Video chat security: who’s in your Houseparty?

Video chat apps such as Houseparty have seen a significant increase in users over the last few months, as people around the world spend more time at home, and interact more with their friends and colleagues online. When companies grow this quickly, their user-protection can often fall behind. Long-standing communication apps that are built into platforms, such as WhatsApp, iMessage, and FaceTime tend to be robust, as they’re used by billions of users, and have had a lot of examination and testing as a result.

Smaller, newer video platforms haven’t been examined in this way, and, lately, the safety of using some video apps has been called into question. We’ve written at length before about how companies legally harvest your data, how to stay secure online, and the steps to take if your accounts are breached. In this post, I’m going to take a brief look at Houseparty, the risks that come with using it, and what you can do in simple steps to avoid sharing anything that you’d rather keep private.

4 risks all users face: data theft, oversharing or tracking of data, & weak security

Generally speaking, there are four risks that users face from using video apps such as these:

1. Inappropriate content and weak parental controls.
2. Deliberate -- and illegal -- data theft directly from the app company.
3. Deliberate sharing or tracking of data that’s legal but often unexpected.
4. Other people getting to your personal information through negligence in app security, or hacks that are performed as a consequence of weak app security.

Let’s take a look at the likelihood of each of these occurring.

Houseparty’s homepage markets the app as a social network, but lacks the parental control functions that users might reasonably expect from a social network. The app’s promotional text on Google’s Play Store describes it as “truly the next best thing to hanging out in person”. That’s nearly true: for children using Houseparty, the app’s like hanging out in person but with a creepy older person asking them questions about sex.

When signing up to Houseparty, all users must provide their date of birth, and the app keeps that information readily to hand whilst it’s running: it sends the user’s date of birth to the tracking products that the app uses on a regular basis. Houseparty’s newest feature -- and the crux of their monetisation plans -- is a series of integrated quizzes that pay no heed to user age.

When choosing a quiz to play, all users are shown the same list of quizzes, with the 18+ “Slang terms” quiz being the third on the list -- even for underage users. We steer clear of adult content on this blog, so we won’t get into specifics, but the quizzes include a range of profoundly child-unfriendly content, with topics including abbreviations for profane phrases, what really happens at strip-clubs, drugs references from heroin to marijuana, and various descriptions of sex and genitalia. Oh, and there’s also some Jeffrey Dahmer content.

The Houseparty app is marked on Apple’s App Store as being suitable for “12+” and advertising on Google’s Play Store as being suitable for “Teen”. The app has no integrated parental control functionality.

Many parents are justifiably concerned about what their children are exposed to online and in apps, and a number of sites review apps and provide this guidance. In the UK, the non-profit Internet Matters provides such a service with backing from BT, Sky and others. The organisation is currently heavily promoting their guidance on Houseparty, explaining that the work with industry, government and schools to provide this guidance.

Services like this are an important resource for parents, but in the case of Internet Matters, it appears that little or no due diligence has been done. Their advice for parents is extremely limited, largely sticking to a generic warning about stranger danger in videos, ending with a call to action for parents to download the app.

A cursory read of the Houseparty terms and conditions would lead any reasonable expert to notice the app is not GDPR-compliant, lacks parental controls, and claims to rights to use anything users share on the app. This -- along with the 18+ quiz content -- is important to flag up to parents. Internet Matters is actively doing a disservice to concerned parents around the world by providing this content.

Internet Matters isn’t the only service to publish reassuring pages on apps that haven’t been adequately scrutinized, but we’ve chosen to highlight them because, as of 2nd April, they’re still investing in promoting misleading content, despite at least one user publicly reporting concerns.

We believe services like this should prominently display the steps they take when vetting apps, and add a clear disclaimer where vetting has been superficial and undertaken solely from marketing materials and not review of the terms or product itself. These services should consider withdrawing their content after products and services have been updated, until the content can adequately reflect the current state of the app. (Internet Matters’ guidance was last updated 24th December 2019, yet Houseparty introduced quizzes some 11 months prior in January 2019.)

Tracking, tracking, everywhere...

What about legal -- but unexpected -- sharing of personal data? Houseparty has some things going on here.

