The Clubhouse data breach has once again brought mobile app security vulnerabilities into the spotlight. As Clubhouse quickly gained funding and popularity over the past several months, it has become the next hot social media app - but in that short time, it has also proven that it lacks data security and transparency with consumers. This breach reinforces that it's critical for people to understand where their data is being sent, how it is secured, and what resources the application is accessing on your mobile device. The backlash that Clubhouse will experience will erode consumer confidence and put other popular apps under a microscope, and it's up to the industry to come together to remedy its reputation and lead the way in security and transparency. We already see regulations entering the consumer IoT and federal IoT markets, security and privacy in the mobile space is the next logical target if things do not get better.

Clubhouse wants to bring communities together by enabling individuals to discuss common interests and learn more about new topics. The trouble is that the audio data is built on a Chinese-based platform, which means some of that data is sent back to China.

It’s alarming that platforms like this are built on leveraging coarse data transfer practices that users accept when they install these apps. Consumers trust their mobile devices and the apps on them to be inherently secure. This may lead them to open up their devices to unknown communications with data collection and traffic management systems. 

There were similar issues with TikTok communicating with Chinese IPs in 2020. The parent company, ByteDance, said it didn’t share any user data with the Chinese government. In the case of both TikTok and Clubhouse, we all know that if the Chinese government really wants something, they’ll get it.

In this case, the developers have disabled App Transport Security by default for this app, which means unsecured traffic and weak encryption standards may be used. The network diagram of the analysis of the app clearly shows hardcoded communication with Chinese servers. This falls far outside of data best practices when user data is then being sent to biometric, voice, and data analytics companies based in China. IT and security teams need a way to understand the data handling and transfer practices of any app on an employee device. Some app permissions that seem innocuous to the individual end-user may be malicious in the corporate sense and violate compliance policies.

This serves as a reminder to individuals that they shouldn’t share sensitive data over personal channels. We now seamlessly transition between our work and personal lives on a mobile device, increasing the risk of users inadvertently sharing corporate information on social media, even if it’s with another co-worker. 

This incident shows how important it is to have mobile security that can alert you to risky data handling practices. You also need a way to ensure apps don’t introduce malware, in order to effectively protect against data exfiltration."

Despite the exclusivity of Clubhouse being available on an invite-only basis and limited to iOS devices, its popularity has surged over the last year. Therefore, it is unsurprising to see that individuals have found a way to reverse engineer the Clubhouse API and subsequently publish open source tools that can be used to extract audio from rooms and ultimately develop a clone of the app for Android devices.

In this case, the user's intentions were clear: they wanted to use the application without the need for an iOS device. However, there could be other more nefarious individuals out there who might snoop in on conversations and/or speak as ghost users (not visible in a room, but able to chat) in both public and private rooms, infringing on what legitimate users believe is a limited audience.

There is also the likelihood of vulnerabilities lingering throughout the platform that have yet to be discovered and disclosed. We hope that Clubhouse will introduce an official vulnerability disclosure process so that researchers can help Clubhouse secure its growing platform and, ultimately, its users.

Clubhouse is still in its early phase and like with many applications, privacy of its users is often an afterthought. Similar to when Zoom usage went through the roof, Clubhouse is experiencing a huge uptake and learning as it goes. Far too often security and privacy of a start up’s userbase is seen as not as important as growth of the company. However, without the right protection in place there is arguably no longevity.

Companies need to do more in investing the right amount of resources into protecting users from any type of data breach. Whether it is private data or not, any data related to any user without a privacy promise is something to be wary of. I would advise users to limit the amount of personal data they offer up to the service and watch for updates and added security features in further releases.

Clubhouse is currently riding a wave of popularity and as it works to rapidly scale to meet demand, the company may have been less focused on user security. Its ‘by invite only’ model may also create a furtive breeding ground for future cyber-criminal activity, such as fake ‘invitation links’ directing users to malicious downloads.

As the line blurs between the use of devices for personal and work use, businesses should cautiously examine which apps employees use on work devices to understand what users may be trying to accomplish with new downloads. This should be backed up by cybersecurity awareness training to educate employees on the latest threats and provide clear guidelines on what can and can’t be downloaded on work phones and computers.

The data leakage from audio chat app Clubhouse appears to hinge on a lack of proper authentication and a lack of end-to-end encryption. Add in the challenge of relying on 3rd party infrastructure and potentially their security as well, and it is easy to understand how something like this can happen. To be secure and private, applications must have their security baked in from the start. It needs to be embedded at every level, from the communications protocols up through the user interface. Unfortunately, cybersecurity is an afterthought for many developers and many organizations rely on their security stack to take over when expedited development takes precedence over secure coding practices.

Clubhouse is a platform for social communication, most risks associated with the platform that are raised relate to privacy, essentially something the platform already have issues with managing and addressing according to amongst others the German data protection authorities.

Personally, I have not spent an ounce of effort looking into the platform and how it works, but I think we can all agree that there is room for doubt that for a company that forgot to address GDPR in its terms and conditions, technical security would have been first in mind when building it. Use the platform for what it is, a space to meet and chat in a likely insecure and far from a privacy-focused environment, and if you are comfortable with that – you won’t be disappointed. If privacy is your thing, this for sure is not the platform to choose for your interactions.