With Valentine’s Day upon us the last thing many people will think about is malware.  However if you look at how many people nowadays get together in the first place to actually celebrate this day, you may be able to see how the holiday could be a trigger for some cyber hijinks and not the good kind.  We’re talking about online dating and the apps that go with it.  Looking at 2013, more than half of first dates in today’s dating scene are set up through online services, making it a high-tech playground where apps play an increasingly big part.  In addition to selectively and voluntarily disclosing personal information about themselves to people they haven’t met yet, the apps that are part of this dating scene may be giving up more information than many people realize.  That’s where today’s report from HP Research takes up the analysis of these apps.

Using HP’s Fortify on Demand product, their Security-as-a-Service application security testing solution, the company scanned twelve of the most popular dating mobile apps today, including:

• eHarmony
• OkCupid
• Zoosk
• Gridnr
• eVow
• Bad Date Rescue
• Badoo
• Compatible Partners
• HowAboutWe
• Let’s Date
• OkCupid Dating
• Passion Match
• POF

One of the things they found was that 100 percent of the dating apps had at least two privacy alerts out of the eleven Fortify on Demand scans.  Over 70 percent of the apps surveyed wanted access to the user’s geo-location.  Also, over 90 percent of the apps surveyed sent sensitive information out from the phone unencrypted, including purchasing information.  Now that last one is not a shocker but it is quite alarming.  The risk that comes from gathering user GPS location is that this information could be leaked to a third party that isn’t authorized by the phone owner should the information be sent unencrypted.

A few more facts from the HP report:

• Only 17 percent of apps passed data storage encryption standards; an attacker who steals the phone could gather personal information without entering a PIN.
• 75 percent of the apps were tracking via geo-location; user’s location can be leaked should the app send it unencrypted to a third party not authorized by the phone’s owner.
• Over 90 percent of apps surveyed sent sensitive information out from the phone unencrypted, including purchasing information.
• 100 percent of the applications analyzed contains calls to cryptographic methods that are deprecated or have known security weaknesses.

Overall, some rather alarming insecurity to be found on these dating apps.  Now, HP Research is unable to lay out every single detail in the report as that would mean open season for those apps on the list.  Believe it, hackers know about plenty of these weaknesses, there is no need to encourage casual attacks that could come from highlighting the vulnerabilities publicly.  Still, the thing to know is that despite the best of intentions of finding that someone special, dating apps may be putting users information at risk of simple attacks and that puts a whole new twist on the classic phrase “be mine”.

photo credit: mohammadali via photopin cc