- iOS -

Last update 04.10.2017 16:16:44

Introduction  List  Kategorie  Subcategory  0  1  2  3  4  5 



iOS 12 Brings Patches for 16 Security Vulnerabilities
20.9.2018 securityweek
iOS

Apple this week officially released iOS 12, which patches various vulnerabilities in the mobile operating system (OS) and brings improved performance and other enhancements.

The tech giant also pushed updates for Apple TV 4K and Apple TV (4th generation) and Apple Watch Series 1 and later, with the release of tvOS 12 and watchOS 5. Safari 12 and Apple Support 2.4 for iOS were also released this week.

A total of 16 vulnerabilities were addressed with the release of iOS 12, most of which impact only iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

Tracked as CVE-2018-5383, an input validation issue in Bluetooth could allow an attacker in a privileged network position to intercept Bluetooth traffic. It impacts iPhone SE, iPhone 6s, iPhone 6s Plus, iPhone 7, iPhone 7 Plus, iPad Mini 4, 12.9-inch iPad Pro 1st generation, 12.9-inch iPad Pro 2nd generation, 10.5-inch iPad Pro, 9.7-inch iPad Pro, iPad 5th generation, and iPod Touch 6th generation.

The remaining flaws affect components such as Accounts, Core Bluetooth, CoreMedia, IOMobileFrameBuffer, iTunes Store, Kernel, Messages, Notes, Safari, SafariViewController, Security, Status Bar, and Wi-Fi.

Some of these flaws could allow an app to read a persistent account identifier, execute arbitrary code with system privileges, learn information about the current camera view before being granted camera access, or read restricted memory.

Bugs in Messages, Notes, and Safari could allow a local user to discover a user’s deleted messages, notes, or the websites a user has visited. A flaw in iTunes Store could be exploited by an attacker in a privileged network position to spoof password prompts in the iTunes Store.

One other flaw in Safari could prevent a user from deleting browsing history items. Other flaws could allow malicious websites to exfiltrate autofilled data in Safari or could lead to address bar spoofing when visiting malicious websites.

Apple also removed the RC4 cryptographic algorithm from the platform, to prevent attackers from exploiting weaknesses in it, and addressed an issue where anyone with physical access to an iOS device could determine the last used app from the lock screen.

tvOS 12 patches 5 vulnerabilities in Bluetooth, iTunes Store, Kernel, Safari, and Security, while watchOS 5 addressed 4 bugs in iTunes Store, Kernel, Safari, and Security.

Available for macOS Sierra 10.12.6, and macOS High Sierra 10.13.6, Safari 12 patches 3 flaws, while Apple Support 2.4 for iOS addresses one bug in Analytics, which could allow an attacker in a privileged network position to intercept analytics data sent to Apple.


The ZipperDown Vulnerability could affect roughly 10% of iOS Apps
23.5.2018 securityaffairs  iOS

Experts from Chinese jailbreakers Pangu Lab, have recently discovered the ZipperDown flaw that could affect roughly 10% of iOS Apps.
ZipperDown, is a recently discovered vulnerability that could affect thousands of iOS apps and maybe also Android users.

The ZipperDown flaw was first reported by experts from Chinese jailbreakers Pangu Lab, that described it as described as a programming error.

The experts estimate 15,978 out of 168,951 iOS apps are affected, roughly 10% of the total. The list of affected apps includes popular applications such as Weibo, MOMO, NetEase Music, QQ Music and Kwai.

“While auditing iOS Apps from various customers, Pangu Lab noticed a common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected Apps.” states the report published by the Pangu Lab.

“We created a signature for the issue and performed a large-scale search on our App analysis platform Janus. Surprisingly, we found that round 10% iOS Apps might be affected by the same or similar issues.”

ZipperDown

Pangu Lab has not publicly released details of the flaw and are reporting the problem to the app publishers.

The hackers published a video PoC of the attack that shows a user downloading and using Weibo apps in an unsafe Wi-Fi environment. In this scenario, the attackers gain code execution in the context of user’s Weibo app by exploiting the ZipperDown vulnerability.

