Dating apps require users to disclose sensitive information, not just their romantic dreams. Most of the time, these apps require personal data such as your name, age, and location. Regarding the latter, a new paper details how several major apps at one time made it possible for users’ locations to be exposed to potential adversaries.
Dating app location vulnerability
In a new paper from the University of Leuven in Belgium, “Swiping left for identity theft,” researchers detail the potential privacy risks of 15 location-based dating apps (LBD) that have been downloaded at least 10 million times. Today, dating apps are often location-based to help users find matches that are closer to them. However, since location is required, it exposes users to potential risks.
All but one of the apps use the distance between users as their measure of location. (The exception is Tantan, an Asian dating app, which uses precise coordinates once and only when matching.) “However, due to a lack of adequate protection, the availability of distance may still result in inferring the user’s location,” the document states. “This is done through trilateration.”
Trilateration is the process of determining a location by measuring distances to it from three known points, using the geometry of triangles (or circles or spheres). There are different types of trilateration for determining location. According to TechCrunch, authors Karel Dhondt, Victor Le Pochat, Yana Dimova, Wouter Joosen and Stijn Volckaert found that they were able to find almost exact locations in six of the 15 apps.
Which dating apps have location vulnerabilities?
The most common vulnerability is “oracle trilateration,” the paper explains, “where adversaries use an oracle that uses a binary signal to indicate whether the victim is nearby, that is, when it is within a defined ‘proximity distance’ to the attacker.”
Hinge, Bumble, Badoo (owned by Bumble), and Hily are all susceptible to this kind of trilateration.
A Hinge spokesperson told Mashable:
At Hinge, user security and privacy are always our top priority. Our apps are built with a privacy-by-design approach that strictly protects sensitive user data. We’re proud of our state-of-the-art bug bounty program and ongoing dialogue with researchers designed to attract comments so we can make adjustments before users suffer any harm. When we received feedback from the research team in early 2023, we reviewed it and took appropriate action immediately.
A Bumble spokesperson told TechCrunch and Mashable: “We were made aware of these findings in early 2023 and quickly addressed the issues listed. As a global business with members in countries around the world, we are committed to protecting the privacy of our users and take a global approach to privacy compliance.”
Bumble told Mashable that this statement also applies to Badoo.
Hily CTO and co-founder Dmytro Kononov shared this statement with TechCrunch:
The results show the potential of trilateration. However, in practice, exploiting this for an attack is impossible. This is due to our internal mechanisms designed to protect against spammers and the logic of our crawling algorithms… Nonetheless, we consulted extensively with the report authors and collaborated on the development of the new geocoding algorithm to completely eliminate such attacks. These new algorithms have been successfully implemented for more than a year.
Grindr is susceptible to exact distance trilateration. This is possible when the service displays the exact distance to other users. The authors were able to calculate the user’s position to within 111 meters (approximately 364 feet). Exact distance trilateration is possible even if distances are hidden, such as in Egypt, where Grindr hides all user locations for security reasons.
“The proximity that Grindr provides to this community is critical to providing the ability to interact with those closest to you,” Kelly Peterson Miranda, chief privacy officer at Grindr, told TechCrunch. “Unlike many location-based social networks, like dating apps, Grindr requires certain location information in order to connect its users with nearby users… Grindr users can control the location information they provide.”
Finally, the app happn is susceptible to “rounded distance trilateration,” which can be accomplished when the app uses rounded distances as a precaution. Happn CEO and President Karima Ben Abdelmalek told TechCrunch:
After our Chief Security Officer reviewed the study results, we had the opportunity to discuss the trilateration method with the researchers. However, happn has an extra layer of protection beyond the rounding distance… This extra protection was not taken into account in their analysis, and we agree that this extra measure on happn makes trilateration techniques invalid.
It appears that all of the apps with these vulnerabilities, with the exception of Grindr, have taken steps to prevent bad actors from using trilateration to determine a user’s location.
Which dating apps are not vulnerable?
According to the paper, Tinder and LOVOO use “grid alignment,” also called grid snapping, to prevent trilateration. Grid snapping is the technique of dividing the map into a square grid and assigning each user’s position to one of the squares. The coordinates (aka the user’s location) are moved to the center (Tinder) or to the right (LOVOO) of these squares, and distances are measured from there. Because the reported distance no longer reflects the users’ actual positions, trilateration is not possible.
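The effect of snapping to the cell center, compared with rounding a distance computed from exact coordinates, can be seen in a short sketch. This is an added example, not code from the paper or from any app; the cell size, rounding step, coordinates and the choice to snap both users are assumptions made for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
CELL_DEG = 0.01   # constructed cell size (~1.1 km of latitude), not any app's real value

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def snap_to_cell_center(pos, cell_deg=CELL_DEG):
    """Replace a position with the centre of the grid square containing it."""
    return tuple((math.floor(c / cell_deg) + 0.5) * cell_deg for c in pos)

def distance_rounded(viewer, target, step_m=100):
    """Exact coordinates, with only the returned distance rounded to step_m."""
    return round(haversine_m(viewer, target) / step_m) * step_m

def distance_snapped(viewer, target):
    """Both positions snapped to their cell centre before measuring (assumption)."""
    return haversine_m(snap_to_cell_center(viewer), snap_to_cell_center(target))

def distinct_outputs(report, viewer, targets):
    """Number of different values the service returns as the target moves."""
    return len({round(report(viewer, t), 3) for t in targets})

# Constructed sample data: one viewer and 25 target positions that all lie
# inside the same 0.01-degree cell.
VIEWER = (50.9035, 4.7315)
TARGETS = [(50.871 + 0.002 * i, 4.701 + 0.002 * j)
           for i in range(5) for j in range(5)]

if __name__ == "__main__":
    print("rounded distance:", distinct_outputs(distance_rounded, VIEWER, TARGETS), "distinct values")
    print("grid snapped:    ", distinct_outputs(distance_snapped, VIEWER, TARGETS), "distinct value")
```

With snapping, every position inside the cell produces the same reported distance, so the response carries no information about where in the square the user is; with rounding alone the output still changes as the user moves.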
Plenty of Fish and Meetic cannot access GPS location. While MeetMe, Tagged, and OkCupid do access this information, they convert it to the nearest town. The authors were unable to reverse engineer the information required by Tantan and Jaumo, so they were unable to test this method to find the user’s location.
The paper shows the importance of caution when using dating apps. As the paper concludes, “We hope that our understanding of these issues will lead LBD application providers to reconsider their data collection practices, protect their APIs [application programming interfaces], prevent data leaks, prevent location inference, and put users in control of their data and, ultimately, their privacy.”