Technology

Bumble, Hinge, and other apps had to fix privacy risk, study says

hand holding key, another hand emerging from smartphone with a lock

Dating apps require users to disclose vulnerable information — and not just someone’s romantic dreams. Most times, these apps require personal data like your name, age, and location. In the case of the latter, a new paper details that, for a time, several major apps left user locations able to be exposed by potential adversaries.

Dating app location vulnerabilities

In a new paper out of Belgian university KU Leuven, “Swipe Left for Identity Theft,” researchers break down potential privacy risks for 15 location-based dating apps (LBDs) with at least 10 million downloads. These days, dating apps are typically location-based in order to help users find matches physically close to them. By needing location, however, it opens users up to potential risks.

All apps except one used distance between users to measure location. (That exception, TanTan — an Asian dating app — used exact coordinates one-time at the point of matching, and only if they matched.) “However, lacking sufficient protections, the availability of distances can still lead to the inference of a user’s location,” the paper states. “This is done through trilateration.”

Trilateration is the process of determining location by measuring distances between three triangles (or circles, or spheres). There are different types of trilateration apps use to determine location. The authors — Karel Dhondt, Victor Le Pochat, Yana Dimova, Wouter Joosen, and Stijn Volckaert — found that they were able to pinpoint almost an exact location in six out of 15 apps, as TechCrunch reported.

Which dating apps had location vulnerabilities?

The most common vulnerability was through “oracle trilateration,” which the paper explains, “Adversaries use an oracle that indicates through a binary signal whether a victim is located within proximity, i.e., when they are within a defined ‘proximity distance’ from the attacker.”

Hinge, Bumble, Badoo (which is owned by Bumble), and Hily were susceptible to such trilateration.

A Hinge spokesman told Mashable:

At Hinge, the safety and privacy of our users is always a top priority. Our app is built with a privacy-by-design approach and strictly protects sensitive user data. We are proud of our state-of-the-art bug bounty program and our ongoing dialogue with researchers, which are designed to attract comments so we can make adjustments before any harm happens to our users. We reviewed the feedback from this research team when we received it in early 2023 and immediately took action where appropriate.

A Bumble spokesperson told both TechCrunch and Mashable, “We were made aware of these findings in early 2023, and swiftly resolved the issues outlined. As a global business with members in countries all over the world, we are committed to protecting our users’ privacy and have adopted a global approach to privacy compliance.”

This statement applies for Badoo as well, Bumble told Mashable.

Dmytro Kononov, CTO and co-founder of Hily, shared this statement with TechCrunch:

The findings indicated a potential possibility for trilateration. However, in practice, exploiting this for attacks was impossible. This is due to our internal mechanisms designed to protect against spammers and the logic of our search algorithm…Despite this, we engaged in extensive consultations with the authors of the report and collaboratively developed new geocoding algorithms to completely eliminate this type of attack. These new algorithms have been successfully implemented for over a year now.

Grindr was vulnerable to “exact distance trilateration.” This can be done when services reveal exact distances to other users. The authors were able to figure out user locations as close as 111 meters (around 364 feet). Exact distance trilateration was possible even when the distance was hidden, such as in Egypt where Grindr hides all user locations for safety reasons.

“The proximity Grindr offers to this community is paramount in providing the ability to interact with those closest to them, Grindr’s chief privacy officer Kelly Peterson Miranda told TechCrunch. “As is the case with many location-based social networks and dating apps, Grindr requires certain location information in order to connect its users with those nearby…Grindr users are in control of what location information they provide.”

Finally, the app happn was vulnerable to “rounded distance trilateration,” which can be done if an app utilizes a rounded location as a precaution. CEO and president of happn, Karima Ben Abdelmalek, told TechCrunch:

After review by our Chief Security Officer of the research findings, we had the opportunity to discuss the trilateration method with the researchers. However, happn has an additional layer of protection beyond just rounding distances…This additional protection was not taken into account in their analysis and we mutually agreed that this extra measure on happn makes the trilateration technique ineffective.

It appears that for apps with these vulnerabilities, the apps took measures to stop bad actors from determining user location using trilateration, with the exception of Grindr.

Which dating apps weren’t vulnerable?

According to the paper, Tinder and LOVOO used “grid snapping” to prevent trilateration. Grid snapping is a technique of dividing one’s location into a grid of squares. Coordinates (aka where users are) are moved to the center of these squares (Tinder) or the right side (LOVOO) and one’s distance is measured from there. Therefore, their actual distance is inaccurate and can’t be trilaterated.

Plenty of Fish and Meetic don’t access GPS locations. While MeetMe, Tagged, and OkCupid do access this information, they convert it to the nearest town. The authors couldn’t reverse engineer the information they needed for TanTan and Jaumo, so they couldn’t test this method to find user locations.

The paper shows the importance of caution when using dating apps. As the paper concludes, “We hope that the awareness that we bring of these issues will lead LBD app providers to reconsider their data gathering practices, protect their APIs [application programming interfaces] from data leaks, prevent location inference, and give users control of their data and therefore ultimately their privacy.”

Mashable