Roskachestvo tested guest vkontakte applications

Roskachestvo experts found out if it is possible to find out who visited “VKontakte” user’s page with the help of third-party applications. How dangerous are these kinds of apps and what are the dangers of installing them?. Of all the 56 apps of this type studied 40 on Android and 16 on iOS , not a single one passed the test successfully. Conclusion: applications of the category “My guests in VK” are misleading about the main stated functionality.

The administration of the social network “VKontakte” explains: it’s impossible to know the “guests of the page”. “Such applications or browser extensions can pose a threat to the user’s account and personal data. Cybercriminals could use such services for phishing. We advise you not to use such apps and extensions. They produce false results,” VKontakte press service said. This is not provided by the service architecture itself, and applications that supposedly have this functionality fake the results. But hundreds of thousands of users install such services anyway.

Many applications examined by Roskatchestvo Digital Expertise Center promised to “catch guests” not only on VKontakte pages, but also on Instagram, Twitter, and Facebook. But even there their promises turned out to be empty. During testing, each app was subjected to the same experiment: a different user visited the test account page and spent a certain amount of time on it. All 100% of apps failed to identify and show the account from which they accessed the test page.

The main dangers of such applications are the lack of privacy guarantees and the possibility of charging your account. In this case, after getting personal data or user’s money, the app can simply disappear. So, 10 of the 56 apps had disappeared from stores by the time of publication. During the study, the experts managed to establish that six of these ten applications did not have the IP-login to the real.

When checking the applications, the specialists analyzed the outgoing traffic with specialized software and tracked where this traffic was directed. Particular attention has been paid to the app’s inquiries during the authorization process. Thus, 60% of the apps at this stage sent requests to other countries – most went to Turkish servers. Among the apps with Turkish roots are “Real VK Guests”, “My guests – Activity on VK page”, “My VK fans”, “Search on Android for Twitter”, “MyTopFans for Twitter”.

Head of Roskachevo Digital Expertise Center Anton Kukanov explains what happens when third-party app conducts authorization not directly through social network’s server but through its own server. “Imagine having to open the door to your apartment. In one case, you take the keys out of your pocket and put them in the well, opening the door. In another one, you give your keys to a stranger and he opens the door at your request. But you don’t know what that stranger will do before you open the door. He might make a mold of the keys and use them later for his own purposes.

Fifty-four of the 56 apps were conditionally free. The “free” apps have advertising, and it is this that allows their owners to monetize their activities. Ads are either not turned off at all or are turned off for money. In the applications “Search for hidden friends for VKontakte – Facebook Explorer” and “Who was watching my photos at VKontakte?” shows full-size banners that are easy to click on accidentally, which can lead to phishing or other malicious sites, because developers are not too picky in their choice of advertisers.

In two applications with a paid subscription it is not obvious: the user is shown only once a window with the registration and is not told about future expenses. This is potentially fraught with debit charges, which will come as a surprise to the user.

Excessive permissions are a classic vulnerability in Android devices, where an app can gain important access without notifying users. Blatant spyware was not detected during the study, but you should pay attention to the applications that access the camera, storage and search for other accounts on your device – this is a potential spy functionality “VK Guests”, “My guests – Activity on VK page”, “Real VK Guests” and “Guests and Statistics from Vkontakte” . Although these accesses are due to the logic of the applications, it is worth bearing in mind that none of them are from an official developer. It means you have to understand that you are in potentially unsafe environment, and pay more attention to each new access request.

If you carefully read the descriptions of the applications, almost everywhere it is mentioned that they do not give a hundred percent guarantee that the guests of the page, but only analyze open information transmitted by the servers of “Vkontakte” through the API Application Program Interface .

Head of Roskachevo Digital Expertise Center Anton Kukanov: “The main potential risk is transferring your account data to a third-party server. It is fraught with the risk of losing your account and everything it contains personal data, correspondence, and their contents . And if a user uses the same username/password combination on other resources, all services are at risk at once. Remember that by signing in to unofficial applications we are not talking about “using or via a social network” , you deliberately submit your account data to third parties, whose integrity cannot be guaranteed. Roskachevo recommends: don’t install such apps, use only official mobile clients”