Barlow said. “Because of the number of those impacted, we are not disclosing any of the names, because we need to give the industry time to remediate the issues.”
He added that, in many cases, however, the vulnerabilities were the direct result of poor coding practices that could have been avoided with a quick scan of the application.
“For the enterprise, what this means is there are so many opportunities for corporate data to be exfiltrated off the device,” Barlow explained. “If you have a BYOD program, you really need to think about how you can separate personal data from corporate data, and use containers, for instance.”
Risky user behavior – which is encouraged on dating apps were the goal is to mingle with other users and share personal information – coupled with the array of vulnerabilities present in applications, present the larger threat to mobile data in these scenarios, Barlow added.
In the report, IBM advised organizations to adopt company-wide mobile security policies that support real-time detection and response to malware detected on corporate devices. In addition, enterprises were encouraged to blacklist at-risk applications from running on devices that access corporate data, and to implement enterprise mobility management (EMM) solutions for enhanced BYOD security.
