Latest news with #appsecurity


Washington Post
07-08-2025
Companies keep building dangerous apps. Users keep paying the price.
A recent cyberattack exposed the sensitive personal data of thousands of women who used the Tea Dating Advice app to discuss and review men they date. A few days later, a California jury found that Meta wrongfully collected data from women using the period-tracking app Flo.

The steady drum of high-profile app hacks and leaks has become background noise for many consumers — in 2024 alone, 1.7 billion people had their personal data compromised, according to data from the Identity Theft Resource Center. Among the recent targets are genetic data company 23andMe, Microsoft's workplace software and Tea, which explicitly billed itself as a safety app for women.

Sometimes, the companies that fail to safeguard user data find themselves facing legal challenges from users or the government, as was the case with Flo. More often though, it's business as usual. Tea and Flo are both still operating and available in major app stores. Some Tea users, meanwhile, are left scrambling to remove their faces from online forums.

It's a good reminder of how often we turn over sensitive information to our apps and what little recourse we have when things go wrong.

Online safety advocates have been warning for years that our apps — from big-name mainstays to relative newcomers like Tea — collect too much data and store it unsafely. But despite a stream of unnerving hacks, not much has changed, they say. The United States still doesn't have a comprehensive data privacy law. Tech companies, increasingly aided by AI programs that write code, rush products to market without proper safety measures. And consumers are left to fend for themselves, according to tech and security experts.

'It's not uncommon among software developers — especially small, scrappy start-up kind of stuff — to not even know how to store this information securely,' said Chester Wisniewski, a global director at cybersecurity company Sophos.

You couldn't blame app users for wondering: When cybersecurity disaster strikes, who should be held responsible?

Tea shot to the top of the Apple App Store in July as videos trended on social media discussing the app's controversial components, including letting women rate and review the men they date along with 'red flags,' 'green flags' and photos. Soon after, people on Reddit and 4chan called for the app to be targeted, and hackers found and shared the selfies, government IDs and direct messages of thousands of Tea users.

Since the hack, Tea has continued to post lighthearted content promoting itself on its Instagram page. Last week, it posted a statement in response to the hack, saying it was taking its direct message system down out of an 'abundance of caution.'

But the app's setup reflects a lack of safety precautions and security testing, putting users at risk from day one, says Dave Meister, a global head at cybersecurity research firm Check Point Software. Like many app start-ups, Tea appears to have released a product that looks good on the front end but lacks appropriate security infrastructure on the back end, he said. In this case, an exposed database let bad actors easily access troves of sensitive information, according to Meister.

'The fact that [the hackers] got in and just got free rein in the style which they did makes it very clear that the security there wasn't adequate and probably hadn't been considered as a part of the development of the application,' he said.

Tea's founder and CEO, Sean Cook, has said that he got the idea for the app after watching his mother struggle with catfishing online. Cook previously worked as a product manager at Salesforce, Shutterfly and other tech companies, according to his LinkedIn. Cook, through the company's PR firm, declined to be interviewed for this story or comment on the breach.

Tea spokesperson Taylor Osumi said Wednesday in an emailed statement that the company 'remains fully engaged in strengthening the Tea App's security, and we look forward to sharing more about those enhancements soon.' Tea will provide 'free identity protection services' to affected individuals, according to the statement.

Apple, meanwhile, is still hosting the Tea app as well as the similar TeaOnHer app in its online store. Its guidelines require that apps 'implement appropriate security measures to ensure proper handling of user information' and 'prevent its unauthorized use, disclosure, or access by third parties.' When Apple finds that an app is out of compliance, it contacts the developer to explain the violation and gives them time to resolve it, Apple spokesperson Peter Ajemian said. He declined to comment on the Tea app specifically.

With companies and app stores often passing the buck, it might fall to regulators to keep consumers safe, security experts say. Last week's Flo app ruling against Meta comes after the Federal Trade Commission accused Flo in 2021 of misleading users over how it treats their health data. A group of users also sued Flo over its privacy practices. Flo settled both lawsuits without admitting wrongdoing.

But while regulators catch up, tech industry changes are putting consumers at increased risk of shoddy apps, Wisniewski said. For example, 'vibe coding,' in which people use AI tools to write software programs, lets inexperienced developers spin up new apps with just a few typed commands. 'Everybody's talking about vibe-coding,' he said. 'You think these apps are bad now? Wait until AI starts writing them, they're going to be a hundred times worse.'

Unsafe apps pose an outsize risk to women and other vulnerable groups, said Michael Pattullo, senior threat intelligence manager at Moonshot, a company that monitors online dangers. Moonshot has recorded an average of 3,484 violent threats against women per month in high-risk online spaces such as 4chan since it started monitoring in 2022. Data breaches fuel this ecosystem and put users at risk of physical harm when their names or addresses are leaked, Pattullo said.

Social media platforms don't do enough to stop the spread of leaked information, he noted. Mainstream social media sites took down 28 percent of the violative posts Moonshot flagged in 2024, the company says. So far this year, that rate has decreased to six percent.

Without tech companies, social platforms and app stores keeping users safe, the burden falls on regular people to withhold their data or try to guess which apps are trustworthy, Pattullo said. 'A user isn't joining any of these platforms expecting to have their privacy and physical security at risk, just by being in an online space, especially one that presents itself as secure,' he said. 'The one who has to take accountability and responsibility for this isn't the user, right?'


