Blog: Vulnerability Advisory
Dating apps that track users from home to work and everywhere in-between
- We were able to precisely locate and track the users of four major dating apps, potentially putting at risk 10 million users
- This risk level is elevated for the LGBT+ community who may use these apps in countries with poor human rights where they may be subject to arrest and persecution.
- App makers must do more to prevent location leakage in their apps and properly communicate this risk to their users.
During our research into dating apps (see also our work on 3fun) we looked at whether we could identify the location of users.
Previous work on Grindr has shown that it is possible to trilaterate the location of its users. Trilateration is like triangulation, except that it takes into account altitude, and is the algorithm GPS uses to derive your location, or when locating the epicentre of earthquakes, and uses the time (or distance) from multiple points.
Triangulation is pretty much the same as trilateration over short distances, say less than 20 miles.
Many of these apps return an ordered list of profiles, often with distances in the app UI itself:
By supplying spoofed locations (latitude and longitude) it is possible to retrieve the distances to these profiles from multiple points, and then triangulate or trilaterate the data to return the precise location of that person.
We created a tool to do this that brings together multiple apps into one view. With this tool, we can find the location of users of Grindr, Romeo, Recon, (and 3fun) – together this amounts to nearly 10 million users globally.
Here’s a view of central London:
And zooming in closer we can find some of these app users in and around the seat of power in the UK:
By simply knowing a person’s username we can track them from home, to work. We can find out where they socialise and hang out. And in near real-time.
Asides from exposing yourself to stalkers, exes, and crime, de-anonymising individuals can lead to serious ramifications. In the UK, members of the BDSM community have lost their jobs if they happen to work in “sensitive” professions like being doctors, teachers, or social workers. Being outed as a member of the LGBT+ community could also lead to you using your job in one of many states in the USA that have no employment protection for employees’ sexuality.
But being able to identify the physical location of LGBT+ people in countries with poor human rights records carries a high risk of arrest, detention, or even execution. We were able to locate the users of these apps in Saudi Arabia for example, a country that still carries the death penalty for being LGBT+.
It should be noted that the location is as reported by the person’s phone in most cases and is thus heavily dependent on the accuracy of GPS. However, most smartphones these days rely on extra data (like phone masts and Wi-Fi networks) to derive an augmented position fix. In our testing, this data was sufficient to show us using these data apps at one end of the office versus the other.
The location data collected and stored by these apps is also very precise – 8 decimal places of latitude/longitude in some cases. This is sub-millimetre precision and not only unachievable in reality but it means that these app makers are storing your exact location to high degrees of accuracy on their servers. The trilateration/triangulation location leakage we were able to exploit relies solely on publicly-accessible APIs being used in the way they were designed for – should there be a server compromise or insider threat then your exact location is revealed that way.
We contacted the various app makers on 1st June with a 30 day disclosure deadline:
- Romeo replied within a week and said that they have a feature that allows you to move yourself to a nearby position rather than your GPS fix.
This is not a default setting and has to be found enabled by digging deep into the app: https://www.planetromeo.com/en/care/location/
- Recon replied with a good response after 12 days. They said that they intended to address the issue “soon” by reducing the precision of location data and using “snap to grid”. Recon said they fixed the issue this week.
- 3fun’s was a train wreck: Group sex app leaks locations, pics and personal details. Identifies users in White House and Supreme Court
- Grindr didn’t respond at all. They have previously said that your location is not stored “precisely” and is more akin to a “square on an atlas”. We didn’t find this at all – Grindr location data was able to pinpoint our test accounts down to a house or building, i.e. exactly where we were at that time.
We think it is utterly unacceptable for app makers to leak the precise location of their customers in this fashion. It leaves their users at risk from stalkers, exes, criminals, and nation states.
Contrary to Romeo’s statement (https://www.planetromeo.com/en/care/location/), there are technical means to obfuscating a person’s precise location whilst still leaving location-based dating usable.
- Collect and store data with less precision in the first place: latitude and longitude with three decimal places is roughly street/neighbourhood level.
- Use “snap to grid”: with this system, all users appear centred on a grid overlaid on a region, and an individual’s location is rounded or “snapped” to the nearest grid centre. This way distances are still useful but obscure the real location.
- Inform users on first launch of apps about the risks and offer them real choice about how their location data is used. Many will choose privacy, but for some, an immediate hookup might be a more attractive option, but this choice should be for that person to make.
- Apple and Google could potentially provide an obfuscated location API on handsets, rather than allow apps direct access to the phone’s GPS. This could return your locality, e.g. “Buckingham”, rather than precise co-ordinates to apps, further enhancing privacy.
Dating apps have revolutionised the way that we date and have particularly helped the LGBT+ and BDSM communities find each other.
However, this has come at the expense of a loss of privacy and increased risk.
It is difficult to for users of these apps to know how their data is being handled and whether they could be outed by using them. App makers must do more to inform their users and give them the ability to control how their location is stored and viewed.