Top iOS dating apps are exposing your personal life to hackers

Max Greenwald, Max’s Blog, Feb 12, 2019
Credit: WIRED / iStock / anttoniu

[This story originally published in WIRED and was written by Matt Burgess. I conducted the investigative research for this article]

Looking for love online is complicated. Ghosting and Tinder etiquette make dating apps a social minefield, but they can also be a security one.

A WIRED investigation, with the support of an American security researcher, found that some of the UK’s most popular iOS dating apps are leaking Facebook identities, location data, pictures and more. The apps we analysed — Happn, HotOrNot, Tinder, Match.com, Bumble, AnastasiaDate, Once, HookUp Now, MeetMe and AffairD — are used by millions of people worldwide.

During testing, four of the free apps exposed customer information by not fully securing data sent from the app’s owners to customers’ phones. These were Happn, Hookup Now, AnastasiaDate, and AffairD. The analysis also highlighted the amount of personal data being collected by MeetMe and specific location data being gathered by Once. HotOrNot, Tinder, Match.com, and Bumble passed the tests and no vulnerabilities were found.

All of the apps studied, with the exception of AffairD, were selected because they were in the UK’s highest-grossing list at the time of the investigation, according to AppAnnie.

“It is pretty clear some of the apps have significant consumer privacy issues,” the researcher, who wishes to remain anonymous, told WIRED. “I don’t think any of these apps have bad intentions but some of them have negligent security practices that would allow an attacker or a person who has bad intentions to find out information about users the app doesn’t intend.”

‘Sniffing’ the apps

During the work, the researcher, from a leading US university, used a passive packet sniffing method to analyse data being sent to a phone from the apps’ servers. Within the unsecured data, personal details could be seen.

The technique — a man-in-the-middle attack — involves inspecting information sent to a device during an app’s normal usage. In this instance, the Mitmproxy software was used. During the investigation, the man-in-the-middle attack was performed by the researcher on himself — or to be more precise, on the apps installed on his phone. There is also no evidence any of the apps have been hacked or customer data compromised.

“Passive attackers listen to what’s being transmitted, while active attackers will try to interfere with and tamper with the messages being sent back and forth”, Greig Paul, an electronic and electrical engineering researcher at the University of Strathclyde, told WIRED.

The technique was recently used to find security flaws in fitness trackers. Another study found 110 Google Play Store and Apple App Store apps sharing data with third parties — an issue that could be problematic under data protection laws. Separately, a paper from the Worcester Polytechnic Institute and AT&T Labs Research used a similar method of attack to discover that 56 per cent of 100 popular websites leak visitors’ personal data.

App analysis firm verify.ly has also conducted MITM attacks against 76 popular iOS applications and found it possible to intercept data being moved from a server to a device. It found 33 applications had low-risk problems, 24 had medium-risk issues and 19 of the apps allowed access to financial or medical credentials.

Happn

France-based dating app Happn, which has more than ten million customers, lets members find people they have crossed paths with in real life. It’s supposed to only reveal a person’s first name, but technical analysis of data packets showed it also leaks a person’s Facebook ID. Using this ID, it’s possible to view a full profile page and identify the person.

Happn acknowledged there was a flaw when approached by WIRED and said: “We are working on a solution where Happn would act as a proxy, preventing users from being able to identify other users’ Facebook IDs in the future.”

Once

Once was shown to be gathering highly specific location data — in some instances a person’s location was gathered to an accuracy of under one metre. The company told WIRED it would evaluate whether it needed to collect close location data and remove this feature if it wasn’t required.

“We don’t want to leave any stone unturned,” Jean Meyer, the CEO and founder of Once told WIRED.

AnastasiaDate

AnastasiaDate — an app that connects men with women from Eastern Europe — allows for a person’s date of birth to be visible, despite not being displayed on their profile. Birthdates, accompanied by a person’s full name, have the potential to be used to commit identity fraud.

The company initially responded to WIRED’s request for comment but after being given specific details of the flaw, failed to reply to three follow-up emails.

Hookup Now

Hookup Now promises customers a ‘flirty online dating adventure that could easily become a real date’. Unbeknown to those seeking soulmates on the app, their private details are also being leaked.

The app is free to download but comes with in-app purchases, starting at £7.99 for a month’s worth of messages or to view pictures beyond the public profile image. During the investigations, private photos could be seen without customers paying, URLs of the photos were exposed, and the weight of a person, if shared with the app, could be viewed in data packets.

The app has no accompanying website, and links on the app store page point customers to a one-page service agreement. There is also no clearly visible way to delete a user account from within Hookup Now. During our investigation, version 1.0 of the app vanished from Apple’s App Store (Apple did not comment) but a new version (1.1) has appeared with the description “bug fix”. Reviews are a mix of five stars, posted to give the reviewer free access to the paid content, and one star calling HookUp Now a scam. WIRED was unable to contact the company.

MeetMe

MeetMe is a social networking app to find people nearby. People answer a series of questions and are matched with compatible members in the local area. During analysis, MeetMe sent data to one advertiser “110 times during a five-minute period while clicking different buttons in the app”, according to our source. Much of this data was sent when an in-app button was pressed.

Personal data entered on the app includes a person’s religion, ethnicity, age, geo-location to within inches (based on the number of decimal places in the data packets), sexual preferences and more. MeetMe said it provides anonymous advertising IDs to firms, which are widely used across the industry, and that it doesn’t share personally identifiable information with advertisers.

“MeetMe takes the security and privacy of our users very seriously,” a spokesperson for the company told WIRED. “As we note in our privacy policy, we use and share certain information for marketing and advertising purposes. We do this in accordance with our privacy policy and consistent with industry standards.”
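The findings above share one pattern: the server response carries fields the app never displays (a Facebook ID, a birthdate, a weight, a private photo URL) or coordinates with far more decimal places than the feature needs. The following is an added example, not code from any of the apps or from the investigation, of the kind of self-audit an app developer can run over their own API responses; the key names and the 100 m threshold are assumptions.

```python
"""Audit a JSON API response for over-sharing: sensitive keys the UI never
shows, and coordinates precise enough to place a person within metres."""
import json
from typing import List

# Assumed key names an app's own developers would flag in a response.
SENSITIVE_KEYS = {"facebook_id", "fb_id", "birthdate", "date_of_birth",
                  "weight", "password", "email", "private_photo_url"}
COORD_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}


def coord_resolution_m(value: str) -> float:
    """Approximate resolution in metres implied by a coordinate's decimal
    places: one degree of latitude is roughly 111 km, and every extra
    decimal place divides that by ten (5 places is about a metre)."""
    decimals = len(value.split(".")[1]) if "." in value else 0
    return 111_000 / (10 ** decimals)


def scan(body: str, max_resolution_m: float = 100.0) -> List[str]:
    """Return findings for a raw JSON body. Floats are kept as strings
    (parse_float=str) so their decimal places survive parsing."""
    findings: List[str] = []

    def walk(node, path="$"):
        if isinstance(node, dict):
            for k, v in node.items():
                p = f"{path}.{k}"
                if k.lower() in SENSITIVE_KEYS:
                    findings.append(f"{p}: sensitive field present")
                elif k.lower() in COORD_KEYS and isinstance(v, str):
                    res = coord_resolution_m(v)
                    if res < max_resolution_m:
                        findings.append(f"{p}: coordinate resolved to ~{res:g} m")
                walk(v, p)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")

    walk(json.loads(body, parse_float=str))
    return findings


# Constructed response body; not captured from any real app.
SAMPLE = ('{"users":[{"first_name":"A","facebook_id":"1234",'
          '"lat":51.5074123,"lng":-0.1277912}]}')

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run the same function over the responses the app's own test client receives; anything it reports is data a passive observer would see too.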

AffairD

Separate analysis of the AffairD dating app highlighted a further, significant flaw — unencrypted data packets. AffairD (designed as a “Discreet Affair Dating Site for No Strings Attached”) transmits user details through unencrypted HTTP packets, rather than HTTPS. HTTPS encrypts the connection between the device and the server and is indicated by a padlock icon in web browsers. The Electronic Frontier Foundation is calling for every website (not just those handling personal information) to use the protocol.

“Passwords and emails are sent in the clear, which means if I was sitting in a café and a person on the same Wi-Fi network as me was using Affair Dating, I could [capture that information] and log into their account,” the researcher said. “I assume people using this app want secrecy but there’s no secrecy here. It’s essentially like having an affair in a public park, anyone could see it.”

AffairD also has a more problematic flaw. Due to user IDs being “sequential” (e.g. user number 5123, 5124, 5125 etc) and user data being available, a mass pull of information could theoretically take place. “Someone could create a website where a spouse uploads a picture of their husband or wife and asks ‘is my husband or wife on this database?’ The website would match this picture against everything on the service to reveal if they are using it or not.”

Bumble similarly uses incremental IDs but puts strong security protection on who can access them. Bumble works by only allowing women to make the first contact when a match has been made.
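Two defences against the sequential-ID problem described above, as an added example that is not code from AffairD, Bumble or any other app named here: profiles are addressed by random opaque tokens rather than 5123, 5124, ..., and are only returned to a requester who has a confirmed match with the owner (the access control the article credits Bumble with); alongside it, a log check that flags a client walking through numeric IDs in order. The record layout and the access-log format are assumptions.

```python
"""Opaque, match-gated profile IDs plus an enumeration detector."""
import re
import secrets
from typing import Dict, FrozenSet, List, Optional, Set


class ProfileStore:
    def __init__(self) -> None:
        self._profiles: Dict[str, dict] = {}        # opaque id -> profile
        self._matches: Set[FrozenSet[str]] = set()  # unordered id pairs

    def create(self, profile: dict) -> str:
        # 128-bit random token: unguessable and not adjacent to any other id.
        pid = secrets.token_urlsafe(16)
        self._profiles[pid] = profile
        return pid

    def match(self, a: str, b: str) -> None:
        self._matches.add(frozenset((a, b)))

    def get(self, requester: str, target: str) -> Optional[dict]:
        # Authorisation first: knowing a valid id is not enough on its own.
        if requester != target and frozenset((requester, target)) not in self._matches:
            return None
        return self._profiles.get(target)


# Assumed log line shape: "<client> GET /users/<numeric id> <status>".
LOG_RE = re.compile(r"^(?P<client>\S+) GET /users/(?P<uid>\d+) ")


def sequential_runs(log_lines: List[str], min_run: int = 5) -> Dict[str, int]:
    """Longest run of consecutive numeric user IDs fetched per client;
    only clients whose run reaches min_run are reported."""
    last: Dict[str, int] = {}
    run: Dict[str, int] = {}
    best: Dict[str, int] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        c, uid = m["client"], int(m["uid"])
        run[c] = run.get(c, 0) + 1 if last.get(c) == uid - 1 else 1
        last[c] = uid
        best[c] = max(best.get(c, 0), run[c])
    return {c: n for c, n in best.items() if n >= min_run}


# Constructed access-log lines; not taken from any real service.
SAMPLE_LOG = [f"203.0.113.7 GET /users/{i} 200" for i in range(5120, 5130)] + [
    "198.51.100.2 GET /users/5123 200", "198.51.100.2 GET /users/7 200"]
```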

WIRED attempted, on multiple occasions, to contact AffairD’s creator but did not receive a response. The app was not within the UK’s top-grossing dating apps but selected as a lower ranking app for comparison.

The big data problem

These leaks form part of a wider problem. The more personal data a company has on its customers, the bigger the risk if it is hacked. Customer information drawn from applications and websites, such as those highlighted in the course of our investigation, is often transferred to massive data centres.

“The general practice means holding and capturing every little piece of information you can in case you could potentially use them in the future,” Nico Sell, the cofounder and co-chairperson of encrypted messenger app Wickr, told WIRED. This makes the data vulnerable to hackers: TalkTalk, Yahoo!, Carphone Warehouse, DailyMotion and Tesco Bank are just some of the many companies that suffered customer data breaches within the past 12 months.

“There’s almost nothing you can do about how [the apps] have set up their backend security,” Chris Wysopal, chief technology officer and co-founder of Veracode, told WIRED. “Once the data gets to them you are relying on them following best practices.”

If you’re concerned, there are restrictions you can place on apps and services. “You can [stop the app] using your location,” said Wysopal. Both iOS and Android operating systems grant people certain powers over what an app knows about them and permissions must be explicitly given for an app to use particular settings.

Plugging the holes

Beyond actions customers can take to protect themselves, apps can similarly shield against man-in-the-middle attacks. Sell said companies should give users more control of the data and metadata being transmitted. “Adding expiration dates to data and conversations is also very important,” he argued. “The less information you have about them and the less time it lives, the safer it is in general.” Apps are also being encouraged to introduce an ‘encrypted channel’ within the data packets transmitted.

One initial protection is certificate pinning, Strathclyde University’s Paul added. “By configuring the app to only accept the actual certificate their app uses, it won’t be possible for an attacker to swap out the certificate and monitor traffic.”

An ongoing issue?

This investigation is not the first time dating apps have had their security and privacy practices questioned, and is unlikely to be the last. For some, Facebook IDs and birthdates being leaked is not seen as a high-level concern, but there are potentially deadly consequences for those looking for love online. Freedom of Information Act requests have revealed Tinder and Grindr were linked to 523 crimes across England and Wales in the past five years. In 2016, Stephen Port was jailed after killing four men who he met and groomed via dating apps.

Dating site Ashley Madison had 33 million customer account details stolen in 2015, and 339 million Adult Friend Finder accounts were exposed in a data breach in November 2016. Fallout from the Ashley Madison breach included deaths linked to the exposure of personal details. People within the leaked Ashley Madison database were also subject to online harassment about their personal lives.

In the US, spoof Grindr accounts are alleged to have been used to bully an innocent user. In 2015, Meet, the firm behind the MeetMe app and website, settled a privacy-related lawsuit with the San Francisco City Attorney, after which the firm introduced “groundbreaking steps” to improve its privacy practices.

And Happn was criticised by the Norwegian Consumer Council in February 2016 for allegedly sharing “key user data” with tracking company UpSight. A statement from the Council said information from users’ Facebook accounts including names, ages, workplace, and gender were being shared.

Each of these reports serves to highlight not only how much data we’re sharing, but also the need for further security standards across the web. That way, a failed relationship is the only thing at risk when searching for love online.


Originally published at www.wired.co.uk.