According to the experts, an attacker can trigger the ZipperDown flaw if at least two unusual conditions are met. The first condition sees the attacker controls the WiFi network to which the device is connected, the second condition is that the app must be running outside the iOS “sandbox.”

An attacker could exploit the flaw to run illicit applications on the affected device, but Pangu Lab added that the sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.

“What can ZipperDown do?
It depends on the affected app and its privileges. In general, attackers could overwrite the affected app’s data, or even gain code execution in the context of the affected app. Note that the sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.” continues the report.


iPhones, iPads Can Be Hacked via 'Trustjacking' Attack
19.4.2018 securityweek iOS

A feature that allows users to wirelessly sync their iPhones and iPads with iTunes can be abused by hackers to take control of iOS devices in what researchers call a “Trustjacking” attack.

This feature can be enabled by physically connecting an iOS device to a computer with iTunes and enabling the option to sync over Wi-Fi. The user is prompted to confirm that the computer is trusted when the mobile device is first connected to it, but no other approval is required to enable the syncing feature or to access the device over Wi-Fi at a later time.

Researchers at Symantec have found a way to abuse the iTunes Wi-Fi sync feature. They discovered that if an attacker can convince the targeted user to connect their iPhone/iPad via a cable to a malicious or compromised device, the hacker gains persistent control over the phone/tablet as long as they are on the same wireless network as the victim.Trustjacking only requires a user to trust a malicious or compromised device

In one attack scenario described by the experts, the Trustjacking attack involves a malicious charger at an airport. Once the user connects a device to the charger, they are asked to confirm that they trust the computer they have connected to – which they will likely do, thinking that the trust will be revoked once the phone/tablet is disconnected. The attacker then enables the Wi-Fi sync option in iTunes in a process that can be automated.

Even after the victim disconnects the iPhone/iPad from the charger, the attacker will still have control over the device, allowing them to conduct a wide range of activities.

For example, an attacker can install a developer image corresponding to the iOS version running on the victim’s system, giving them access to the device’s screen. Repeatedly capturing screenshots allows the hacker to view and record the victim’s every action.

Since the sync feature provides access to the iTunes backup, an attacker can also obtain a user’s photos, SMS and iMessage chats, and application data. The attacker can also install malicious applications or replace existing apps with a modified version.

An attack can also be conducted by hijacking the targeted user’s computer, making it easier to conduct unauthorized activities given that the computer and the mobile device are more likely to be on the same network for extended periods of time.

Trustjacking only requires a user to trust a malicious or compromised device

While the easiest way to conduct a Trustjacking attack involves being on the same Wi-Fi network as the victim, Symantec researchers believe this requirement can be bypassed via what is known as a malicious profile attack.

This method has been known since 2013 and it involves convincing the victim to install a malicious configuration file, or iOS profile, on their iPhone or iPad. These profiles allow cellular carriers, MDM solutions, and apps to configure system-level settings, but they can also be abused to remotely hijack devices.

Symantec says the method can be used to conduct Trustjacking attacks over the Internet by connecting the device to a VPN server and creating a continuous connection between them.

Apple has been informed about the vulnerability and the company has attempted to address it by adding an extra layer of protection in iOS 11. Specifically, users are now asked to enter their passcode when trusting a computer.

“While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in an holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above,” explained Symantec’s Roy Iarchy, one of the people involved in this research.

Some of the mitigations recommended by Symantec include clearing the list of trusted devices and reauthorizing them, enabling encrypted backups in iTunes, setting a strong password, and using mobile security solutions.


