A new research paper says location-based dating apps like Grindr and Tinder can be hacked to reveal email addresses, pictures and private messages.
Security analyst Raymond Choo, working at the University of South Australia in Adelaide, looked at the security of dating apps by adding fake profiles to eight top apps.
The case study uses forensic techniques on the popular location-based apps, to find out what type of data could be retrieved.
The apps the team analysed were: Badoo, Grindr, Skout, Tinder, Jaumo, MeetMe, FullCircle and MiuMeet.
The researchers performed their forensic analysis by using the process outlined in the chart below, which they said would: “ensure that we collected all relevant information saved by apps on the device.”
In the paper, Choo said: “In addition to this process, as the code for these apps was mostly obfuscated and could not be directly analyzed, we captured the network traffic of each app while performing the standard actions of viewing a profile, sending and receiving a message and sending a photo through private messages if the function was available.
“Analysis was performed on an extraction of the data in the apps’ private directory using the adb pull and adb backup commands to preserve original data.”
Choo’s team found that for at least half of the apps, they could extract the private chat messages of the user.
They were able to access images of all the nearby profiles a Tinder or Grindr user had encountered, which could potentially allow someone to “expose other members of the community.”
Their paper also said dating apps store messages and location readings that could be used to reconstruct events or prove an alibi, which may aid in the prosecution of crimes involving these apps.
Choo and his team also found that Skout collected Facebook data from non-Skout users, and that in the Full Circle and MiuMeet apps private images were viewable, which could potentially be exploited by a malicious party.
However, the researchers were only able to access most of this data because they had physical access to the device – meaning users would only be at risk if their phone had been stolen.
In conclusion, Choo said: “Considering the personal nature of the information and images being shared over GeoSocial dating apps, it is disturbing that so much data can be so easily recovered. It is also problematic that many users are not aware how much data is being sent, stored and what their data is being used for. Many users would not appreciate their privately shared images and conversations being seen by third parties that they had not consented to.
“App developers must consider the types of sensitive data they are collecting and storing on mobile devices that may be subject to unauthorized access (either physically or remotely) and how this data can be better protected. For example, encrypting sensitive data stored on mobile devices may not resolve the issue of unauthorized access entirely, but it at least provides another layer of difficulty for a physical attacker to break through. App suppliers should also be implementing technical procedures to detect the improper storage of sensitive data on mobile devices during the initial app validation process.”
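The “detect improper storage” check Choo recommends, as an added example that is not from the paper or from any of the apps studied: a Python scanner that walks an extracted app data directory (the kind `adb pull` produces) and flags files holding plaintext emails, tokens or coordinates. The directory layout, file contents and detection patterns are constructed here for illustration.

```python
"""Flag plaintext sensitive data in an extracted Android app data directory.

Added example (not the paper's code): the kind of pre-release check an app
reviewer can run over an `adb pull` extraction. Sample files are constructed.
"""
import os
import re
import tempfile

# Constructed sample of what an app's private directory might contain.
SAMPLE_FILES = {
    "shared_prefs/session.xml": '<map><string name="email">alice@example.com</string>'
                                '<string name="auth_token">tok_0123456789abcdef</string></map>',
    "files/messages.log": "2015-06-01 12:00 from bob: see you at 34.9285,138.6007 tonight",
    "files/settings.json": '{"theme": "dark", "notifications": true}',
}

# Detection patterns (illustrative; a real check would be broader).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "auth_token": re.compile(r'(?i)(token|password|secret)["\s:=>]+[^"\s<]{8,}'),
    "coordinates": re.compile(r"-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}"),
}

def build_sample_dir(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)

def scan_app_dir(root):
    """Return {relative_path: [finding kinds]} for files with plaintext PII."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            kinds = [k for k, rx in PATTERNS.items() if rx.search(text)]
            if kinds:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = kinds
    return findings

def demo():
    """Build the sample extraction in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_dir(root)
        return scan_app_dir(root)

if __name__ == "__main__":
    for path, kinds in sorted(demo().items()):
        print(f"{path}: {', '.join(kinds)}")
```

Files that match are candidates for moving into encrypted storage or out of the device entirely, which is the mitigation the quote above proposes.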
Read the full report here.