LAS VEGAS—One great thing about connecting through a dating app is if someone’s clearly not right you can just swipe left and never meet them. But many apps let you view proximity for possible matches, thereby revealing your location to an extent. Flawed security in those apps can reveal a lot more, potentially exposing you to stalking and abuse. Karel Dhondt and Victor Le Pochat, researchers at Belgian university KU Leuven, analyzed 15 apps in this field and homed in on ways they enable threats to a user’s safety and privacy. At the Black Hat conference here, they presented their findings, along with recommendations to remediate these dangers.

Trading Privacy for the Right Match

“Dating apps and security haven’t been the best match so far,” said Dhondt. “They’ve led to stalking, assault, scammers, and even persecution of minorities.”

“Location-based dating elicits a peculiar privacy behavior,” he added. “Users willingly share personal data with people they don’t know. There’s a tension between sharing enough data while still maintaining your own privacy.”
Of the 15 apps Dhondt and Le Pochat examined, they considered three levels of data exposure. Naturally there’s the intended sharing of data you provide with other users. A second level of exposure is the traffic leak, or data easily extracted from API communications. Finally, they looked at active exfiltration possibilities.

API leaks proved the most common. “All 15 of the apps leak API data,” said Dhondt. “We found 99 API leaks in total. This highlights the need for better security.”

Dhondt noted that some of the apps leaked the exact location of other users in API data communication. But intercepting API traffic isn’t required to locate a target.

Most of the apps tell you just how far away a given potential match is. They don’t give the actual location, but an adversary could pinpoint you using a technique called trilateration. It’s actually pretty simple. The adversary spoofs a location and checks the distance to the target. Doing that twice more yields a total of three location and distance pairs. The adversary draws a circle around each spoofed location with a radius matching the specified proximity. As long as the three spoofed locations don’t lie on one straight line, the circles meet in a single point. Where the three circles intersect…there you are!
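The following is an added worked example, not code from the researchers or from any of the apps. It simulates the attack just described, and goes one step further than the plain case: the app is modelled by a local oracle that knows a hidden target position (constructed, in metres on a flat plane), and the attacker only ever calls that oracle with spoofed positions. It covers three reporting styles the talk discusses: exact distance, distance rounded down to 100 m, and a yes/no "within 1 km" flag. For the rounded and yes/no cases, the attacker re-spoofs along a line until the report changes and then bisects to the exact point of change, which lies on a circle of known radius; three such points are then trilaterated like exact readings. The target coordinates, bucket size, threshold and probe positions are all assumptions chosen for the demonstration.

```python
"""Added example (not the researchers' code): locating a user from a dating
app's distance reports.  Coordinates are metres on a local flat plane; the
app is simulated by oracles that know the hidden TARGET, and the attacker
only calls an oracle with spoofed positions, as a spoofing client would."""
import math
from typing import Callable, List, Tuple

Point = Tuple[float, float]

TARGET: Point = (1234.5, 876.25)   # hidden victim position (constructed)
STEP_M = 100.0                     # assumed: app rounds distances down to 100 m
NEARBY_M = 1000.0                  # assumed: threshold of a "within 1 km" flag
# Attacker probes (spoofed start, walking direction): chosen to bracket the
# coarse search area; they are not derived from TARGET.
PROBES: List[Tuple[Point, Point]] = [((0.0, 0.0), (1.0, 0.0)),
                                     ((1500.0, 3000.0), (0.0, -1.0)),
                                     ((3000.0, 500.0), (-1.0, 0.0))]

def dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])

def make_distance_oracle(target: Point, step_m: float = 0.0) -> Callable[[Point], float]:
    """Simulated API: distance from the spoofed position to target, rounded
    DOWN to a multiple of step_m (step_m == 0 means the exact distance leaks)."""
    def oracle(spoofed: Point) -> float:
        d = dist(spoofed, target)
        return d if step_m <= 0 else math.floor(d / step_m) * step_m
    return oracle

def make_proximity_oracle(target: Point, radius_m: float) -> Callable[[Point], bool]:
    """Simulated API that only answers 'is the target within radius_m?'."""
    return lambda spoofed: dist(spoofed, target) <= radius_m

def trilaterate(c1: Point, r1: float, c2: Point, r2: float,
                c3: Point, r3: float) -> Point:
    """Common point of three circles.  Subtracting circle 1's equation from the
    other two leaves two linear equations in x, y, solved by Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = c1, c2, c3
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1 ** 2 - r2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = r1 ** 2 - r3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("spoofed positions are collinear; move one off the line")
    return ((c * e - b * f) / det, (a * f - c * d) / det)

def locate_exact(oracle: Callable[[Point], float], spots: List[Point]) -> Point:
    """Exact distances leaked: three spoofed positions and their reports suffice."""
    p1, p2, p3 = spots
    return trilaterate(p1, oracle(p1), p2, oracle(p2), p3, oracle(p3))

def walk_to_flip(oracle, start: Point, direction: Point, stride_m: float,
                 max_steps: int = 200) -> Tuple[Point, Point]:
    """Re-spoof along `direction` one stride at a time until the report changes;
    return the last position before the change and the first after it.  A stride
    no larger than the bucket size means at most one bucket edge per stride."""
    n = math.hypot(*direction)
    ux, uy = direction[0] / n, direction[1] / n
    v0, prev = oracle(start), start
    for i in range(1, max_steps + 1):
        nxt = (start[0] + i * stride_m * ux, start[1] + i * stride_m * uy)
        if oracle(nxt) != v0:
            return prev, nxt
        prev = nxt
    raise RuntimeError("report never changed; walk farther or change direction")

def find_boundary(oracle, before: Point, after: Point, eps_m: float = 0.001) -> Point:
    """Bisect between two positions whose reports differ; the result lies within
    eps_m of the circle on which the report flips."""
    lo, hi, v_lo = before, after, oracle(before)
    while dist(lo, hi) > eps_m:
        mid = ((lo[0] + hi[0]) / 2, (lo[1] + hi[1]) / 2)
        if oracle(mid) == v_lo:
            lo = mid
        else:
            hi = mid
    return hi

def locate_by_flips(oracle, stride_m: float, radius_of, probes=PROBES) -> Point:
    """Walk each probe to a flip, bisect to the flip point and use it as a circle
    centre whose radius radius_of(report_before, report_after) is known: the
    larger bucket edge for floor-rounded distances (pass `max`), or the fixed
    threshold for a 'within R' flag."""
    circles = []
    for start, direction in probes:
        before, after = walk_to_flip(oracle, start, direction, stride_m)
        centre = find_boundary(oracle, before, after)
        circles.append((centre, radius_of(oracle(before), oracle(after))))
    (c1, r1), (c2, r2), (c3, r3) = circles
    return trilaterate(c1, r1, c2, r2, c3, r3)
```

Usage: `locate_exact(make_distance_oracle(TARGET), [p for p, _ in PROBES])` recovers the target from three exact readings; `locate_by_flips(make_distance_oracle(TARGET, STEP_M), STEP_M, max)` does so from 100 m buckets, and `locate_by_flips(make_proximity_oracle(TARGET, NEARBY_M), NEARBY_M / 4, lambda a, b: NEARBY_M)` from nothing more than a yes/no flag. The rounding alone leaves a single query accurate only to the bucket size; it is the ability to re-spoof freely and watch for the flip that restores sub-metre accuracy, which is why the mitigations below (coarser rounding, rate limits on position updates, or not returning distance at all) matter more than the rounding granularity itself.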
Some apps round off the distance information, meaning this technique might only be accurate to 100 meters or so. But Dhondt showed that by moving the spoofed location until the rounded distance changes value, an adversary could increase the accuracy. A similar technique works with “proximity oracle” reports that merely say whether the target is within a certain distance.

Exposing the Adversary

Le Pochat took over to detail the obstacles a stalker might face. To see information about other users, you must have an account yourself. Getting that account requires exposing your own details, to a greater or lesser extent. Some apps even ask for a verified picture of you in a specific pose, or holding up a specific code word, so you can’t use a fake photo.

“Most require your email, which is easy to anonymize,” said Le Pochat. “Half require a valid phone number, which is a higher barrier, especially in countries that require you to register your identity with your SIM card.” Half of the tested apps also say they require real profile data, but they never verify. He pointed out that Grindr permits an empty profile, and Hinge lets you hide your profile. MeetMe and Tagged ask for nothing beyond an email address.
Improving Dating Security

“Sharing data in dating apps is expected,” said Dhondt. “People don’t find it concerning. They see it as beneficial. You want to see data on other users to select a good match.” He noted that certain groups are at higher risk if their data gets leaked. Women are more vulnerable to stalking or harassment. Those in the LGBTQ community can be outed or even face prosecution.

“These apps should give users control, choice, and agency,” said Dhondt. “They should stop nudging users to share more and more data. In fact, they should default to not sharing, so sharing becomes a conscious decision. They should only show profiles to other verified users.”

API data leaks are the biggest problem, and it’s a well-known issue, said Dhondt. App makers should enforce proper access control and avoid sending unnecessary data in API responses.

He noted that Tinder now rounds location reporting to an accuracy of one kilometer. It omits many of the sensitive details retained (and leaked) by others. “If you don’t have the data, you can’t leak it,” said Dhondt.

Good News for the Lovelorn

The group disclosed their findings to the 15 app companies, and 12 of them acknowledged receipt. Of those, nine engaged in discussions with the team. And all the data leaks have been fixed. You may still get your heart broken on a dating app, but the chances you’ll get stalked or abused have gone down, thanks to these researchers.