QR Code Bug in Apple iOS 11 Could Lead You to Malicious Sites
29.3.2018 thehackernews iOS

A new vulnerability has been disclosed in iOS Camera App that could be exploited to redirect users to a malicious website without their knowledge.
The vulnerability affects Apple's latest iOS 11 mobile operating system for iPhone, iPad, and iPod touch devices and resides in the built-in QR code reader.
With iOS 11, Apple introduced a new feature that gives users ability to automatically read QR codes using their iPhone's native camera app without requiring any third-party QR code reader app.
You need to open the Camera app on your iPhone or iPad and point the device at a QR code. If the code contains any URL, it will give you a notification with the link address, asking you to tap to visit it in Safari browser.
However, be careful — you may not be visiting the URL displayed to you, security researcher Roman Mueller discovered.
According to Mueller, the URL parser of built-in QR code reader for iOS camera app fails to detect the hostname in the URL, which allows attackers to manipulate the displayed URL in the notification, tricking users to visit malicious websites instead.

For the demo, the researcher created a QR code (shown above) with the following URL:
https://xxx\@facebook.com:443@infosec.rm-it.de/
If you scan it with the iOS camera app, it will show following notification:
Open "facebook.com" in Safari
When you tap it to open the site, it will instead open:
https://infosec.rm-it.de/
I have tested the vulnerability, as shown in the screenshot above, on my iPhone X running iOS 11.2.6 and it worked.
QR (Quick Response) code is a quick and convenient way to share information, but the issue becomes particularly more dangerous when users rely on QR codes for making quick payments or opening banking websites, where they might end up giving their login credentials away to phishing websites.
The researcher had already reported this flaw to Apple in December last year, but Apple hasn’t yet fixed the bug to the date.


A flaw in the iOS camera QR code URL parser could expose users to attacks
28.3.2018 securityaffairs iOS

A vulnerability in the iOS Camera App could be exploited by hackers to redirect users to a malicious website, the issue affects the built-in QR code reader.
The iOS Camera App is affected by a bug that could be exploited by hackers to redirect users to a malicious website, the issue resides in the built-in QR code reader.

The flaw affects the latest Apple iOS 11 for iPhone, iPad, and iPod touch devices.

The problem ties a new feature that was implemented in iOS 11 to allow users to automatically read QR codes while using the camera app without requiring any third-party QR code reader app.

To read a QR code, users need to open the Camera app on their Apple devices and point the iPhone or the iPad at a QR code, in this way if the code an URL, the system will give the users a notification with the link address. Tapping the notification the users can visit the URL in Safari browser, but according to the security researcher Roman Mueller who discovered the vulnerability, the URL visited could be changed.

The expert discovered that the URL parser of built-in QR code reader for iOS camera app doesn’t correctly detect the hostname in the URL making it possible to change the displayed URL in the notification and hijacking to users to malicious websites.

“The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.” wrote the expert in a blog post.

“It probably detects “xxx\” as the username to be sent to “facebook.com:443”.
While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de.”
“This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.”

Mueller created a QR code containing the following URL:

https://xxx\@facebook.com:443@infosec.rm-it.de/

When he scanned it he noticed that the device was showing the following notification:

Open “facebook.com” in Safari

Once tapped it opened https://infosec.rm-it.de/ instead Facebook.

The expert successfully tested the issue on his iPhone X running iOS 11.2.6.

QR code hack

The researcher had already reported this flaw to Apple in December last year, but Apple hasn’t yet fixed the bug to the date.

The bug is very dangerous and opens the doors to numerous attack scenarios.

Mueller reported the vulnerability to the Apple security team on 2017-12-23, but at the time I was writing the flaw is still present.


New Cisco App Helps Organizations Secure iOS Devices
14.12.2017 securityweek iOS
Cisco on Thursday announced the availability of Security Connector, an iOS application designed to provide organizations visibility and control for mobile devices running Apple’s operating system.

Security Connector for iOS, the result of a partnership between Apple and Cisco, is an application that combines functionality from the Cisco Umbrella secure internet gateway and the Cisco Advanced Malware Protection (AMP) endpoint security product, specifically its Clarity component.

Enterprises can download the application from the Apple App Store – the app itself is free but requires a license from Cisco – and deploy it on devices running iOS 11 via mobile device management (MDM) solutions such as Cisco’s Meraki Systems Manager. Once installed, the app provides deep visibility to ensure compliance, establish risk exposure, and aid incident response.

