Dating apps ask users to disclose personal information, and not just about someone’s romantic dreams. Often, these apps ask for personal information like name, age, and location. Speaking of location, a new paper details how at one point, several major apps left users’ locations exposed to potential adversaries.
Location vulnerability in dating apps
In a new paper, “Swipe Left, Your Identity is Being Stolen,” from the Catholic University of Leuven in Belgium, researchers analyze the potential privacy risks of 15 location-based dating apps (LBD) that have been downloaded at least 10 million times. Modern dating apps are typically location-based to help users find partners who are physically nearby. However, the need for location exposes users to potential risks.
All but one app used the distance between users to measure location. (The exception, Asian dating app TanTan, used precise coordinates only once, at the point of matching, but only if a match was made.) “However, without sufficient protection, it may be possible to infer a user’s location from the distance being available,” the paper states. “This is done by trilateration.”
Trilateration is the process of determining a location from measured distances, using the geometry of triangles (or circles, or spheres). There are many different trilateration methods used to determine location. As reported by TechCrunch, authors Karel Dhondt, Victor Le Pochat, Yana Dimova, Wouter Joosen, and Stijn Volckaert found that for 6 out of 15 apps, it was possible to determine a fairly accurate location.
Which dating apps had location vulnerabilities?
The most common vulnerability is “oracle trilateration,” which the paper explains: “Through a binary signal, an oracle indicates to the adversary whether the victim is nearby, i.e., within a defined ‘proximity distance’ from the attacker.”
Hinge, Bumble, Badoo (owned by Bumble), and Hily were susceptible to this kind of trilateration.
A Hinge spokesperson told Mashable:
“At Hinge, the safety and privacy of our users has always been our top priority. Our apps are built with a privacy-by-design approach, and we closely guard sensitive user data. We are proud of our cutting-edge bug bounty programs and ongoing dialogue with researchers. These programs are designed to collect comments so we can make adjustments before harm is caused to our users. We reviewed feedback from this research team as we received it in early 2023 and took immediate action where appropriate.”
A Bumble spokesperson told both TechCrunch and Mashable: “We became aware of these findings in early 2023 and promptly addressed the issues. As a global company with members around the world, we are committed to protecting the privacy of our users and take a global approach to privacy compliance.”
Bumble told Mashable that this statement also applies to Badoo.
Dmytro Kononov, CTO and co-founder of Hily, told TechCrunch:
“Our findings showed the potential for trilateration. However, in practice, it was not possible to exploit this in an attack. This is due to our internal mechanisms designed to protect against spammers, and the logic of our search algorithms. Nevertheless, we consulted extensively with the authors of the report and together we developed new geocoding algorithms to completely eliminate this type of attack. These new algorithms have been successfully implemented for over a year.”
Grindr was vulnerable to “exact distance trilateration,” which can occur if the service exposes exact distances to other users. The authors were able to pinpoint a user’s location to within 111 meters (about 364 feet). Exact distance trilateration was possible even when the distance was hidden, such as in Egypt, where Grindr hides the locations of all users for security reasons.
“The proximity that Grindr provides to this community is paramount in giving you the ability to interact with the people closest to you,” Kelly Peterson Miranda, Grindr’s chief privacy officer, told TechCrunch. “Like many location-based social networks and dating apps, Grindr requires your specific location to connect you with people nearby…Grindr users have control over the location information they provide.”
Finally, the app happn was vulnerable to “rounded distance trilateration,” which can occur when an app uses rounded location information as a precaution. Karima Ben Abdelmalek, CEO and president of happn, told TechCrunch:
“After our Chief Security Officer reviewed their findings, we had a chance to discuss the trilateration methodology with the researchers. However, happn has an additional layer of protection beyond just rounding the distance… This additional protection was not considered in the analysis, and we mutually agreed that this additional measure by happn renders the trilateration technique ineffective.”
With the exception of Grindr, all of the vulnerable apps appear to have measures in place to stop bad actors from using trilateration to pinpoint a user’s location.
Which dating apps don’t have vulnerabilities?
According to the paper, Tinder and LOVOO used “grid snapping” to prevent trilateration. Grid snapping is a technique that divides the map into a grid of squares. Coordinates (i.e. the user’s current location) are moved to the center (Tinder) or to the right (LOVOO) of these squares, and distances are measured from there. Therefore, the reported distances are inexact and cannot be used for trilateration.
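The grid snapping described above, sketched as server-side logic in the center-of-square style the article attributes to Tinder. This is an added example, not code from the paper or from any app; the cell size, function names and sample coordinates are assumptions constructed for illustration.

```python
import math

CELL_DEG = 0.01  # assumed cell size (~1.1 km north-south); not a value from the paper

def cell_index(lat, lon, cell_deg=CELL_DEG):
    """Integer (row, col) of the grid square containing the point."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))

def snap_to_center(lat, lon, cell_deg=CELL_DEG):
    """Replace a coordinate with the center of its grid square."""
    row, col = cell_index(lat, lon, cell_deg)
    return ((row + 0.5) * cell_deg, (col + 0.5) * cell_deg)

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometers."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def reported_distance_km(viewer, target, cell_deg=CELL_DEG):
    """Distance the API returns: computed only from snapped positions."""
    return haversine_km(snap_to_center(*viewer, cell_deg),
                        snap_to_center(*target, cell_deg))

# Constructed sample coordinates (not real users).
VIEWER = (50.8467, 4.3525)
TARGET_A = (50.8791, 4.7012)   # two positions inside the same grid square
TARGET_B = (50.8712, 4.7088)
TARGET_C = (50.8801, 4.7012)   # just across the square's northern edge

if __name__ == "__main__":
    for name, t in (("A", TARGET_A), ("B", TARGET_B), ("C", TARGET_C)):
        print(name, cell_index(*t),
              f"exact={haversine_km(VIEWER, t):.3f} km",
              f"reported={reported_distance_km(VIEWER, t):.3f} km")
```

Both the viewer and the target are snapped, so moving the querying position inside one square does not change the answer either. The raw coordinates must stay on the server for this to hold; a degree-based grid also narrows east-west at higher latitudes, which a production design would need to account for.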
Plenty of Fish and Meetic do not access GPS location information. MeetMe, Tagged, and OkCupid access this information but convert it to the nearest town. The authors were not able to reverse engineer the necessary information for TanTan and Jaumo, so were unable to test finding a user’s location in this manner.
The paper shows the importance of caution when using dating apps. It concludes: “We hope that our awareness of these issues will lead LBD app providers to rethink their data collection practices and secure their APIs (application programming interfaces). It prevents data leaks, prevents location estimation, and ultimately ensures privacy by giving users control over their own data.”