Our experts have studied the most popular online dating apps (Tinder, Bumble, OkCupid, Badoo, Mamba, Zoosk, Happn, WeChat, Paktor) and identified the main threats to their users. We informed the developers of all detected vulnerabilities in advance; as of the date this text is published, some have already been fixed and others should be corrected in the near future. However, not all developers have promised to fix the defects.
Threat 1. Who are you?
Our researchers found that four of the nine apps studied allow criminals to determine who is behind a nickname from the data users themselves provide. Tinder, Happn, and Bumble, for example, let everyone see the workplace or place of study specified by a user. Using this information, it is possible to find their accounts on social networks and discover their real names. Happn, in particular, uses Facebook accounts for data exchange with the server. With very little effort, anyone can find the first and last names of Happn users, along with other information from their Facebook profiles.
Anyone who intercepts the traffic of a personal device with Paktor installed may be surprised to find that it exposes the e-mail addresses of other users of the application.
Overall, it was possible to identify Paktor and Happn users on other social networks 100% of the time (60% for Tinder and 50% for Bumble).
Threat 2. Where are you?
If anyone wants to know where you are, six of the nine apps will help them out. Only OkCupid, Bumble and Badoo keep user location data hidden. All other applications indicate the distance between you and the person you are interested in. By moving around and recording the reported distances, it is easy to determine the exact location of the “prey”.
Happn not only shows how many meters separate you from another user, but also the number of times your paths have crossed, which makes it even easier to follow someone. Surprising as it is, this is the app’s main feature.
Threat 3. Unprotected data transfer
Most applications transfer data to a server over an SSL encrypted channel, but there are exceptions.
As our researchers noted, one of the least secure applications is Mamba. The analytics module used in the Android version does not encrypt data about the device (model, serial number, etc.), and the iOS version connects to the server over HTTP and transfers all data, messages included, unencrypted and therefore unprotected. This data can not only be viewed but also modified. For example, a third party could change a “How are you?” into a request for money.
Mamba is not the only application that lets an attacker take over someone else’s account because of an insecure connection. This is also the case with Zoosk. However, our researchers were only able to intercept Zoosk data when new photos or videos were uploaded, and the developers fixed the problem shortly after our notification.
Tinder, Paktor, Bumble for Android and Badoo for iOS also upload photos over HTTP, allowing an attacker to find out which profiles their potential victim is viewing.
When using Android versions of Paktor, Badoo and Zoosk, other details like GPS data and device information can land in the wrong hands.
Threat 4. Man-in-the-middle (MITM) attack
Almost all online dating application servers use the HTTPS protocol, which means that by verifying the authenticity of the server certificate it is possible to protect against MITM attacks, in which the victim’s traffic passes through a rogue server before reaching the legitimate one. The researchers installed a fake certificate to see whether the applications would verify its authenticity; if they did not, an attacker would effectively be able to spy on other people.
It turned out that most applications (five out of nine) are vulnerable to MITM attacks because they do not verify the authenticity of certificates. Almost all of the apps also use Facebook for authorization, so failing to verify the certificate can lead to the theft of the temporary authorization key in the form of a token. These tokens are valid for two or three weeks, during which criminals have access to some of the victim’s account data on their social networks in addition to full access to their profile on the dating app.
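The defect described above is a TLS client that never validates the certificate it is shown. As an added illustration (not code from the study or from any of the apps), the following Python contrasts that misconfiguration with a context that enforces chain and hostname validation, and adds an optional certificate pin check; the pin value and certificate bytes are constructed placeholders, not real data.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample: a stand-in for a server certificate in DER form and its
# SHA-256 pin. A real pin is computed from the genuine certificate out of band.
SAMPLE_CERT_DER = b"-- constructed DER placeholder, not a real certificate --"
SAMPLE_PIN = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()


def insecure_context() -> ssl.SSLContext:
    """The pattern found in the study: the channel is encrypted, but the
    certificate is never validated, so any rogue server can terminate it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validate the chain against the system trust store and check the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit check: would this context reject a forged certificate?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_matches_pin(cert_der: bytes, expected_pin_hex: str) -> bool:
    """Constant-time comparison of the presented certificate's SHA-256 with the
    pinned value. Pinning adds to chain validation; it does not replace it."""
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, expected_pin_hex)


def connect_pinned(host: str, port: int, pin_hex: str, timeout: float = 5.0) -> bool:
    """Open a validated TLS connection and additionally require the leaf
    certificate to match the pin. Network call; not exercised offline."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return der is not None and cert_matches_pin(der, pin_hex)
```

Running `context_is_safe()` over the contexts an app actually builds is a quick way to catch the five-out-of-nine failure mode before release.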
Threat 5. Superuser rights
Regardless of the exact type of data that the application stores on the device, it is possible to access this data through superuser rights. This only applies to devices based on Android; it is rare for malware to have root access in iOS.
The result of the analysis is not at all encouraging. Eight of the nine Android apps are ready to hand over too much information to cybercriminals with superuser access. Researchers were able to obtain social network authorization tokens from almost every application studied. The credentials were encrypted, but the encryption key was easy to extract from the application itself.
Tinder, Bumble, OkCupid, Badoo, Happn, and Paktor store all message history and user photos with their tokens. Thus, someone who has access privileges can easily access confidential information.
The study showed that many dating applications do not handle sensitive user data cautiously enough. This is no reason not to use these services: you simply need to understand the issues and minimize the risks where possible.