Cisco Security Connector also offers control over iPhones and iPads to ensure that their users cannot connect to malicious website, regardless of whether they are using the corporate network, their own cellular data plan, or public Wi-Fi connections. Cisco claims the product has no impact on employees’ mobile experience.

The new product leverages the Network Extension Framework in iOS 11, which exposes APIs that give developers the ability to customize network features, to enable organizations to monitor and control DNS traffic and provide insight into traffic generated by users, apps and devices.

Several Cisco customers have already tested Security Connector and the networking giant has described a scenario in the healthcare sector to show its potential usefulness.

“Ransomware and malware are spreading across the Internet and increasingly targeting mobile devices. Together with Apple, we are helping enterprises become the most connected, collaborative, and secure businesses in the world,” said David Ulevitch, senior vice president and general manager of Cisco’s Security Business Group. “With this app, we want to provide businesses with tools to meet their security, risk, and compliance requirements.”


Twilio Credentials Hardcoded in Mobile Apps Expose Calls, Texts
9.11.2017 securityweek Mobil  Android  iOS
Hundreds of mobile applications that use the Twilio SDK or REST API include hardcoded credentials that could be abused to access millions of calls and text messages, researchers warned on Thursday.

Appthority’s Mobile Threat Team has analyzed more than 1,100 iOS and Android applications that use Twilio, a cloud communications platform designed for developing voice and messaging apps.

Twilio’s documentation provides guidance on best security practices, but researchers found that 686 apps from 85 developers exposed Twilio account IDs and access tokens (i.e. passwords). Roughly one-third of the applications containing hardcoded Twilio credentials are business-related, and the ones designed for Android have been downloaded between 40 and 180 million times.

The affected apps, more than 170 of which are still available on Google Play and the Apple App Store, include software used for secure communications by a federal law enforcement agency, one that allows sales teams to record audio and annotate discussions in real-time, and navigation apps for AT&T and US Cellular customers.

Researchers estimated that by extracting the Twilio account credentials from the source code of these apps, malicious actors could have gained access to hundreds of millions of call records, calls and call audio recordings, and SMS and MMS messages. North America, the U.K. and Australia are the most affected regions.

The vulnerability, which Appthority has dubbed “Eavesdropper,” was discovered in April and Twilio was notified in July. The service provider has been working with the developers of the impacted apps to address the issue.

However, researchers pointed out that the only way for developers to properly address the problem is to get their users to install an updated version of their app that does not include hardcoded credentials and change their Twilio account tokens.

Hardcoded credentials can pose a serious risk, not just for apps that use Twilio. Appthority warned that roughly 40% of the analyzed applications also expose Amazon S3 credentials.

Researchers have found credentials for more than 2,000 Amazon accounts in the analyzed apps. A closer analysis showed that roughly 900 of the accounts are still active and they provide access to nearly 22,000 S3 buckets, including ones that store potentially sensitive information.

“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” warned Seth Hardy, Appthority Director of Security Research. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”

Earlier this year, Appthority reported that more than 1,000 iOS and Android applications installed on enterprise mobile devices had been exposing sensitive data via backend systems.


Dangerous liaisons

25.10.2017 Kaspersky Android  iOS
Investigating the security of online dating apps
It seems just about everyone has written about the dangers of online dating, from psychology magazines to crime chronicles. But there is one less obvious threat not related to hooking up with strangers – and that is the mobile apps used to facilitate the process. We’re talking here about intercepting and stealing personal information and the de-anonymization of a dating service that could cause victims no end of troubles – from messages being sent out in their names to blackmail. We took the most popular apps and analyzed what sort of user data they were capable of handing over to criminals and under what conditions.

We studied the following online dating applications:

Tinder for Android and iOS
Bumble for Android and iOS
OK Cupid for Android and iOS
Badoo for Android and iOS
Mamba for Android and iOS
Zoosk for Android and iOS
Happn for Android and iOS
WeChat for Android and iOS
Paktor for Android and iOS
By de-anonymization we mean the user’s real name being established from a social media network profile where use of an alias is meaningless.

