Clubhouse’s exclusivity has created a huge buzz – but does the app and platform’s security match the hype around it?

Jonathan Fischbein, Chief Information Security Officer at Check Point Software

“I don’t want to belong to any club that will accept people like me as a member,” as Groucho Marx famously observed.  But with leading media and business influencers such as Oprah Winfrey, Kanye West, Drake and Elon Musk enthusing about Clubhouse, the invitation-only ‘drop-in audio’ app has created massive awareness and interest globally, even though it’s still in beta mode.  It claims to have 10 million users, up from 2 million in January 2021, and its $1 billion valuation makes it a tech unicorn ranking alongside familiar apps such as Uber and AirBnb.

However, as with any new and fast-growing social media app, there are signs of growing pains, in the form of questions about its security and privacy, both in the sign-up process and in how well it protects its content.  So just what is Clubhouse, and what are the security concerns associated with it?

Clubhouse is an audio-based social network in which people have conversations that a virtual audience can listen to. Effectively, it is like a collection of exclusive live podcasts or radio shows, with the topics grouped into a range of categories such as business, culture, politics and so on.  Clubhouse states that the conversations disappear when they are finished, and that they cannot be recorded within the app.  Currently, the app is available only on iOS for iPhones, and although it can be downloaded from Apple’s App Store, an account can only be activated with an invitation from an existing member.

What does Clubhouse membership cost?

Although it is free to join if you are invited, the questions over Clubhouse’s privacy start with the sign-up process.  When someone is invited to join by an existing member, the app asks for access to all of the contacts on the person’s device in order to help them find other Clubhouse users.  The app also encourages users to connect their Twitter and Instagram accounts as another way to find people (or for people to find them).

This is standard practice for a new app, and quite common with popular apps such as TikTok, but what is not clear is exactly what data the Clubhouse app extracts from those contacts, or shares with other social media apps.  Many users have reported that their contact details have been shown to other Clubhouse users without their permission.  This lack of transparency demonstrates the truth behind the familiar saying: “if you’re not paying for a product, then you are the product.”

Who’s listening?

So there are questions over the way Clubhouse handles users’ contacts, and there are also questions over just how private users’ actions and audio content are on the app.  Investigations by the Stanford Internet Observatory (SIO) have confirmed that Agora, a Shanghai-based provider of real-time engagement software, supplies back-end infrastructure to the Clubhouse app.  The SIO also found that users’ unique Clubhouse ID numbers and chatroom IDs are transmitted from the app to its core infrastructure in plain text, leaving those details potentially exposed to access by the Chinese government.  It is possible this arrangement could also give the Chinese government access to users’ audio content: the SIO observed metadata from Clubhouse chats being relayed to servers believed to be hosted in China.  Clubhouse says it has taken steps to prevent this.

In addition, during February 2021, Bloomberg reported that an unidentified user was able to stream Clubhouse audio feeds from several different chatrooms onto their own third-party website.  So while Clubhouse maintains that conversations disappear from its app as soon as they are finished, the same cannot be said of audio that has been extracted from the app and hosted elsewhere.  Clubhouse stated that it had banned the user who had streamed the audio feeds on their own website, and had installed new safeguards to prevent the situation recurring.  However, the point remains that a user was able to extract audio feeds without Clubhouse’s knowledge or consent, and there is no guarantee that audio cannot be extracted from the app by other methods and made public in the future.  It is a similar situation to the security of messages in a private WhatsApp group: if anyone in that group exports the messages or content to another platform, then it is no longer private.

Fake memberships

Of course, as with any exclusive commodity, demand outstrips supply, which opens up opportunities for scammers.  There have been many reports of people selling Clubhouse invitations: some of the vendors may be legitimate, but the purchaser is unlikely to find out whether the invitation is genuine until after they have paid.  Other scammers are offering fake apps in the hope of tricking people.  Check Point Research has identified bogus Clubhouse apps for both iOS and Android devices, which aim to harvest users’ personal data and credentials.  One such app was found in Google’s official Play Store before being taken down, showing that the scammers were able to bypass the store’s security and vetting procedures.

In conclusion, Clubhouse is experiencing a hype cycle that is commonly seen with popular new apps.  It has experienced explosive growth that exceeded the company’s expectations while it is still in the beta phase, and this has magnified privacy and security problems that would otherwise probably be ironed out during the app’s pre-launch phase, without the general public being aware of them.  Yet these issues clearly demonstrate that anyone planning to use Clubhouse needs to be aware of the potential security issues of doing so.  Groucho Marx was wise to question whether he would want to be a member of a club just because he had been invited.

It is worth remembering these security tips to protect yourself against malicious apps and mobile scams, too:

  1. Only install apps from trusted sources such as official app stores (remember, Clubhouse is currently available only in the Apple App Store).
  2. Carefully review the app permissions for accessing contacts and data on your device: do not just click ‘Accept All.’
  3. Do not automatically trust an app recommendation or invitation, even from someone you think you know.
  4. Consider deploying a mobile security solution on your device to protect against potentially malicious downloads.
