Is the Houseparty app really hacking your phone? Everything you need to know

Updated on 01-Apr-2020
HIGHLIGHTS

Users of app Houseparty allege that the app is hacking their smartphones.

The claims of hacking are anecdotal and lack objective proof

Ever since various countries, ours included, went into lockdown, Houseparty, a video calling app shot through the roof in popularity. The app allows you to add contacts to your profile and as you video chat with someone, others on your friend's list can join the conversation, without seeking permission. The app also offers games built-in that you can play with your friends during the video chat. Given the social distancing and isolation brought on by it, people turned to the app as a means of being digitally social. Now, the app has come under some serious fire for claims of stealing users banking details, trying to hack into their Netflix, Spotify accounts and more. Are these claims real?

Where it all began

Claims of Houseparty running rogue through the smartphone started early on Monday, with users taking to Twitter to report suspicious behaviour. Many tweets said “someone is trying to access my Uber account, two days after I installed Houseparty” and similar. Many users shared screenshots from Spotify stating that someone was trying to access their accounts from Russia, Israel, Netherlands etc. Some people even shared screenshots alleging unauthorized transactions, again with the claim being that the behaviour only started after they installed Houseparty.

What security experts have to say

Before we get into what professional cybersecurity experts have said, let’s first just consider how Android and iOS protect apps from each other, especially banking apps. Both iOS and Android offer a Sandbox, a cordoned off part of the ecosystem for secure apps to run, without being in contact with anything outside of it. Think of it like a fenced-off area, your banking app lives inside it and all other apps outside. The outside and the inside cannot interact. That prevents apps from “hacking” into your banking app. Additionally, banking apps do not store your login information on the device, so any claims of credentials being stolen are either uninformed paranoia or the result of a very poorly developed banking app.

As for Houseparty running a hack through your phone is concerned, Naked Security is a threat newsroom by Sophos, a security and encryption company that’s been in the business for over 30 years. Naked Security’s report notes that it is unlikely that Houseparty is a rogue app, designed and serving the purpose of stealing data and credentials.

What Could have gone wrong

Naked Security hypothesizes that in this case, Houseparty was responsible for all the illicit activity, it's more likely that a server of theirs was compromised. That would need to be in conjunction with the fact that many users may have used the same password for their Houseparty account as they did for many others, effectively making their Houseparty password a “masterkey” of sorts. Additionally, Houseparty’s servers would need to store your account information, including your passwords, in a plain text file, a practice that is gravely frowned upon and definitely not expected from an app owned by Epic. While the company has denied any breach of their servers, there has been a trend amongst big corporations to defend their innocence until irrefutable evidence to the contrary is found. Thus, the only way to prove that Houseparty's servers were hacked is if the group responsible was to come forward with damning evidence.

Another nail in the “hacker app” coffin

Typically, when hackers want to siphon off data from your phone, they will usually send you a link to click on, which will take you to a legitimate-looking website, but in the background, it’s probably installing malware scripts to steal the contents of your phone. The reason for this is because both iOS and Android have a very robust app-screening process, one that catches apps that are pure “malware.” While a few apps with deeply embedded questionable code do slip through every now and then, an app that housed code to infiltrate every sandbox, monitor all keystrokes and upload all that data to third-parties would never pass Google’s Play Protect scans or the scrutiny of the iOS App Store moderation team. Typically, if users do find an app behaving maliciously, teams at Android and Apple proactively look into the app and remove it, something that hasn’t happened with Houseparty yet, despite the major social media uproar.

Epic Bounty Program

Convinced that this is nothing short of a smear campaign, Epic has announced two bounty programs. The first bounty program offers a million U.S. dollars to anyone who can provide hard evidence of the Houseparty app actually hacking through a user’s phone. The second bounty program is for another million dollars, up for grabs to anyone who can point to the source of this misinformation campaign. With two million dollars up for grabs, it’s difficult to ignore the confidence Epic has in its property’s innocence.

What Should You Do

If the novelty for Houseparty has worn off, you can delete your account before deleting the app. If you would still like to continue using Houseparty, it would be recommended that you change the passwords to your other social media, email and services accounts. This is so that in the off-chance hackers gained access to the host server for Houseparty and discovered the user passwords, your other accounts are no longer vulnerable. Although Houseparty has clarified through its official Twitter account that none of their servers were breached and that all accounts are still secure. If you’re still shaking with paranoia, then feel free to delete your account and the app, but DO NOT forget to change all your passwords.

Swapnil Mathur

Swapnil was Digit's resident camera nerd, (un)official product photographer and the Reviews Editor. Swapnil has moved-on to newer challenges. For any communication related to his stories, please mail us using the email id given here.

Connect On :