Risky online dating apps putting your privacy in danger

You may not be as anonymous as you think.

Risky online dating apps putting your privacy in danger

If you weren't nervous enough about the prospect of meeting a complete stranger after connecting on an online dating app, there's something else to worry about.

Just how carefully is your app keeping your personal information and location out of other people's sight?

Researchers at Kaspersky have taken a look at a number of online dating apps for Android and iOS, and found that some are doing a pretty poor job of securing users' details.

Firstly, some apps encourage users to enter their place of work on their profile:

First of all, we checked how easy it was to track users with the data available in the app. If the app included an option to show your place of work, it was fairly easy to match the name of a user and their page on a social network. This in turn could allow criminals to gather much more data about the victim, track their movements, identify their circle of friends and acquaintances. This data can then be used to stalk the victim.

More specifically, in Tinder, Happn and Bumble users can add information about their job and education. Using that information, we managed in 60% of cases to identify users’ pages on various social media, including Facebook and LinkedIn, as well as their full names and surnames.

In addition, some dating apps were found to track users' location - displaying the distance between a malicious party and a target. If a target was staying in one place, a hacker could feed an app bogus co-ordinates and receive information about their relative distance to track down the location of the person they were interested in.

The researchers reported that users of the Tinder, Mamba, Zoosk, Happn, WeChat, and Paktor apps were particularly susceptible to having their location determined.

Risky online dating apps putting your privacy in danger

Meanwhile, some apps were guilty of elementary security failures - transmitting sensitive information in an unencrypted format, opening opportunities for an attack to intercept the data in transit:

Most of the applications use SSL when communicating with a server, but some things remain unencrypted. For example, Tinder, Paktor and Bumble for Android and the iOS version of Badoo upload photos via HTTP, i.e., in unencrypted format. This allows an attacker, for example, to see which accounts the victim is currently viewing.

So, what should you do about this?

The first rule has to always be to think carefully about what information you share online (including in dating apps). Even if the information you have provided to the app isn't in itself enough to identify you, remember that chances are that you have left plenty of other information about yourself lying across the internet (maybe on Facebook on LinkedIn for instance) which will help someone to track you down.

Image searchIt may even be possible for an attacker to conduct what are known as "reverse image searches", where rather than type words into a search engine to look for something, someone could use the image that you have posted on a dating app and see if a similar image appears anywhere else online.

My guess is that many people may be quite happy using the same flattering snap of themselves in a dating app as on a social network or Instagram.

The other issue is that clearly some of these apps are poorly written. Your dating app may contain vulnerabilities that could lead to you unwittingly leaking your personal information, or provide clues that could lead someone to determining your true identity or location.

Depending on the vulnerability there may or may not be ways in which you can protect yourself from this - but I would always recommend using a secure VPN to protect your privacy when connected to the net via public Wi-Fi (even better use 3G or 4G if you're unsure about the Wi-Fi) and as a general rule only share information you don't mind ending up appearing in public online.

(Visited 1,820 times, 1 visits today)

Tags: , , , , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , , , , ,

One Response

  1. Jonathan

    November 1, 2017 at 2:14 am #

    What is the risk here? So the hacker knows my name, my employer, my alma mater, and my location? Then what?

Leave a Reply