Voilà AI Artist: The biggest security risks of the popular face-changing app

File picture: Pexels

Published Jul 2, 2021

By now, most of us have seen our friends turn into four different cartoon versions of themselves, thanks to the Voilà AI Artist app.

The cartoon avatar app has recently exploded in popularity. According to data from app analytics company Sensor Tower, it jumped from nearly 300 000 downloads across the iOS App Store and Google Play Store globally in April to nearly 8 million in June.

But how safe is the app and what are the security risks?

Check Point Research (CPR) has conducted a preliminary security analysis on the app. Although it found no obvious red flags (for now), it highlighted potential risks. These are worth mentioning as identity theft is on the rise.

South Africans have been warned to protect their personal information more urgently than ever, after new statistics released by the Southern African Fraud Prevention Service (SAFPS) showed a sharp increase in identity fraud over the past year.

According to the SAFPS report on 2020 fraud statistics, impersonation fraud was up by a whopping 337% over 2019’s figures.

The security risk could lie in the fact that the Voilà app sends face pictures to its servers for processing.

You might be thinking “Okay, but isn’t that the idea?” The problem is that not only your pictures, but your user identification details could end up in malicious hands, in the event of a cyberattack. This is because your face pictures and your identification details are linked.

How the app works:

– The Voilà app sends face photos to its servers for processing.

– When it sends photos for verification, the app includes a specific and unique installation ID (vdid) generated by Google Play.

– As said before, face photos are linked to specific user installation details. In the event of a cyberattack, face photos and user details can potentially end up in the wrong hands.

CPR has run a preliminary security scan on the Voilà app.

It found that the app was written by a legitimate LLP company registered in the UK. In terms of permissions, the app uses only the bare minimum required for operation. The app verifies that the images contain face(s), and only after that verification does the app send them to the server for processing.

All communication with the server is performed using HTTPS, so the traffic is encrypted out-of-the-box. Where possible, the app is also using well-known open source libraries.

“Most users likely assume that the processing of the Voilà app is done locally on their phone. This is not the case,” said the head of cyber research at Check Point Software, Yaniv Balmas.

“A non-obvious fact here is that the company sends face pictures to its servers for processing. When a face photo is sent to the company’s server, the app includes unique installation IDs that were generated by Google Play. So, each photo is packaged up with user identification details.

“While this fact is mentioned in the company’s privacy policy, the possibility for misuse of the data opens up – either by the company itself or by a third party. For example, if the company is hacked, the attackers could potentially gather a large database of all faces of application users.

“We have no way of telling if the company is doing anything illegal or malicious, but I do think it’s important for new users to be aware of the inherent risks in sending content to servers for processing. The risk being pictures of your or your loved ones’ faces in malicious hands, in the event of a data breach or cyberattack.”

IOL TECH