User tracking capabilities
First of all, we checked how easy it was to track users with the data available in the app. If the app included an option to show your place of work, it was fairly easy to match the name of a user and their page on a social network. This in turn could allow criminals to gather much more data about the victim, track their movements, identify their circle of friends and acquaintances. This data can then be used to stalk the victim.

Discovering a user’s profile on a social network also means other app restrictions, such as the ban on writing each other messages, can be circumvented. Some apps only allow users with premium (paid) accounts to send messages, while others prevent men from starting a conversation. These restrictions don’t usually apply on social media, and anyone can write to whomever they like.

More specifically, in Tinder, Happn and Bumble users can add information about their job and education. Using that information, we managed in 60% of cases to identify users’ pages on various social media, including Facebook and LinkedIn, as well as their full names and surnames.
 

An example of an account that gives workplace information that was used to identify the user on other social media networks

In Happn for Android there is an additional search option: among the data about the users being viewed that the server sends to the application, there is the parameter fb_id – a specially generated identification number for the Facebook account. The app uses it to find out how many friends the user has in common on Facebook. This is done using the authentication token the app receives from Facebook. By modifying this request slightly – removing some of the original request and leaving the token – you can find out the name of the user in the Facebook account for any Happn users viewed.
 

Data received by the Android version of Happn

It’s even easier to find a user account with the iOS version: the server returns the user’s real Facebook user ID to the application.
 

Data received by the iOS version of Happn

Information about users in all the other apps is usually limited to just photos, age, first name or nickname. We couldn’t find any accounts for people on other social networks using just this information. Even a search of Google images didn’t help. In one case the search recognized Adam Sandler in a photo, despite it being of a woman that looked nothing like the actor.

The Paktor app allows you to find out email addresses, and not just of those users that are viewed. All you need to do is intercept the traffic, which is easy enough to do on your own device. As a result, an attacker can end up with the email addresses not only of those users whose profiles they viewed but also for other users – the app receives a list of users from the server with data that includes email addresses. This problem is found in both the Android and iOS versions of the app. We have reported it to the developers.
 

Fragment of data that includes a user’s email address

Some of the apps in our study allow you to attach an Instagram account to your profile. The information extracted from it also helped us establish real names: many people on Instagram use their real name, while others include it in the account name. Using this information, you can then find a Facebook or LinkedIn account.

Location
Most of the apps in our research are vulnerable when it comes to identifying user locations prior to an attack, although this threat has already been mentioned in several studies (for instance, here and here). We found that users of Tinder, Mamba, Zoosk, Happn, WeChat, and Paktor are particularly susceptible to this.
 

Screenshot of the Android version of WeChat showing the distance to users

The attack is based on a function that displays the distance to other users, usually to those whose profile is currently being viewed. Even though the application doesn’t show in which direction, the location can be learned by moving around the victim and recording data about the distance to them. This method is quite laborious, though the services themselves simplify the task: an attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner.
 

Mamba for Android displays the distance to a user

Different apps show the distance to a user with varying accuracy: from a few dozen meters up to a kilometer. The less accurate an app is, the more measurements you need to make.
 

As well as the distance to a user, Happn shows how many times “you’ve crossed paths” with them

Unprotected transmission of traffic
During our research, we also checked what sort of data the apps exchange with their servers. We were interested in what could be intercepted if, for example, the user connects to an unprotected wireless network – to carry out an attack it’s sufficient for a cybercriminal to be on the same network. Even if the Wi-Fi traffic is encrypted, it can still be intercepted on an access point if it’s controlled by a cybercriminal.

Most of the applications use SSL when communicating with a server, but some things remain unencrypted. For example, Tinder, Paktor and Bumble for Android and the iOS version of Badoo upload photos via HTTP, i.e., in unencrypted format. This allows an attacker, for example, to see which accounts the victim is currently viewing.
 

HTTP requests for photos from the Tinder app

The Android version of Paktor uses the quantumgraph analytics module that transmits a lot of information in unencrypted format, including the user’s name, date of birth and GPS coordinates. In addition, the module sends the server information about which app functions the victim is currently using. It should be noted that in the iOS version of Paktor all traffic is encrypted.
 

