Dating apps are more popular than ever, especially in the run up to Valentine’s Day. According to Pew Research, 38% of U.S. singles may have a dating website or app to thank for their Valentine’s date this weekend. But are these apps secure, guaranteed against hackers interested in accessing so much highly sensitive data?
Sadly, the answer is no.
Last month, my security team conducted an in-depth review of five top dating apps. Our findings were disturbing: Of the five apps we analyzed, all were vulnerable to hacking, containing exploits that would enable breaches similar to the infamous attack on Snapchat in 2014 or just last December, the leaking of users’ data from an HIV-positive dating app. The dating apps we reviewed are extremely well known. In fact, the two very most popular we analyzed have been downloaded between 10 million and 100 million times from Google Play alone.
Because these vulnerabilities exist in so many widely used apps, we strongly recommend that dating app users at large take some simple precautions. Developers of dating apps — and for that matter, app developers and publishers in general — should understand how we identified these vulnerabilities so quickly, how hackers may exploit them, and what they should do now to increase security.
We randomly selected and downloaded five apps currently among the top 10 of Google Play’s dating apps.
We used commonly available tools to decompile the apps’ code, extract their files from the binary, and analyze their source code text.
Of all the dating apps we analyzed, 100% were decompilable — a process that enables hackers to reverse engineer and compromise an app.
None of the dating apps we analyzed had protections to prevent or delay unauthorized decompiling.
Of all the dating apps we analyzed, one was not using secure communications, making it easy for hackers to intercept data being exchanged between the app and the server.
None of the source code was obfuscated, meaning it was in easy-to-read, plain text. In some cases, this text contained hard-coded key values, website addresses, and other critical information that could allow hackers access to sensitive data. (See below.)
It took my team just a few minutes to decompile each app and less than an hour to identify potential exploits within them. Again, we did this not through any unique techniques on our part, but through readily available utilities anyone with a general fluency with code can replicate. (There are even step-by-step tutorials for doing so on YouTube.)
Exploitable code and hacking scenarios
To explain how hackers can easily find and exploit code within decompiled dating apps, here are some code snippets drawn directly from two apps in our study. (Identifying details have been obscured.) This sample is drawn from the most widely used app in our analysis:
This is a screenshot from the app’s folder, and it contains part of the login credentials for the app to communicate with Taplytics, a popular third-party service provider. Accessing this would allow a hacker to discover an app’s real user numbers and, more concerning, enable a potential backdoor into the app’s servers.
Here’s another serious vulnerability we discovered in a dating app currently rising in popularity:
As you can see, this app had both the Parse App ID and the client key hard-coded into the app’s source code. With these two variables, a hacker could log into Parse and gain direct access to the app’s server. With Facebook’s recently announced plans to shutter Parse, this particular vulnerability is somewhat less dire. However, a recent McAfee study identified numerous vulnerabilities with other backend services, including those from Amazon and Google. In any case, this also illustrates the reality that developers often inadvertently put in login details without thinking about the consequences. This is roughly akin to writing down the combination to your safe on a post-it, then attaching it to the safe door.
These vulnerabilities expose users to numerous potential threats, including ”Man in the middle” attacks that can intercept user-to-user messages and files (such as photos), theft of sensitive user data like user location and direct contact info, and the creation of repackaged, dummy versions of the official app surreptitiously published online to fool users into giving away everything. Hackers have already done this and more with Snapchat and a popular Chinese clone of Tinder. As more of us use dating apps, many more hacks are sure to follow.
Recommendations for app developers
We would like to say that the vulnerabilities we found in our research were exceptions, but unfortunately, the truth is that they’re the norm. As we discovered in our previous study of the top 100 Google apps, 85% of the 200 most popular free apps are also vulnerable. In the rush to market and the constant pressure to meet investor milestones, security is often a startup’s lowest priority. But as we’ve seen in far too many cases, the cost of an exploited app can be devastating.
There are several measures most companies can feasibly take to give their apps a basic level of protection. Developers should make security considerations an integral part of their regular code review process and apply post-compile security measures to their apps before publishing them. Further, we strongly recommend obfuscating an app’s binary and also obfuscating its underlying source code — steps that would impede the techniques demonstrated in our analysis.
Finally, developers: Don’t hard-code key values into your app’s source code. Doing this makes for a quick and easy development cycle, but the trade-offs are not worth it. Instead, encrypt your keys with the knowledge that you are not only protecting your app and your investment in it but some of the most private and sensitive information your users will ever share on their phones.
Min Pyo Hong is CEO and founder of SEWORKS, a Qualcomm-backed security solutions developer based in San Francisco. He has advised corporations, NGOs, and governments on digital security issues for over 20 years, and led a team of five-time finalists at DEFCON.