Clubhouse Study[CHS]: The Results

Final thoughts on clubhouse being a malicious app

Disclaimer: I did mobile security research in college, but now I'm just a mobile dev with a security interest. I'm not looking at this for any company. This is purely personal interest. I'm not going to release any "company secrets" I might find. I just want to prove this app is as dangerous as Facebook and show what consumers should pay more attention to.

Recap

In case you forgot, I was looking for 3 major things:

  • Permissions
  • API calls
  • Intents

Permissions

Permissions are the access you give to apps. You grant some when you download the app and others through a popup. Here is what you give Clubhouse permission to access:

  • address book to send invites
  • microphone (and possibly camera) so you can talk
  • internet access because everything needs internet

API Calls

API calls are URLs that an app calls behind the curtain. From my research there were a lot of calls made. At the time my Twitter account was tied to it, so there were multiple calls to the Twitter API. Clubhouse pushes a lot of data back to their servers. What that info is, my skills are too green to know.
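An added example (not the author's code): one way to triage a proxy capture, such as the Charles Proxy session mentioned in the conclusion, assuming it was exported as a HAR file. It tallies requests and uploaded bytes per host and flags hosts belonging to the social networks named in this post; the function names, the `.example` hosts and the sample entries are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: domains of the networks the post names; extend as needed.
SOCIAL_SUFFIXES = ("twitter.com", "facebook.com", "instagram.com")

def load_har(path):
    """Load a HAR file exported from the proxy."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def is_social(host):
    """True if host is one of the social domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in SOCIAL_SUFFIXES)

def summarize_har(har):
    """Return {host: {"requests", "bytes_sent", "social"}} for a parsed HAR."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "social": False})
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        host = (urlsplit(req.get("url", "")).hostname or "").lower()
        if not host:
            continue  # skip malformed entries
        row = stats[host]
        row["requests"] += 1
        # HAR uses -1 when a size is unknown; count only known body sizes.
        row["bytes_sent"] += max(req.get("bodySize", 0) or 0, 0)
        row["social"] = is_social(host)
    return dict(stats)

def top_uploaders(stats, n=3):
    """Hosts ordered by bytes uploaded, largest first."""
    return sorted(stats, key=lambda h: stats[h]["bytes_sent"], reverse=True)[:n]

# Constructed sample capture (not real traffic); .example hosts are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://api.app.example/v1/contacts", "bodySize": 48213}},
    {"request": {"method": "POST", "url": "https://api.app.example/v1/events", "bodySize": 912}},
    {"request": {"method": "GET", "url": "https://api.twitter.com/1.1/friends/ids.json", "bodySize": -1}},
    {"request": {"method": "GET", "url": "https://api.twitter.com/1.1/users/show.json", "bodySize": 0}},
    {"request": {"method": "GET", "url": "https://nottwitter.com.example/x", "bodySize": 0}},
]}}

if __name__ == "__main__":
    stats = summarize_har(SAMPLE_HAR)
    for host in top_uploaders(stats, n=len(stats)):
        s = stats[host]
        print(f"{host:26} {s['requests']:3} req {s['bytes_sent']:7} B sent  social={s['social']}")
```

Sorting by bytes sent puts the hosts receiving the largest uploads first, which is where to start reading request bodies in the proxy.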

Intents

Intents are background calls that apps use to share information. It is in this particular area where I don't trust Clubhouse. When you tie your social media accounts you can pull info in two ways: from API calls to that application and through intents. Intents are useful when a user adds a new friend while the app is open. It can pass the data in the background without making new calls every few minutes. Deep down I think there is an "exploit" in the way Apple handles these but I could be wrong because Android person. lol

Conclusion

Even though I'm still new to mobile forensics type of stuff, there are a few things I noticed. To start, let me explain what a social graph is. A social graph is a "network" of connections between you and the people you follow/friend on social media. Ever wonder how Facebook finds people to suggest? It's based on the social graph. The graph shows info like your personal details and then things you like/do. These things are what allow them to suggest people of common interest.

I digress BUT the social graph is the big picture here. "Somehow" Clubhouse is taking pieces of your social graphs from other networks and creating a new one. I disconnected my Twitter and I'm still getting suggestions from my Facebook and/or Instagram social graphs. This is not good because it means they have connected the 3 indefinitely.

I took a look in the background using Charles Proxy and Clubhouse makes hella requests to connected social media. This would be fine if they weren't getting data from other apps running in the background. There is definitely some permission giving them root-like (admin/god-level) access to devices.

I wasn't able to figure out what that permission was because Apple doesn't exactly have clear-cut definitions like Google, but what I can tell you is that whatever allows the app to stay open/live in the background and on the phone is the issue.

So you're wondering if Apple will fix things? Probably not. Clubhouse isn't hiding anything and people are willingly using the app. Will this app make it to Android? Highly doubt it. Google has done this big push on stalkerware apps and preventing them. Clubhouse can be classified as a stalkerware app if used improperly (wouldn't be shocked if they are somehow grabbing location in the background). Given all the previously mentioned issues I don't see them passing the Play Store requirements unless someone has SERIOUS pull at Google.

Well, this is all. Hope you learned something and keep your eyes open. I'll personally be deleting the app off my phone but do as you want. Lastly, if anyone at Clubhouse finds this, I'm not taking this shit down. I can have an opinion and you can easily prove me wrong with a conversation. :)