
*Disclaimer: I did mobile security research in college, but now I'm
just a mobile dev with a security interest. I'm not looking at this for
any company. This is purely personal interest. I'm not going to release
any "company secrets" I might find. I just want to prove this app is
as dangerous as Facebook and show what consumers should pay more attention
to.*
Recap
-----
In case you forgot, I was looking at 3 major things:
- Permissions
- API calls
- Intents
Permissions
-----------
Permissions are the access you give to apps. Some you grant at install
time, others prompt you with a popup. Here is what you give Clubhouse
permission to:
- address book, to send invites
- microphone (and possibly camera), so you can talk
- internet access, because everything needs internet
API Calls
---------
API calls are URLs that an app calls behind the curtain. From my
research, a lot of calls were made. At the time my Twitter account was
tied to it, so there were multiple calls to the Twitter API. Clubhouse
pushes a lot of data back to their servers. What that info is, my skills
are too green to know.
Intents
-------
Intents are background calls that apps use to share information. This
is the particular area where I don't trust Clubhouse. When you tie in
your social media accounts, info can be pulled in two ways: through API
calls to that application and through intents. Intents are useful when a
user adds a new friend while the app is open: the data can be passed in
the background without making new calls every few minutes. Deep down I
think there is an "exploit" in the way Apple handles these, but I could
be wrong because I'm an Android person. lol
Conclusion
----------
Even though I'm still new to mobile forensics type of stuff, there are a
few things I noticed. To start, let me explain what a social graph is. A
social graph is a "network" of connections between you and the people you
follow/friend on social media. Ever wonder how Facebook finds people to
suggest? It's based on the social graph. The graph holds info like your
personal details and then things you like/do. These things are what
allow them to suggest people of common interest.
I digress, BUT the social graph is the big picture here. "Somehow"
Clubhouse is taking pieces of your social graphs from other networks and
creating a new one. I disconnected my Twitter and I'm still getting
suggestions from my Facebook and/or Instagram social graphs. This is not
good because it means they have connected the 3 indefinitely.
I took a look in the background using Charles Proxy, and Clubhouse makes
hella requests to connected social media. This would be fine if they
weren't getting data from other apps running in the background. There
is definitely some permission giving them root-like (admin/god-level)
access to devices.
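The proxy check described above, as an added example that is not code from the original post or from Clubhouse: a small Python script that reads a HAR export (Charles Proxy can export a session as HAR), counts requests per host, and separates the app's own backend from third-party social-network hosts, so "hella requests" becomes a number you can show someone. The HAR entries, the hostnames and the first-party suffix list are constructed placeholders.

```python
import json
import sys
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in HAR format (the structure Charles Proxy exports);
# hosts and paths here are made up for the example, not captured from any real app.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example-app.invalid/v1/feed"}},
    {"request": {"method": "POST", "url": "https://api.example-app.invalid/v1/events"}},
    {"request": {"method": "GET", "url": "https://api.twitter.com/1.1/friends/ids.json"}},
    {"request": {"method": "GET", "url": "https://api.twitter.com/1.1/users/lookup.json"}},
    {"request": {"method": "GET", "url": "https://graph.facebook.com/v9.0/me/friends"}},
]}})

# Domains the app legitimately needs for its own backend (hypothetical placeholder).
# Every other host in the capture is treated as third party.
FIRST_PARTY_SUFFIXES = ("example-app.invalid",)


def host_of(url):
    """Return the lowercased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_first_party(host, suffixes=FIRST_PARTY_SUFFIXES):
    """Suffix match with a dot boundary so 'evil-example-app.invalid' does not pass."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def tally_hosts(har_text):
    """Count requests per host across all HAR entries."""
    entries = json.loads(har_text)["log"]["entries"]
    return Counter(host_of(e["request"]["url"]) for e in entries)


def third_party_hosts(har_text, suffixes=FIRST_PARTY_SUFFIXES):
    """Hosts outside the app's own domains, with request counts, most frequent first."""
    counts = tally_hosts(har_text)
    return {h: n for h, n in counts.most_common() if not is_first_party(h, suffixes)}


if __name__ == "__main__":
    # Pass a HAR file path to analyse a real export; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HAR
    for host, n in third_party_hosts(text).items():
        print(f"{n:4d}  {host}")
```

Run it against a capture taken with the social accounts disconnected and again with them connected; the difference in third-party hosts is the part worth questioning.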
I wasn't able to figure out what that permission was because Apple
doesn't exactly have clear-cut definitions like Google, but what I can
tell you is that whatever allows the app to stay open/live in the
background and on the phone is the issue.
**So you're wondering if Apple will fix things?** Probably not. Clubhouse
isn't hiding anything and people are willingly using the app. **Will
this app make it to Android?** Highly doubt it. Google has done this big
push on stalkerware apps and preventing them. Clubhouse could be
classified as a stalkerware app if used improperly (I wouldn't be shocked
if they are somehow grabbing location in the background). Given all the
previously mentioned issues, I don't see them passing the Play Store
requirements unless someone has SERIOUS pull at Google.
Well, this is all. Hope you learned something, and keep your eyes open.
I'll personally be deleting the app off my phone, but do as you want.
Lastly, if anyone at Clubhouse finds this, I'm not taking this shit down.
I can have an opinion and you can easily prove me wrong with a
conversation. :)