The unencrypted data the quantumgraph module transmits to the server includes the user’s coordinates

Although Badoo uses encryption, its Android version uploads data (GPS coordinates, device and mobile operator information, etc.) to the server in an unencrypted format if it can’t connect to the server via HTTPS.
 

Badoo transmitting the user’s coordinates in an unencrypted format

The Mamba dating service stands apart from all the other apps. First of all, the Android version of Mamba includes a flurry analytics module that uploads information about the device (producer, model, etc.) to the server in an unencrypted format. Secondly, the iOS version of the Mamba application connects to the server using the HTTP protocol, without any encryption at all.
 

Mamba transmits data in an unencrypted format, including messages

This makes it easy for an attacker to view and even modify all the data that the app exchanges with the servers, including personal information. Moreover, by using part of the intercepted data, it is possible to gain access to account management.
 

Using intercepted data, it’s possible to access account management and, for example, send messages
 

Mamba: messages sent following the interception of data

Despite data being encrypted by default in the Android version of Mamba, the application sometimes connects to the server via unencrypted HTTP. By intercepting the data used for these connections, an attacker can also get control of someone else’s account. We reported our findings to the developers, and they promised to fix these problems.
 

An unencrypted request by Mamba

We also managed to detect this in Zoosk for both platforms – some of the communication between the app and the server is via HTTP, and the data is transmitted in requests, which can be intercepted to give an attacker the temporary ability to manage the account. It should be noted that the data can only be intercepted at that moment when the user is loading new photos or videos to the application, i.e., not always. We told the developers about this problem, and they fixed it.
 

Unencrypted request by Zoosk

In addition, the Android version of Zoosk uses the mobup advertising module. By intercepting this module’s requests, you can find out the GPS coordinates of the user, their age, sex, model of smartphone – all this is transmitted in unencrypted format. If an attacker controls a Wi-Fi access point, they can change the ads shown in the app to any they like, including malicious ads.
 

An unencrypted request from the mopub ad unit also contains the user’s coordinates

The iOS version of the WeChat app connects to the server via HTTP, but all data transmitted in this way remains encrypted.

Data in SSL
In general, the apps in our investigation and their additional modules use the HTTPS protocol (HTTP Secure) to communicate with their servers. The security of HTTPS is based on the server having a certificate, the reliability of which can be verified. In other words, the protocol makes it possible to protect against man-in-the-middle attacks (MITM): the certificate must be checked to ensure it really does belong to the specified server.

We checked how good the dating apps are at withstanding this type of attack. This involved installing a ‘homemade’ certificate on the test device that allowed us to ‘spy on’ the encrypted traffic between the server and the application, and whether the latter verifies the validity of the certificate.
 

It’s worth noting that installing a third-party certificate on an Android device is very easy, and the user can be tricked into doing it. All you need to do is lure the victim to a site containing the certificate (if the attacker controls the network, this can be any resource) and convince them to click a download button. After that, the system itself will start installation of the certificate, requesting the PIN once (if it is installed) and suggesting a certificate name.

Everything’s a lot more complicated with iOS. First, you need to install a configuration profile, and the user needs to confirm this action several times and enter the password or PIN number of the device several times. Then you need to go into the settings and add the certificate from the installed profile to the list of trusted certificates.
 

It turned out that most of the apps in our investigation are to some extent vulnerable to an MITM attack. Only Badoo and Bumble, plus the Android version of Zoosk, use the right approach and check the server certificate.

It should be noted that though WeChat continued to work with a fake certificate, it encrypted all the transmitted data that we intercepted, which can be considered a success since the gathered information can’t be used.
 

Message from Happn in intercepted traffic

Remember that most of the programs in our study use authorization via Facebook. This means the user’s password is protected, though a token that allows temporary authorization in the app can be stolen.
 

