As such, the researchers were able to get authorization tokens for social media from almost all of the apps in question. The credentials were encrypted, but the decryption key was easily extractable from the app itself.

That’s no reason not to use such services — you simply need to understand the issues and, where possible, minimize the risks.

This concerns only Android-based devices; malware able to gain root access in iOS is a rarity. The result of the analysis is less than encouraging: eight of the nine applications for Android are ready to provide too much information to cybercriminals with superuser access rights. Such data is not only viewable, but also modifiable. For example, it’s possible for a third party to change “How’s it going?

Mamba is not the only app that lets you manage someone else’s account on the back of an insecure connection. However, our researchers were able to intercept Zoosk data only when uploading new photos or videos — and following our notification, the developers promptly fixed the problem.

As our researchers found out, one of the most insecure apps in this respect is Mamba. The analytics module used in the Android version does not encrypt data about the device (model, serial number, etc.), and the iOS version connects to the server over HTTP and transfers all data unencrypted (and thus unprotected), messages included.

It turned out that most apps (five out of nine) are vulnerable to MITM attacks because they do not verify the authenticity of certificates. And almost all of the apps authorize through Facebook, so the lack of certificate verification can lead to the theft of the temporary authorization key in the form of a token.

Almost all online dating app servers use the HTTPS protocol, which means that, by checking certificate authenticity, one can shield against MITM attacks, in which the victim’s traffic passes through a rogue server on its way to the bona fide one. The researchers installed a fake certificate to find out if the apps would check its authenticity; if they didn’t, they were in effect facilitating spying on other people’s traffic.
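The two network weaknesses described above (cleartext HTTP to the server, and HTTPS without any check of the certificate's authenticity) are exactly what Android's Network Security Configuration is designed to rule out on the app side. The file below is an added example written for this article; it is not configuration taken from any of the apps tested. The hostname and the two pin digests are placeholders that a developer would replace with their own API host and the SHA-256 hashes of its public keys.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" (API 24+) -->
<network-security-config>
    <!-- Rule 1: forbid cleartext HTTP for every host. A request to http://...
         now fails instead of sending messages and device data unencrypted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store. A CA added by the user (the usual way
                 an interception proxy's fake certificate is installed) is not trusted. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Rule 2: pin the API host's public keys, so that even a certificate
         signed by a trusted CA is rejected unless it matches one of the pins.
         Hostname and digests are placeholders, not real values. -->
    <domain-config>
        <domain includeSubdomains="true">api.example-dating-app.invalid</domain>
        <pin-set expiration="2026-12-31">
            <!-- Primary pin: base64 SHA-256 of the SubjectPublicKeyInfo (placeholder) -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin for key rotation (placeholder) -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Rule 3: only debuggable builds trust user-installed CAs, so the
         developer's own traffic inspection works without weakening the
         release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Two caveats a reviewer would check: the `expiration` date disables pinning (but not ordinary certificate validation) once it passes, so it must be rotated before the pinned keys are, and a backup pin is required so a key change does not lock users out. Also, this configuration only addresses the network path; it does nothing against the root-level access discussed above, where an attacker reads the token straight out of the app's storage.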