Clubhouse Study [CHS]: The Red Flags

Intro to my Clubhouse investigation

Disclaimer: I did mobile security research in college, but now I'm just a mobile dev with an interest in security. I'm not looking at this for any company. This is purely personal interest. I'm not going to release any "company secrets" I might find. I just want to prove this app is as dangerous as Facebook and show what consumers should pay more attention to.

I've been saying this a lot over the past week or so: Clubhouse is a malicious app. Don't believe me? Of course you don't, but I'll prove it, or at least make you see the little things that should give you pause. To start, I'm just going to give you the red flags I've seen.

Before we get too far, I also want to note that I'm not sure this app can ever be on Android. From what I've seen of the "new" rules on the Play Store, this app could be considered stalkerware. I'd also like to state that I don't know the language stack this was built in, but that doesn't make a difference. Malware is malware is malware.

Flag 1: Access to Contacts

When I got an invitation, I thought nothing of giving my number to the person. Once I was in the app, I realized that the person had to add me to their contacts in order to even send an invite. This is a HUGE red flag. Since they are using a Twilio number to send out invites anyway, you should be able to just submit a number through a little text box.

There is no reason for them to need access to my contacts. After getting my close friends on the platform, I revoked access to my contacts. Why? I noticed these other flags, and I keep pretty personal info in my address book. There are birthdays, emails, and addresses for folks who haven't given Clubhouse those details, yet Clubhouse has access to them. I'm not going to be the weak link that gets my friends and family screwed over.

Flag 2: Phone calls

Have you ever gotten a phone call while on Clubhouse? Next time you do, notice how the app doesn't pause. That's strange, and it makes me think the app has access to phone logs. Upon downloading the app, you give them access to your mic. It's been a while since I looked at what all is attached to iOS permissions, but did we give them phone and mic access, phone and camera access, or just mic access? To be determined, but something to think about.

Flag 3: Friend Suggestions

On Clubhouse you can tie your Twitter and/or Instagram accounts. I only tied my Twitter account, so naturally, if others tie their Twitter accounts, I expect them to show up in suggestions when they join. So what's the problem?

I've started getting suggestions of people from my Instagram and Facebook, people who don't even know my Twitter details. That is a big problem for me, as I've separated my life online a certain way. My prediction? When Clubhouse is active and/or in the background, it is either getting a broadcast from every open app OR the app somehow has the equivalent of root/admin access to my device.

Because of this, I try to only be on Twitter or respond to texts when I'm using the app. I absolutely refuse to open banking apps, or anything else I deem important enough not to leak, while the app is open.

TLDR: Conclusion

These are the three major flags I want to investigate in the Clubhouse app. To simplify, I want to look at app permissions (what you give them access to), API calls (what they send to their server), and intents (what info they are getting from other apps).
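The first of those three checks, app permissions, can be done without running the app at all. On iOS an app can only prompt for contacts, microphone, camera and similar data if its Info.plist declares the matching usage-description key (NSContactsUsageDescription, NSMicrophoneUsageDescription, NSCameraUsageDescription, and so on), and that file can be pulled straight out of the .ipa (for example with `unzip -p App.ipa 'Payload/*.app/Info.plist'`). The script below is an added example written for this post, not code from Clubhouse or from the author; it triages an Info.plist for the sensitive-data keys and flags any whose justification string is empty or too short to explain the need. The sample plist embedded in it is constructed for illustration and is not Clubhouse's real Info.plist, and the key list is a curated subset of Apple's real usage-description keys.

```python
import plistlib

# Real iOS privacy usage-description keys (a curated subset) mapped to the
# data each one unlocks. An app cannot show the permission prompt for a
# category unless the corresponding key is present in its Info.plist.
SENSITIVE_KEYS = {
    "NSContactsUsageDescription": "address book (names, numbers, emails, birthdays)",
    "NSMicrophoneUsageDescription": "microphone",
    "NSCameraUsageDescription": "camera",
    "NSPhotoLibraryUsageDescription": "photo library",
    "NSLocationWhenInUseUsageDescription": "location while the app is in use",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location, including in the background",
    "NSCalendarsUsageDescription": "calendar",
    "NSBluetoothAlwaysUsageDescription": "Bluetooth",
    "NSUserTrackingUsageDescription": "cross-app ad tracking identifier (IDFA)",
}


def triage_info_plist(plist_bytes: bytes) -> dict:
    """Return {capability: justification string} for every sensitive key declared.

    plistlib.loads auto-detects XML and binary plists, so the bytes can come
    straight from an .ipa without conversion.
    """
    info = plistlib.loads(plist_bytes)
    found = {}
    for key, capability in SENSITIVE_KEYS.items():
        if key in info:
            found[capability] = str(info[key]).strip()
    return found


def weak_justifications(found: dict, min_len: int = 20) -> list:
    """Capabilities whose usage string is empty or too short to explain the need.

    A missing or one-word reason is not proof of abuse, but it is exactly the
    kind of thing to dig into with traffic capture afterwards.
    """
    return [cap for cap, reason in found.items() if len(reason) < min_len]


# Constructed sample Info.plist for this example; NOT Clubhouse's real plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.audioapp</string>
  <key>NSContactsUsageDescription</key><string>To find your friends.</string>
  <key>NSMicrophoneUsageDescription</key><string>So other people in the room can hear you talk.</string>
  <key>NSUserTrackingUsageDescription</key><string></string>
</dict>
</plist>
"""


if __name__ == "__main__":
    declared = triage_info_plist(SAMPLE_PLIST)
    for capability, reason in declared.items():
        print(f"{capability}: {reason!r}")
    print("weak or missing justification:", weak_justifications(declared))
```

Note what the output does and does not tell you: the sample declares contacts, microphone and the ad-tracking identifier and nothing for the camera, which answers the "mic only, or mic and camera?" question for that build, but a declared key only says the app may ask; whether it actually uploads the address book is a question for the API-call check, not this one.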

My suggestions

  • Be careful with Clubhouse
  • Don't use any important apps while the app is open
  • Pay attention to what you give them access to as time goes on