The risk of illegal data theft is extremely low. Houseparty's parent company has clear business models that doesn’t involve this, and they’re headquartered a country with decent data protection laws. Houseparty is owned by Epic Games. There’s no evidence to suggest that it would steal a user’s data, and to be caught doing so would be counterproductive for it.

Houseparty isn’t a paid product, and its revenue model isn’t currently clear. That’s good reason to be wary of what the app might be tracking. As it stands, however, we’ve not seen any evidence that Houseparty have been hacked or are leaking info.

Anecdotes on Twitter aren’t enough...

There are plenty of reports on Twitter of users claiming that their banks accounts were raided, Spotify accounts accessed, or emails made available after using Houseparty, but those reports are all anecdotal and unreliable. Lots of people use easy-to-guess passwords and get hacked all the time: Security Magazine covered a University of Maryland study suggesting hackers attack every 39 seconds, and Gemalto’s data suggests 291 records are stolen every second.

To demonstrate the point: Apple’s security is generally rock-solid, but every now and then there’s still a suggestion that Apple have been hacked; it’s easy enough to find any number of cranks on Twitter alleging this at any time. Anecdotal accusations don’t prove wrongdoing.

In the meantime, Houseparty claim a third-party is orchestrating a smear campaign against them:

We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to bounty@houseparty.com.

— Houseparty (@houseparty) March 31, 2020

Houseparty have also said:

All Houseparty accounts are safe - the service is secure, has never been compromised, and doesn’t collect passwords for other sites

To an extent, however, that’s wordplay: any reasonable product won’t collect or store passwords, they use authentication tokens instead. Where users connect their Houseparty accounts with Facebook, Spotify or Snapchat, the Houseparty app will be able to access and potentially store authentication or data-sharing tokens for these accounts, and there’s no indication whether or not these are stored. There’s nothing intrinsically unusual about storing these sorts of tokens, but there’s still an important question: does Houseparty sync contacts with Facebook solely on sign-up, or do they store the authentication token for Facebook so that it can sync contacts or other account data in future? Their tweet doesn’t rule this out.

Houseparty’s security and data use in more detail

ESET looked at Houseparty’s Android app and suggested it looks broadly OK. We’ve taken a similar look at Houseparty’s iOS app and how it stores data, as well as some of the contracts and legalese around the service. We’ve highlighted a few notable finds from the com.herzick.houseparty app, as it’s called:

• Houseparty currently integrates with Facebook, just as Zoom did. Integration involves sharing some usage data with Facebook. It’s ostensibly there to enable inviting one’s Facebook friends, and tracking is an inevitable consequence if users choose to connect with Facebook.
• Houseparty stores and caches feed addresses for all sorts of configuration data on end-user devices. For example, it includes the path to all of the questions and answers for Houseparty’s “fun fact” trivia game. It appears to be left on every user’s phone, along with a bunch of other feeds.
• The Houseparty app caches some “Facemails” that users receive. They can be found in Library/Application Support/Prefetch-Facemails, and they’re stored in mp4 format. (If you’re curious to look for yourself, this document should help.)
• There’s a reasonable amount of tracking information that gets stored about a user’s phone, most likely for device fingerprinting. Just like Netflix, Houseparty stores a device’s user-agent (ie. Mozilla/5.0 (iPhone; CPU iPhone OS 13_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148) but also keeps values such as bnc_device_fingerprint_id, which help them identify devices using the service over time Device fingerprinting is a pervasive practise that Apple have repeatedly cracked down on, and Houseparty don’t appear to be using the recommended IDFA / IDFV tracking identifiers that Apple provide. Presumably because they blunt the effectiveness of tracking!
• Surprisingly, backups of the Houseparty app include a full logging / tracking database for the app. That only includes a user's own data, but it's really verbose and includes all sorts of granular data that shouldn’t be in a backup.

We suspect Houseparty wouldn’t get through a third-party security audit without at least some of these points being flagged up, so the fact that these continue to be present in the current version of the app makes us nervous. Confirmation that Houseparty have undertaken a third-party security audit would be reassuring.

