The folk over at RIIS, an IT services firm in Troy, Mich., have put out an annual report over the past few years exploring Android security. That report has opted to look at the largest romance sites as they publish in mid-February, near Valentine's Day.
Looking at the report over the years — I last commented on it two years ago — allows us to see how the industry is progressing. The good news is that almost everyone examined passed this year. The bad news is that one didn't, and that one is Match.com, a vendor that had been found to have security holes in prior reports.
The new RIIS report found that, unlike in prior years, Match.com has indeed been storing customer passwords encrypted. But it failed to obscure the files, which allowed RIIS to simply reverse-engineer to see all login information. Didn't the Ashley Madison attacks teach anyone anything?
The RIIS group said it analyzed the apps using OWASP criteria, specifically evaluating whether apps had weak server-side controls, insecure data storage, insufficient transport layer protection, unintended data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling or lack of binary protections. Also evaluated were Tinder, Coffee Meets Bagel, OKCupid, Plenty of Fish and eHarmony.
"For the third year in a row, Match.com fell short when it came to securing their application. Username and password, while encrypted, could be pulled from the device. No obfuscation meant we could decrypt the password and recover the user login credentials," the report said. "On the positive side, it was great to see that every other tested application used some form of code obfuscation to hide information from anyone reverse engineering the code."
The report focused on the inadequacy of relying solely on encryption to protect customer credentials.
"eHarmony and Match.com both save encrypted login information on the phone. Both of these apps use encryption but do not use obfuscation. If you store the user data on the phone, then no matter how hard you try to protect it, all the [thief] has to do is backup the app data and then restore it on a different phone. This is the trade off in mobile development: if you want to protect your user's data, you have to make them login when they use the application," the report said. "Match.com scored the worst, as [it] has insecure data storage and insufficient transport layer protection. The username and password is encrypted in the shared preferences file but can be easily recovered by analyzing the app's decompiled source code."
Given the — ahem — sensitive nature of much of the data on these apps, the report noted, not forcing a password for every interaction could harm customers. "If a spouse finds these apps on your phone, he or she does not need to hack anything as they can simply open the apps," the report said.
In an interview this week, RIIS President Godfrey Nolan said the oversight is a bad security sign for Match.com. "This is the third year in a row that Match.com still has a problem, so they obviously don't have a focus on security," he said. Asked why a vendor would take such security shortcuts, Nolan said that vendors "want to make it as easy as possible to use their app on an Android phone. It's a trade-off."
And it's apparently a trade-off that Match.com has reconsidered. I reached out and spoke with Match.com, and a spokesperson said the company would get back to me. It has yet to respond.
But Nolan did, reaching out again on Thursday night (Feb. 18), mere hours before this column was slated to publish. Upon retesting, he said, RIIS found that Match.com had updated its app and specifically fixed the obfuscation issue.
"They changed their app. Now that it's all obfuscated, it's hard to tell what they actually fixed," Nolan said. "It looks like they changed the file structure, the directory structure. They did some significant changes."
With the changes, he said, "I can't see how they're decrypting. It's a much safer app now. They've done what they're supposed to do."
On the one hand, it's great that this story has a happy ending. But there are plenty of Android mobile apps out there that don't have security companies and media outlets breathing down their virtual necks. Relying solely on encryption is just a bad idea. After all, what looks from a distance like Cupid shooting an arrow could actually be a cyberthief planting malware.