As Valentine’s Day approaches, NowSecure thought it would be interesting to dig into the security and privacy of dating apps. Like many mobile app categories, dating apps have security and privacy risks — some worse than others.
Dating apps pose particular concern due to the massive amount of personal information stored and exchanged by users. In fact, Ars Technica just last week reported that a dating app with millions of users left private images and data exposed on the web.
One leading dating app, Tinder, boasts more than 57 million users across 190 countries and was expected to have generated over $800 million in revenue in 2018, according to TechCrunch. Last year, Tinder suffered from a handful of security and privacy issues cited by Consumer Reports and Wired.
NowSecure recently analyzed the cybersecurity risk level of 50 publicly available dating mobile apps available in the Apple® App Store® and Google Play™. The popular mobile apps tested include the following:
Overall, we found that nine (18%) of the Android and iOS apps have medium and high-risk vulnerabilities such as leaking sensitive and personal data, unencrypted data transmission, and use of known vulnerable third-party libraries. Only 55% of the mobile apps evaluated in our benchmark carry very low or no risk.
Those results are concerning given the prevalence of mobile dating. With the overall mobile dating app market poised to reach $12 billion by 2020, there’s a lot at stake. Dating app developers should take steps to better secure their mobile apps and preserve customer trust in their brands.
Benchmark Methodology
Using the NowSecure automated mobile app security testing engine, we analyzed 26 iOS and 24 Android dating apps for security vulnerabilities, compliance gaps and privacy exposure. We determined a grade using industry-standard CVSS scores while mapping findings to the OWASP MASVS.
The NowSecure Score Risk Range is a scoring algorithm based on count and score values of all CVSS findings, the industry-standard method for rating IT vulnerabilities and determining the level of risk exposure. On an overall risk range of 0-100, apps scoring lower than 60 present a high degree of risk and strong consideration to not use; apps in the 60-80 range require caution; and those scoring 80 or above are deemed low risk.
Overall, the median score of all the mobile apps we analyzed was a cautionary 79 risk rating — 78% for Android and 83% for iOS. Of the 55% of retail apps that scored above 80 on the NowSecure Risk Range, 20% were Android and 35% were iOS. In addition, 92% fail one or more of the OWASP MASVS, a de facto security standard.
As shown in the bar graph below, the benchmark for mobile dating apps spans a low of 44 to a high of 99, revealing a wide variation in the cybersecurity posture of these apps.
The two charts below plot the overall NowSecure risk score based on CVSS findings (on scale of 0-100) vs a count of CVSS scored findings for the Android and iOS apps. The results show that five Android apps (first point below) and four iOS apps (iOS second plot further below) failed because of critical and high risks.
A review of the benchmark findings shows the most common issues we encountered were insufficient keysize, leaked data, improper use of cookies, and lack of proper secure certificate use. The worst failures were sensitive data leakage, certificate validation failures, and unencrypted data transmission over HTTP.
This benchmark underscores the challenges developers have in building and testing secure mobile apps for dating. Developers and security teams that must quickly deliver secure mobile apps should integrate automated mobile dynamic application security testing (DAST) into the dev pipeline and consider outsourced pen testing certification.
And for consumers seeking to strike up a new relationship, dating mobile app risks abound with no real way to know what apps are safest unless they list security certifications.
Mobile app security and development teams can get a free trial of the NowSecure automated test engine that provides instant access to NowSecure mobile app risk score and detailed findings with CVSS scores, issue descriptions, compliance mappings, privacy details and more.