Token in a Tinder app request

A token is a key used for authorization that is issued by the authentication service (in our example Facebook) at the request of the user. It is issued for a limited time, usually two to three weeks, after which the app must request access again. Using the token, the program gets all the necessary data for authentication and can authenticate the user on its servers by simply verifying the credibility of the token.
 

Example of authorization via Facebook

It’s interesting that Mamba sends a generated password to the email address after registration using the Facebook account. The same password is then used for authorization on the server. Thus, in the app, you can intercept a token or even a login and password pairing, meaning an attacker can log in to the app.

App files (Android)
We decided to check what sort of app data is stored on the device. Although the data is protected by the system, and other applications don’t have access to it, it can be obtained with superuser rights (root). Because there are no widespread malicious programs for iOS that can get superuser rights, we believe that for Apple device owners this threat is not relevant. So only Android applications were considered in this part of the study.

Superuser rights are not that rare when it comes to Android devices. According to KSN, in the second quarter of 2017 they were installed on smartphones by more than 5% of users. In addition, some Trojans can gain root access themselves, taking advantage of vulnerabilities in the operating system. Studies on the availability of personal information in mobile apps were carried out a couple of years ago and, as we can see, little has changed since then.

Analysis showed that most dating applications are not ready for such attacks; by taking advantage of superuser rights, we managed to get authorization tokens (mainly from Facebook) from almost all the apps. Authorization via Facebook, when the user doesn’t need to come up with new logins and passwords, is a good strategy that increases the security of the account, but only if the Facebook account is protected with a strong password. However, the application token itself is often not stored securely enough.
 

Tinder app file with a token

Using the generated Facebook token, you can get temporary authorization in the dating application, gaining full access to the account. In the case of Mamba, we even managed to get a password and login – they can be easily decrypted using a key stored in the app itself.
 

Mamba app file with encrypted password

Most of the apps in our study (Tinder, Bumble, OK Cupid, Badoo, Happn and Paktor) store the message history in the same folder as the token. As a result, once the attacker has obtained superuser rights, they will have access to correspondence.
Paktor app database with messages

In addition, almost all the apps store photos of other users in the smartphone’s memory. This is because apps use standard methods to open web pages: the system caches photos that can be opened. With access to the cache folder, you can find out which profiles the user has viewed.

Conclusion
Having gathered together all the vulnerabilities found in the studied dating apps, we get the following table:

App Location Stalking HTTP (Android) HTTP (iOS) HTTPS Messages Token
Tinder + 60% Low Low + + +
Bumble – 50% Low NO – + +
OK Cupid – 0% NO NO + + +
Badoo – 0% Medium NO – + +
Mamba + 0% High High + – +
Zoosk + 0% High High –
(+ iOS) – +
Happn + 100% NO NO + + +
WeChat + 0% NO NO – – –
Paktor + 100% emails Medium NO + + +
Location — determining user location (“+” – possible, “-” not possible)

Stalking — finding the full name of the user, as well as their accounts in other social networks, the percentage of detected users (percentage indicates the number of successful identifications)

HTTP — the ability to intercept any data from the application sent in an unencrypted form (“NO” – could not find the data, “Low” – non-dangerous data, “Medium” – data that can be dangerous, “High” – intercepted data that can be used to get account management).

HTTPS — interception of data transmitted inside the encrypted connection (“+” – possible, “-” not possible).

Messages — access to user messages by using root rights (“+” – possible, “-” not possible).

TOKEN — possibility to steal authentication token by using root rights (“+” – possible, “-” not possible).

As you can see from the table, some apps practically do not protect users’ personal information. However, overall, things could be worse, even with the proviso that in practice we didn’t study too closely the possibility of locating specific users of the services. Of course, we are not going to discourage people from using dating apps, but we would like to give some recommendations on how to use them more safely. First, our universal advice is to avoid public Wi-Fi access points, especially those that are not protected by a password, use a VPN, and install a security solution on your smartphone that can detect malware. These are all very relevant for the situation in question and help prevent the theft of personal information. Secondly, do not specify your place of work, or any other information that could identify you. Safe dating!