Blog Post

Dangerous liaisons. Investigating the protection of internet dating apps

Dangerous liaisons. Investigating the protection of internet dating apps

Investigating the security of internet dating apps

This indicates most of us have written in regards to the hazards of internet dating, from therapy mags to criminal activity chronicles. But there is however one less apparent danger perhaps not pertaining to setting up with strangers – and that's the mobile apps utilized to facilitate the method. We’re speaking right right here about intercepting and stealing information that is personal and the de-anonymization of a dating service that may cause victims no end of troubles – from messages being delivered away in their names to blackmail. We took the essential apps that are popular analyzed what type of user information they certainly were with the capacity of handing up to criminals and under exactly exactly what conditions.

By de-anonymization we mean the user’s genuine name being founded from a social communitying network profile where usage of an alias is meaningless.

Consumer monitoring abilities

To begin with, we checked exactly exactly how effortless it had been to trace users aided by the information for sale in the software. In the event that software included a choice to demonstrate your home of work, it absolutely was simple enough to complement the title of a person and their web web page for a social networking. As a result could enable crooks to assemble even more data about the target, monitor their movements, identify their group of buddies and acquaintances. This data can then be employed to stalk the target.

Discovering a user’s profile on a network that is social means other application restrictions, for instance the ban on composing one another communications, may be circumvented. Some apps just enable users with premium (paid) accounts to send communications, while others prevent guys from beginning a discussion. These limitations don’t frequently use on social networking, and everyone can compose to whomever they like.

More particularly, in Tinder, Happn and Bumble users can add on details about their job and training. Making use of that information, we handled in 60% of situations to determine users’ pages on different social media marketing, including Twitter and LinkedIn, as well as their complete names and surnames.

a good example of a merchant account that gives workplace information which was utilized to spot the consumer on other media networks that are social

In Happn for Android os there is certainly a search that is additional: on the list of data in regards to the users being seen that the host delivers to the application, there is certainly the parameter fb_id – a specially created recognition quantity for the Facebook account. The application utilizes it to learn just exactly exactly how friends that are many individual has in accordance on Facebook. This is accomplished utilising the verification token the software gets from Facebook. By changing this demand slightly – removing some associated with original demand and leaving the token – you'll find out of the name regarding the individual when you look at the Facebook take into account any Happn users seen.

Data received because of the Android form of Happn

It’s even easier to get a individual account using the iOS variation: the host returns the user’s facebook that is real ID to your application.

Data received because of the iOS type of Happn

Details about users in every the other apps is generally limited by just pictures, age, very very first title or nickname. We couldn’t find any is the reason individuals on other networks that are social simply these details. A good search of Google images didn’t assist. The search recognized Adam Sandler in a photo, despite it being of a woman that looked nothing like the actor in one case.

The Paktor application enables you to discover e-mail addresses, and not only of these users which can be seen. Everything you need to do is intercept the traffic, which will be effortless adequate doing all on your own unit. Because of this, an attacker can end up getting the e-mail addresses not merely of these users whose pages they viewed also for other users – the application gets a summary of users through the host with information that features email details. This dilemma can be found in both the Android os and iOS variations of this application. It has been reported by us towards the developers.

Fragment of information which mocospace includes a user’s email

A number of the apps within our study enable you to connect an Instagram account to your profile. The data removed in the account name from it also helped us establish real names: many people on Instagram use their real name, while others include it. Utilizing this information, you may then locate a Facebook or LinkedIn account.


The majority of the apps inside our research are susceptible in terms of determining individual places ahead of an attack, even though this risk had been mentioned in a number of studies (for example, right right right here and right here). We discovered that users of Tinder, Mamba, Zoosk, Happn, WeChat, and Paktor are specially vunerable to this.

Screenshot regarding the Android os form of WeChat showing the exact distance to users

The assault is founded on a function that presents the exact distance with other users, often to those whoever profile is increasingly being seen. Although the application does not show by which way, the positioning is learned by getting around the victim and data that are recording the length for them. This process is fairly laborious, though the solutions on their own simplify the job: an assailant can stay static in one spot, while feeding coordinates that are fake a solution, every time getting information concerning the distance into the profile owner.

Mamba for Android os shows the exact distance to a person

Various apps reveal the length to a person with varying precision: from the few dozen meters as much as a kilometer. The less accurate an software is, the greater amount of dimensions you'll want to make.

plus the distance to a person, Happn shows just exactly exactly how often times “you’ve crossed paths” using them

Unprotected transmission of traffic

The apps exchange with their servers during our research, we also checked what sort of data. We had been thinking about what could possibly be intercepted if, as an example, the consumer links to an unprotected cordless network – to hold an attack out it is enough for a cybercriminal become on a single system. Even when the Wi-Fi traffic is encrypted, it could nevertheless be intercepted on an access point if it is managed by way of a cybercriminal.

A lot of the applications utilize SSL whenever chatting with a host, many things stay unencrypted. For instance, Tinder, Paktor and Bumble for Android os while the iOS form of Badoo upload pictures via HTTP, for example., in unencrypted structure. This enables an assailant, as an example, to see which accounts the target happens to be viewing.

HTTP needs for pictures through the Tinder application

The Android form of Paktor makes use of the quantumgraph analytics module that transmits great deal of data in unencrypted structure, like the user’s name, date of delivery and GPS coordinates. In addition, the module delivers the host details about which application functions the target happens to be making use of. It ought to be noted that into the iOS version of Paktor all traffic is encrypted.

Visit Appcropolis Mobile Builder

Need a different template?

Create your own templates using the Appcropolis Mobile Builder.