How secure is Clubhouse?

Clubhouse is the latest popular social networking app to grace the Apple App Store. Launched in April 2020, Clubhouse is an exclusive, invitation-only app that allows its users to take part in audio chats hosted in ‘rooms,’ where two or more speakers discuss topics of the users’ choice. In May 2020 the app was valued at $100m, and now, after a busy year in which its popularity boomed, it is valued at $1b (as of January 2021).

But, as is usual when a new app is propelled into global fame in such a short space of time, its security and privacy need to be examined. So, just how secure are you when using Clubhouse?


How does it work?

To use Clubhouse, users must sign up with a mobile phone number and are required to use their real name and identity. To invite more users to the app, you must grant it access to your contact list. It is in this way that the app creates “shadow profiles” of everyone in a new user’s contact list who has not yet received an invite.

How secure is it?

Clubhouse has repeatedly stressed that it is deeply committed to data protection and user privacy, and yet a company spokesperson recently let slip that there were still a “few areas” where it could “further strengthen data protection.” This chiefly concerns encryption, but also the volume of app data that could potentially be relayed back to the Chinese servers of Agora.io, the provider that carries the data traffic and audio for the Clubhouse application.

A key point that users should know is that every chat room or conversation is “temporarily” recorded in order to support Clubhouse’s incident and investigations team, while users themselves are prohibited from recording or streaming Clubhouse content elsewhere. According to Clubhouse, these recordings are deleted once the chat room has ended. Nonetheless, security experts have found that these recordings are not encrypted end-to-end, and that a user’s audio continues to be captured by the chat room even after that user has left the room, if their microphone was left on.

What is the policy on data privacy?

As with many popular apps that function in a similar way (such as WhatsApp), the Clubhouse app requires the user to grant access to the contacts on their phone, in order to connect the user with friends or acquaintances who also use the app, and to invite others to join the platform.

What security researchers have noticed as potentially suspicious is the number of times the app prompts users to accept its privacy policy.

Are there any other associated risks?

At the moment, the platform is exclusive to Apple iPhone users. Various developers have made efforts to create unofficial third-party web applications that stream the service for Android and Windows users. These raise further concerns about data protection, data collection and the privacy policies that apply to users of such unofficial clients.

Another in-app risk, found by the developer collective Zerforschung, is Clubhouse’s “ghost listen” feature, which allows users to eavesdrop on a conversation without revealing their identity to the room’s members. Security researchers have also found that Clubhouse relies on Agora.io, a Chinese startup that provides the base platform for the application; this has led to fears, because Chinese businesses can be required to hand over any company information the authorities ask to see.

Some users on the official Clubhouse community subreddit have also reported a few worrying revelations of late concerning the data collected and used by the app. One member, u/SunnyCity1, expressed confusion at peripheral acquaintances from their place of work (a company of over 6,000 employees) being recommended to them as contacts, despite having no personal affiliation with them (their numbers had never been in their phone) and no mention of their workplace on their personal profile. This is compounded by the ambiguity, from the app’s founders and in its guidelines, about which user data is collected and the purposes for which it is used.
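The shadow-profile mechanism described under “How does it work?” and the puzzling recommendations reported above can be illustrated with a small model. The Python below is an added example, not code from Clubhouse, Agora.io or this article’s author; the matching rule it uses (direct contacts either way, plus anyone who appears in the same uploaded address book) and the phone numbers are assumptions constructed for the illustration, not a description of Clubhouse’s actual algorithm.

```python
from collections import defaultdict

# Constructed sample numbers from the UK range reserved for fiction
# (07700 900xxx); they do not belong to anyone.
ALICE = "+447700900001"
BOB = "+447700900002"
CAROL = "+447700900003"
DAVE = "+447700900004"
EVE = "+447700900005"
FRANK = "+447700900006"


class ContactDirectory:
    """Toy contact-discovery backend (an assumption, not Clubhouse's design)."""

    def __init__(self):
        self.members = set()                 # numbers that have signed up
        self.address_books = {}              # member -> numbers they uploaded
        self.uploaded_by = defaultdict(set)  # number -> members who uploaded it

    def sign_up(self, number, contacts):
        """A new member joins and grants access to their contact list."""
        self.members.add(number)
        self.address_books[number] = set(contacts) - {number}
        for contact in self.address_books[number]:
            self.uploaded_by[contact].add(number)

    def shadow_profiles(self):
        """Numbers the service holds for people who never signed up,
        mapped to the members whose uploads revealed them."""
        return {n: set(u) for n, u in self.uploaded_by.items()
                if n not in self.members}

    def suggestions(self, number):
        """Members the service can link to `number` under the assumed rule:
        direct contacts either way, plus anyone who appears in the same
        uploaded address book (a mutual-contact link)."""
        linked = set(self.address_books.get(number, set()))
        linked |= self.uploaded_by.get(number, set())
        for uploader in self.uploaded_by.get(number, set()):
            linked |= self.address_books[uploader]
        linked &= self.members
        linked.discard(number)
        return linked


def demo_directory():
    """Three sign-ups: Alice; a colleague, Dave, whose phone holds many
    office numbers; and Eve, who only uploads one unrelated contact."""
    d = ContactDirectory()
    d.sign_up(ALICE, {BOB, CAROL})
    d.sign_up(DAVE, {ALICE, BOB, CAROL, EVE})
    d.sign_up(EVE, {FRANK})
    return d


if __name__ == "__main__":
    d = demo_directory()
    print("shadow profiles:", d.shadow_profiles())
    print("suggested to Eve:", d.suggestions(EVE))
    print("Alice ever had Eve's number:", EVE in d.address_books[ALICE])
```

Alice and Eve never held each other’s numbers, yet each is suggested to the other because a third member’s upload contained both; Bob and Carol have profiles held against them before they have ever joined. From a data-minimisation standpoint this is what granting contact access reveals about people who never consented, which is why that one permission matters more than any wording in the app’s own privacy policy.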

What’s the takeaway?

Like any social networking application propelled into fame and receiving funding rounds from the likes of Andreessen Horowitz, Clubhouse comes with an element of uncertainty, primarily surrounding the protection and use of user data and in-app content. At the end of the day, the decision to use the app falls to user discretion, and to whether users are comfortable with the notion that anything they do, say, or grant the app permission for could potentially be shared with third parties. We hope this overview of the key concerns about the app’s security comes in useful when making that decision.

Serbus is an industry leader in secure communications and remote device security, providing solutions to the likes of the MoD, the UK Government and world-class brands. If you are interested in learning more about how we can help protect your business devices against external threats, keeping your company IP and customer data at the highest level of security, contact us for a chat. Email us at [email protected] or call our office on +44 (0)1432 870 879.