CNET
04-08-2025
Here's How You Can Lock and Hide Apps on Your iPhone in a Few Easy Steps
Sometimes my nephew will want to watch a monster truck video on YouTube so I'll pull up a video and hand him my iPhone. But if I take my eyes off him for a moment he finds a way to shoot a video on my camera or post something on social media.

When Apple released iOS 18 in September, the tech giant introduced a feature to lock certain apps on your iPhone. That way you can keep kids and others out of your apps. You can also hide certain apps in their own hidden folder so others are not tempted to open them and invade your privacy. So now I can hand my nephew my iPhone and not worry that he might get into something he shouldn't be in.

Here's how to lock and hide your iPhone apps for an extra layer of security. You can also check out all the features iOS 26 will likely bring to your iPhone this fall.

How to lock your iPhone apps

1. Long press an app.
2. Tap Require Face ID.
3. Tap Require Face ID again.

[Image caption: Locking iPhone apps can help stop your kids from buying random games or apps. Credit: Apple/CNET]

Now every time you try to access this app, it will need your Face ID or passcode to open.

You can't lock every app on your iPhone. Some apps, like Camera, Find My and Settings can't be locked. But you can lock most apps, such as App Store, Messages and third-party apps.

How to hide your iPhone apps

Hiding apps on your iPhone also locks them. It follows the same process as locking apps. Keep in mind this option isn't available for all apps. In my experience with iOS 18, you can only hide third-party apps, such as Instagram and Twitter. Here's how you can hide these apps on your iPhone.

1. Long press an app.
2. Tap Require Face ID.
3. Tap Hide and Require Face ID.

Your iPhone will then ask for your Face ID or passcode, then it will ask if you're sure you want to hide the app. A new menu will appear on your phone that says hiding an app will remove its icon and name from your home screen and place it in a Hidden folder in your App Library. The menu will also say you won't receive any notifications from the app.

[Image caption: The Hidden folder appears to show apps in it whether you hide nine apps or no apps. Credit: Apple/CNET]

Tap Hide App at the bottom of the menu and your iPhone will hide the app.

To see your hidden apps, swipe right until you're in your App Library. Scroll to the bottom of the page where you'll see a folder labeled Hidden with a symbol that looks like an eye with a line across it. Tap this folder and enter your Face ID or passcode. The folder will then display your hidden apps.

How to unhide and remove locks

If you want to unhide or remove a lock from an app, long press on the app, tap Don't Require Face ID and enter your Face ID or passcode. Your locked apps will now be unlocked and your hidden apps will be removed from the Hidden folder.

Unhiding apps doesn't automatically put them back on your home screen. To add an app back to your home screen, go to your App Library, long press on the app and tap Add to Home Screen.

For more on iOS 18, here's what you need to know about iOS 18.6 and iOS 18.5, as well as our iOS 18 cheat sheet. You can also check out what you should know about iOS 26 and my first impressions of the iOS update.


Gizmodo
25-07-2025
Dating App That Lets Women 'Rate' Men Hits Number 1 on the App Store, Immediately Suffers Data Breach
Tea, an app that lets women 'rate' and 'review' the men in their lives, has been on a hot streak lately, having shot to the top of the App Store and enjoyed several recent write-ups in major media outlets. Unfortunately, the app has now disclosed a data breach involving self-submitted user images. One report cites claims that some of the data has been shared on 4chan, the incel-ridden internet backwater best known for helping to spawn the QAnon conspiracy theory.

404 Media first reported on the data breach, writing that users from 4chan 'claim to have discovered an exposed [Tea] database hosted on Google's mobile app development platform, Firebase.' The notorious site's resident trolls bragged that they were parsing personal data and selfies from the app's internal databases.

404 attempted to verify the claims made on the site. 'While reporting this story, a URL the 4chan user posted included a voluminous list of specific attachments associated with the Tea app,' the outlet wrote. While the files were initially viewable, the page now gives an error and 404 says that it 'verified that Tea does contain the same storage bucket URL that 4chan claims was related to the exposure.' Gizmodo has not been able to independently verify this reporting.

On Friday, Tea confirmed to Gizmodo that a data breach had occurred. 'We can confirm that at 6:44 AM PST on Friday, July 25th, Tea identified unauthorized access to one of our systems and immediately launched a full investigation to assess the scope and impact,' a PR representative shared. The breach partially involved selfies submitted to the app for verification purposes, they said:

'Preliminary findings indicate that the incident involved a legacy data storage system containing information from over two years ago. Approximately 72,000 images – including approximately 13,000 images of selfies and photo identification submitted during account verification and 59,000 images publicly viewable in the app from posts, comments and direct messages – were accessed without authorization.'

The spokesperson told Gizmodo that the company has seen no evidence 'that current or additional user data was affected.' Ironically, Tea has also said that the information in question was 'originally stored in compliance with law enforcement requirements related to cyberbullying prevention.' Gizmodo further inquired about 4chan's supposed role in the incident; we'll update this post when we receive a reply.

Tea dubs itself a 'women's safety app' and allows its users to anonymously post pictures and the real names of the men they've dated, with appended criticisms and concerns. While the goal of giving women a way to vet their dates is ostensibly an honorable one, the Washington Post points out that Tea 'doesn't limit its feedback to safety concerns,' and that criticism is also frequently aimed at men's appearance or the way a specific relationship came to an end. Arguably, that would make it the perfect target for the internet's most disgruntled and misogynistic hordes.

More to the point, any time you share personal information with an app, you're just asking for that information to be shared with the rest of the world. The internet—in particular the app industry—is a deeply insecure place, governed as it is by male egos and burned-out coders.