The hugely popular dating app Tinder has been warned of weaknesses in its Android and iOS apps that let attackers take the software apart and rebuild it so that they need not pay for premium content. Despite the disclosure from San Francisco start-up Bluebox Security, which built such an app in its own labs, Tinder did not treat the warning as serious. “Bluebox’s findings have little or no impact on Tinder and its revenue because hardly anyone has the capacity to do so,” spokeswoman Rosette Pambakian said.
On some level, Tinder is right: the average Tinder user is unlikely to be able to reverse engineer an app and then recompile it. Such skills are the domain of serious programmers and security researchers. Bluebox’s researchers first had to intercept traffic between the app and Tinder’s servers to identify the messages confirming that a logged-in user was paying for premium features, such as unlimited “swipes”, which let the user browse as many potential matches as they wish, or the ability to undo a swipe. Tinder charges between $9.99 and $19.99 per month for these Plus services.
Because some Plus features were enforced within the app rather than on the server side, tampering was relatively easy for an attacker, Bluebox said. The attacker only had to alter a few values in the decompiled code before recompiling it, so that the features appeared to have been paid for when they had not.
Andrew Blaich, chief security analyst at Bluebox, told FORBES his team built a modified app to prove the point. He said an attacker could create an app with the paid features enabled by default and sell it in third-party stores. It wouldn’t be worth risking it in Google Play or the App Store, because
Tinder is also guilty of poor design, according to Ken Munro of Pen Test Partners, a UK-based security consultancy, because most app developers now enforce paid features on the server side, not in the app as Tinder did.
“All permissions and access control should be managed on the server side, never on the client side,” Munro said. “Almost any code you provide to a client web browser or mobile device can be manipulated … validation of anything sent to the server by the mobile app has to be done on the server side. You don’t know what the user has done to the expected input, so it needs to be validated.”
Bluebox didn’t stop at Tinder. Its researchers found similar issues in Hulu, where they could rebuild the app to make the ads disappear, a feature of the ad-free tier that normally costs $11.99 a month instead of the usual $7.99. For every video fetched from Hulu’s servers, the app received a list of ad breaks; that list could be altered so that the number of ads reported to the video player was zero, and no ads were shown.
Hulu did not respond to a request for comment, although Bluebox said the streaming provider had notified it that fixes were on the way.
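The trust failure behind both the Tinder and the Hulu findings, as an added example that is not code from Bluebox, Tinder or Hulu: a toy Python model in which the vulnerable server lets the app decide whether a swipe is allowed and how many ad breaks to play (so a patched app just hard-codes the Plus flag and drops the ad list), while the hardened server takes entitlement from its own account records, keeps the swipe counter itself, and serves stream chunks strictly in the order it stitched them, so a player that skips the ad chunk never receives the content chunk after it. Account names, the swipe cap, chunk names and ad positions are all constructed for the demo.

```python
"""
Toy model of client-side versus server-side feature gating. Added example,
not Bluebox's, Tinder's or Hulu's code; every account, cap, chunk name and
ad position below is constructed for illustration.
"""

# Constructed server-side records. The billing system writes these; the client never does.
ACCOUNTS = {
    "free_user": {"plus": False, "ad_free": False},
    "paid_user": {"plus": True, "ad_free": True},
}
FREE_DAILY_SWIPES = 3                        # assumed free-tier cap, tiny for the demo
CONTENT = ["c1", "c2", "c3", "c4"]           # constructed video chunks
AD_BEFORE = {"c2": "ad1", "c4": "ad2"}       # constructed: an ad break before c2 and before c4


def stitched_order(user):
    """Chunk order the server expects: ads spliced in unless the account is ad-free."""
    order = []
    for seg in CONTENT:
        if seg in AD_BEFORE and not ACCOUNTS[user]["ad_free"]:
            order.append(AD_BEFORE[seg])
        order.append(seg)
    return order


class VulnerableServer:
    """Mirrors the design Bluebox criticised: the app decides whether a swipe is
    allowed and how many ad breaks to play; the server just serves."""
    def swipe(self, user, client_claims):
        return "match candidate"          # no server-side check at all

    def manifest(self, user):
        return stitched_order(user)       # the ad list is handed to the client as advice

    def next_segment(self, user, seg):
        return seg                        # serves whatever is asked, in any order


class HardenedServer:
    """Ignores client claims, keeps the swipe counter and the playback position
    itself, and refuses a content chunk whose preceding ad was never fetched."""
    def __init__(self):
        self.swipes_today = {u: 0 for u in ACCOUNTS}
        self.position = {}                # user -> index of the next chunk owed

    def swipe(self, user, client_claims):
        acct = ACCOUNTS[user]             # authoritative; client_claims is ignored
        if not acct["plus"] and self.swipes_today[user] >= FREE_DAILY_SWIPES:
            return "limit reached"
        self.swipes_today[user] += 1
        return "match candidate"

    def manifest(self, user):
        return stitched_order(user)

    def next_segment(self, user, seg):
        order = stitched_order(user)
        pos = self.position.get(user, 0)
        if pos >= len(order) or seg != order[pos]:
            return None                   # out of order: an ad chunk was skipped
        self.position[user] = pos + 1
        return seg


class PatchedClient:
    """Stands in for the recompiled app. The Plus flag and the swipe counter live
    here, so flipping them is a matter of editing values before rebuilding; the
    ad schedule is likewise just data the player can discard."""
    def __init__(self, user):
        self.user = user
        self.is_plus = True               # patched: hard-coded instead of fetched at login
        self.swipes = 0

    def swipe(self, server):
        if not self.is_plus and self.swipes >= FREE_DAILY_SWIPES:
            return "limit reached"        # the only check the unpatched app ran
        self.swipes += 1
        return server.swipe(self.user, {"plus": self.is_plus})

    def play(self, server):
        # Patched: report zero ad breaks to the player by dropping them from the manifest.
        wanted = [s for s in server.manifest(self.user) if not s.startswith("ad")]
        return self._fetch(server, wanted)

    def _fetch(self, server, chunks):
        served = []
        for seg in chunks:
            got = server.next_segment(self.user, seg)
            if got is None:
                break
            served.append(got)
        return served


class HonestClient(PatchedClient):
    """Unmodified app: trusts the Plus flag it was told and plays the manifest as given."""
    def __init__(self, user):
        super().__init__(user)
        self.is_plus = ACCOUNTS[user]["plus"]

    def play(self, server):
        return self._fetch(server, server.manifest(self.user))


def swipe_results(server, client, attempts):
    """Returns how many of `attempts` swipes went through."""
    return sum(client.swipe(server) == "match candidate" for _ in range(attempts))


if __name__ == "__main__":
    for name, server_cls in (("vulnerable", VulnerableServer), ("hardened", HardenedServer)):
        server, cheat = server_cls(), PatchedClient("free_user")
        print(name, "server, patched free user: swipes", swipe_results(server, cheat, 5),
              "chunks", cheat.play(server))
```

Against the vulnerable server the patched free account gets all five swipes and every content chunk with no ads; against the hardened server it gets three swipes and only the first chunk, while an honest free client that fetches the ad chunks in order receives the full stream. The point is Munro's: nothing the client asserts about itself is used in the decision, and the server holds the state it needs to decide.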
The team also examined Kylie Jenner’s official app. The results are in the Bluebox white paper, released this morning and shown to FORBES ahead of publication.