Tinder, OKCupid, Grindr & Co. allow intimate data to flow out
Security researchers have analyzed 15 popular dating apps: All apps reveal intimate data such as sexual orientation or exact locations.
(Image: ra2 studio/Shutterstock.com)
- Uli Ries
Attackers can tap into many widely used dating apps to gain access to users' personal details. Belgian security researchers from KU Leuven have pointed this out following a study of 15 dating apps. The apps include Badoo and Tinder, which each have around 100 million downloads.
Procedure
By their own account, the security researchers wanted to find out which user data they could access without attacking the servers themselves. They therefore focused on the providers' APIs and analyzed the data that was practically freely available via these interfaces.
The developer tools in Google Chrome were used to record the API traffic. If there was no web app for the service in question, the researchers reportedly used either an emulator or an Android smartphone, on which they decrypted and recorded the HTTPS data traffic using HTTP Toolkit. If necessary, they used the Frida tool to bypass the certificate pinning used by the app in question.
The results
The researchers have now presented the results at the Black Hat 2024 IT security conference. They claim to have discovered a total of 99 information leaks during their tests. The test setup and the full results are described in their research paper.
None of the APIs analyzed met the protection criteria established by the researchers. For example, the Badoo API exposes a user's gender and relationship status to other users, even though the user can hide this information in the app itself. OKCupid reveals sexual orientation, which can have serious consequences for people in repressive countries such as Egypt, Russia or Saudi Arabia.
Nine of the apps make the time of the last user activity visible and the API traffic of twelve of the apps shows whether the other user likes you before swiping to the right ("liking") or left.
Where were you yesterday?
The researchers consider the disclosure of users' exact coordinates determined by the GPS module in their smartphone to be particularly serious. Six of the apps, including Badoo and Grindr, pack the coordinates into the API data stream. In the case of Grindr, users can even be located to an accuracy of around 100 meters.
Six other apps display the distance between the attacker and the victim within the application. If an attacker creates at least two accounts and manipulates their location, the victim's exact position can gradually be narrowed down by triangulation. According to the researchers, all of the app providers they approached have since at least stopped exact locations from leaking, by exposing only rounded coordinates via the API.
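One way a provider could implement the "rounded coordinates" mitigation mentioned above, as an added example that is not part of the article or the researchers' work: the server snaps a profile's position to the centre of a fixed grid cell and strips the other sensitive fields before the record leaves the API. The profile record, field names and grid size are assumptions.

```python
import math

# Constructed sample of what a profile endpoint might return before sanitising
# (hypothetical field names; not from any real app).
SAMPLE_PROFILE = {
    "id": 4711,
    "name": "Sample user",
    "lat": 50.879438,
    "lon": 4.700518,
    "last_seen": "2024-08-07T10:15:00Z",
    "liked_you": True,
}

# Grid step in degrees: 0.01 deg of latitude is roughly 1.1 km. Longitude cells
# are narrower away from the equator, so the latitude figure is the upper bound.
GRID_STEP = 0.01
SENSITIVE_FIELDS = ("lat", "lon", "last_seen", "liked_you")

def snap_to_grid(lat, lon, step=GRID_STEP):
    """Return the centre of the grid cell that contains (lat, lon).
    Deterministic: every point in a cell maps to the same output, so repeated
    queries from different attacker positions yield no extra information."""
    cell_lat = math.floor(lat / step) * step + step / 2
    cell_lon = math.floor(lon / step) * step + step / 2
    return round(cell_lat, 6), round(cell_lon, 6)

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def max_cell_error_m(lat, step=GRID_STEP):
    """Worst-case distance from a cell centre to its corner at this latitude;
    use it to pick a grid step that matches the coarseness you want to expose."""
    half_lat_m = haversine_m(lat, 0.0, lat + step / 2, 0.0)
    half_lon_m = haversine_m(lat, 0.0, lat, step / 2)
    return math.hypot(half_lat_m, half_lon_m)

def sanitize_profile(profile):
    """Copy of the record with exact coordinates, last-activity time and
    pre-swipe match state removed; only the coarse cell centre is kept."""
    out = {k: v for k, v in profile.items() if k not in SENSITIVE_FIELDS}
    out["lat"], out["lon"] = snap_to_grid(profile["lat"], profile["lon"])
    return out
```

Snapping to a fixed grid rather than adding random noise matters: random jitter can be averaged away by querying repeatedly, whereas a deterministic cell centre gives the same answer every time.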
Wrong motivation
The researchers also criticize the fact that the app providers do not encourage their users to share as little data as possible. On the contrary, they urge them to disclose as many intimate details about themselves as possible in order to increase their chances of being found.
The published privacy policies are also not worded clearly enough for users to understand exactly how the respective service uses which kind of personal or intimate data.
To avoid making things unnecessarily easy for stalkers, the researchers suggest showing profiles only to verified users. Photo verification is not foolproof either, but according to them it raises the bar sufficiently.
(mki)