
A study of 100 dating apps revealed a disturbing picture: nearly 2,000 vulnerabilities were detected, 17% of which were classified as critical. The analysis was conducted by AppSec Solutions.
The study’s results were published by Vedomosti. As Nikita Pinaev, head of security analysis at AppSec Solutions, explained to the magazine, another 23% of the identified vulnerabilities were classified as medium severity, while 14% were classified as low severity.
The remaining issues fall into the Info category or represent organizational, network, logical, and other errors. According to Nikita Pinaev, the most common critical issue was storing sensitive data directly in the source code: this error was identified in 22 applications. In another 46 cases, credentials, including logins, passwords, and tokens, were transmitted in clear text.
In 12 applications, the vulnerabilities were related to authentication and session management errors, and in 40 cases, to improper configuration or operation of cloud services. Andrey Sobolevsky, mobile developer at EvApps, noted in a comment to Vedomosti that, on average, a single mobile app contains 20 to 30 vulnerabilities.
These are often related to insecure data storage, weak user identification and authentication mechanisms, and SQL injections. According to Anton Prokofiev, head of operations support for Solar Group’s Solar appScreener platform, mobile app vulnerabilities are common and largely industry-independent.
The main causes, researchers report, are a lack of testing during development and the use of untested open source components. Nikolai Anisenya, head of PT Maze development at Positive Technologies, added that using tools to prevent reverse engineering would reduce the number of detected vulnerabilities by about 40%, and even by half in some application categories.
Anton Prokofiev also listed the five most common categories of vulnerabilities in mass-market apps, a group that, in addition to dating, includes food delivery, online shopping, and pharmaceutical services:
These vulnerabilities are present in three out of four applications and open the way to man-in-the-middle (MITM) attacks, in which an attacker infiltrates the communication channel.
This, in turn, can lead to user data leaks. Dmitry Ovchinnikov, Information Security Architect at UserGate uFactor, noted that one of the main dangers of such attacks is their invisibility to users.
Furthermore, attackers can not only steal data but also access hidden features of the app and use this information in other attacks, including targeted ones. Vladimir Ivanov, Information Security Engineer at Spicatel, also warned that stalkers, for example, could exploit the features of dating apps to spy on users.
According to AppSec Solutions, 70% of mobile apps contain vulnerabilities. Attackers actively exploit them to monetize access through phishing, large-scale mass attacks, extorting money for non-existent services, and abusing other users’ accounts and paid subscriptions.
