Security Risks of Viral Russian Face-changing mobile app - FaceApp

Sitwat Maroof     7th Jul 2020    

“FaceApp”, an Android- and iOS-compatible mobile app launched in 2017, took the internet by storm with its catchy, easy-to-use filters that dramatically edit photos and videos with a pinch of humour. You can choose a photo from your gallery or take a snap within the app, make changes and share it with your friends to receive some shocked and surprised responses.

Who doesn’t like to peep into the future? The app’s age filter, which predicts how one would look in old age with wrinkly skin and sagging jaws, became a viral obsession, thanks to the hashtag #Agechallenge. Along with countless regular users, several celebrities, including Drake and Gordon Ramsay, jumped in and shared images of their future older selves on social media.

Although the app’s Gender filter has always existed, it has recently gone through another round of popularity. The filter morphs your image as if you were a person of the opposite gender.

What are the major security concerns associated with FaceApp?

All internet-based mobile apps come with security concerns and vulnerabilities, and FaceApp is no exception. The app is developed by a Russia-based company, Wireless Lab, and claims to use Artificial Intelligence to perform a startling transformation of selfies.

The fact that the app originally hails from Russia raises some eyebrows, as the country has a bad reputation for being home to many scandalous hackers and cyber spies. (However, this perception is controversial, and many believe it is politically driven.)

Once you have chosen an image for editing, the selected image is uploaded and retained on the cloud servers for up to 24-48 hours. At first glance this may not seem a big deal, as people are accustomed to sharing their photos and videos over social media, but there is a more alarming side to this app that users must be aware of. Let’s put things into context and look at some of the consequential security concerns related to FaceApp:

·    FaceApp uses market leaders such as Amazon Web Services and Google Cloud as its third-party cloud providers, which offers a certain degree of reassurance. However, the fact that your image and personal information are already stored outside your mobile exposes you to certain privacy threats. It is pertinent to note that non-photograph information collected will be retained for as long as FaceApp deems necessary to meet certain legal obligations. Videos, however, are stored and edited locally on your mobile.

·    Photos uploaded to FaceApp servers may include metadata. In its simplest form, this means that information associated with the image, such as latitude and longitude (location), place name or perhaps the timestamp, might be retained as well. While FaceApp claims to make an effort to delete such information, an ordinary user has limited knowledge of how much personal information has leaked out of his/her mobile.

·    Let us take it one step further and make it scarier. The app also extracts a bunch of data about your device, such as mobile/computer model, manufacturer, Google and Apple advertising IDs, your IP address and country and, last but not least, the website you visited before landing on the FaceApp site.

·    Nowadays a lot of devices and institutions rely on facial recognition to grant permission and access to their services. FaceApp stands out from similar apps such as Snapchat in the sense that it encourages users to take ID-style selfies. A high-resolution, front-facing photo along with a bunch of personal information in the wrong hands can easily lead to identity theft. A similar concern was raised by Steve Sammartino, a technology expert and futurist:

“Your face is now a form of copyright where you need to be really careful who you give permission to access your biometric data. If you start using that willy nilly, in the future when we're using our face to access things, like our money and credit cards, then what we've done is we've handed the keys to others.”

·    If you log into the app via a social media platform such as Facebook, you are giving FaceApp a right to collect information from that platform, such as your name, number and/or list of friends. Your personal information may be shared with FaceApp service providers and/or affiliated advertisement partners. It is a perfect use case of the phrase “when you are getting something for free, you are in fact the product”.
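To make the metadata point above concrete, here is an added example (not FaceApp's code and not from the original article) that lists privacy-relevant EXIF fields in a JPEG and removes the EXIF segment before the photo leaves the device. It uses only the Python standard library, reads just the first EXIF directory (IFD0), and runs on a constructed sample; all function names are illustrative.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
SENSITIVE = {0x8825: "GPS position", 0x0132: "timestamp", 0x0110: "device model"}

def segments(jpeg):
    """Yield (marker, start, end) for each JPEG segment up to the pixel data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:  # start of scan: the rest is image data
            yield marker, pos, len(jpeg)
            return
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def is_exif(jpeg, marker, start):
    return marker == 0xFFE1 and jpeg[start + 4:start + 10] == EXIF_MAGIC

def sensitive_fields(jpeg):
    """Names of privacy-relevant tags in the first EXIF directory (IFD0 only)."""
    found = []
    for marker, start, end in segments(jpeg):
        if not is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        order = "<" if tiff[:2] == b"II" else ">"
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):  # each directory entry is 12 bytes, tag first
            off = ifd0 + 2 + 12 * i
            (tag,) = struct.unpack(order + "H", tiff[off:off + 2])
            if tag in SENSITIVE:
                found.append(SENSITIVE[tag])
    return found

def strip_exif(jpeg):
    """Copy the file, dropping every EXIF segment; pixels are untouched."""
    kept = [jpeg[s:e] for m, s, e in segments(jpeg) if not is_exif(jpeg, m, s)]
    return b"\xff\xd8" + b"".join(kept)

def sample_photo():
    """Constructed sample: JPEG header structure only, no real image data."""
    entries = struct.pack("<HHIIHHII", 0x0132, 2, 20, 0, 0x8825, 4, 1, 0)
    app1 = EXIF_MAGIC + b"II*\x00" + struct.pack("<IH", 8, 2) + entries + bytes(4)
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 +
            b"\xff\xda\x00\x02\xff\xd9")
```

Running `sensitive_fields()` on a photo before and after `strip_exif()` shows what would otherwise travel with the upload; fields stored in EXIF sub-directories are not listed by this check, but they are removed along with the rest of the segment.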

How to stay safe from security threats and identity theft while using FaceApp?

The founder of FaceApp, Yaroslav Goncharov, has downplayed any security concerns posed by his brainchild. Regardless, one should follow safe practices when using this app.

·    Immediately revoke the permissions granted to access your camera, gallery and microphone after using the app. If you are not a frequent user, delete the app after using it. iOS has a strange behaviour where it allows a user to upload individual photos from the Camera Roll even after the app has been denied access to photos.

·    You have the liberty to request that your photograph and other information be deleted immediately from the cloud servers, before the 24-48 hour limit. After using the app, go to the “Support” section of your mobile app settings and click on “Request cloud data removal” to automatically delete all the stored information.

Sitwat Maroof

Sitwat is a technical writer of significant expertise and experience. She has written on the subjects of futuristic technologies, web/software development, cloud computing, cyber-security, data science, amongst others. She assists clients to reach their targeted audiences successfully.