Looking at the fine print...

Finally, Turning to Houseparty’s privacy policy and legalese, we saw a few things that didn’t sit well. Firstly, there’s no responsible disclosure policy. That would be a document that describes how the company reacts as and when a security researcher finds a problem. Usually, policies like this include a security bounty for the finder on the basis that they responsibly disclose the problem to the company so that the problem can be fixed.

Lacking a policy like this, security researchers are usually left to email customer care teams when they find problems, and it’s notoriously hard to get through customer care to make contact with a company’s security team. Had we found anything really terrible in the app whilst looking, a disclosure policy would have given us a place to easily report what we found. (For reference, here’s Reincubate’s disclosure policy.)

It seems truly astonishing that Houseparty would offer a $1m bounty (without any clear terms or conditions!) to find evidence of a smear campaign on their security, but not advertise any reward for responsible disclosure of security problems in the platform.

There are some concerning aspects of the Houseparty terms and conditions: there's no mention at all of Safe Harbor / Privacy Shield or GDPR, which indicates a casual attitude towards the protection of users, and could potentially put them in legal difficulties with European data protection regulators. Moreover, lack of GDPR compliance could also mean that businesses using such services are themselves in violation of Data Protection legislation, which could expose them to challenges from their own customers. One indication that GDPR has not been considered is that users can only choose to opt-out of marketing -- that’s in violation of Europe’s GDPR legislation, which requires such options to be “opt-in” at the point of sign-up. There's also no way to opt-out of other data collection.

Houseparty’s terms include the following:

You agree that Life on Air is free to use the content of any communications submitted by you via the Services, including any ideas, inventions, concepts, techniques, or know-how disclosed therein, for any purpose including developing, manufacturing, and/or marketing goods or Services

We’re not lawyers, but that seems to raise intellectual property issues: if you talk about your business idea or product, Houseparty would be free to take anything discussed by you to either develop their own product or sell the information to a third-party. It also suggests the service may retain some message content: if so, it may fall foul of European laws around the monitoring of communications.

Their terms also include this phrase, which prompts users to email Houseparty in order to opt-out of unsolicited marketing communications:

Individuals who provide us with Personal Information, or whose Personal Information we obtain from Third Parties, may receive periodic emails, newsletters, mailings, push notifications or text messages from us with information on our or our business partners’ products and services or upcoming special offers/events we believe may be of interest. We offer the option to decline these communications at no cost to the Individual by following the instructions in Section 5 below.

All of these Houseparty privacy issues stand in stark contrast to established messaging apps, such as FaceTime, iMessage, WhatsApp, Zoom, and Slack. WhatsApp has an excellent set of documentation and policies on privacy. Even Zoom states that “Zoom does not monitor or use customer content for any reason other than as part of providing our services. Zoom does not sell customer content to anyone or use it for any advertising purposes”. Slack makes it clear that they only use Customer Data to provide the service, and they retain it in accordance with the wishes of the customer (e.g some business plans provide archiving).

What to do if you’re concerned about your security

If you’re concerned about keeping yourself secure online, or about using Houseparty, we’d recommend you take the following steps.

• Uninstalling Houseparty isn’t enough to remove your data from their service. Their service may still store your phone number, name, uploaded contact list, and authentication tokens. Their terms suggest contacting hello@houseparty.com to opt-out of marketing and to have your details removed. Oddly, the email data-requests@lifeonair.com is cited later, but not for data requests!
• It is possible to use Houseparty without sharing much other than your phone number. The Facebook, Snapchat and Spotify integrations are all optional, as is uploading your contact list. We recommend you avoid doing any of those things, and instead add friends manually.
• When running Houseparty, users should be aware that visitors can drop into a room at any time. Other users will be notified you’re online as soon as you open the app. Beware! By default, rooms aren’t locked, which means that anyone who has added could drop in. There are all sorts of tweets about users being surprised by their boss dropping in on their Houseparty whilst they were in the bath! You can change this in Houseparty’s settings.
• As with any online service, we’d recommend taking a simple set of precautions for staying safe online. We summarise these at the end of this article, and lay out comprehensive security tips for Apple users here.