One cybersecurity firm did an investigation and sounds caution to users of such apps.

It is always fun to see a cartoon caricature of yourself—and you may have noticed a surge in these cartoon-style photos on social media platforms. However, mobile apps used to turn photos into cartoon avatars can do more than let you have fun…

Recently, Check Point Research (CPR) conducted a preliminary security analysis on a popular avatar-creation app called Voila to check if there were any risks associated with uploading photographs of faces to software that links to the cloud for processing.

In the event of a cyberattack, face shots, along with user identification details, could end up in malicious hands.  

App investigation results

CPR’s investigations confirm that Voila utilizes only the bare minimum required for operation, and that it uses a server for processing photographs of faces.

All communications with the server are encrypted, and the app uses well-known open source libraries, where possible. Some points of concern include:

  • When a photo is sent to the server, the app includes the specific and unique installation id (vdid) that was generated by Google Play, potentially linking faces to the specific installation
  • Face photos are linked to specific user installation details. Where in the event of a cyberattack, face photos and user details can potentially end up in malicious hands 

According to CPR’s Head of Cyber Research, Yaniv Balmas, while the risk of vdid linkage to personal data is mentioned in the company’s privacy policy, users have to understand that there is the possibility for misuse of the data.

“For example, if the company is hacked, the attackers could potentially gather a large database of all faces of application users. We have no way of telling if the company is doing anything illegal or malicious, but I do think it’s important for new users to be aware of the inherent risks in sending content to servers for processing,” Balmas said.