Dating apps are often privy to things of a rather intimate nature, including the occasional nude photo. Kaspersky Lab decided to put them through their security paces. Our experts studied the most popular mobile online dating apps (Tinder, Bumble, OkCupid, Badoo, Mamba, Zoosk, Happn, WeChat, Paktor) and identified the main threats for users. We informed the developers in advance about all the vulnerabilities detected, and by the time this text was released some had already been fixed and others were slated for correction in the near future.

The first threat is de-anonymization. Tinder, Happn, and Bumble, for example, let anyone see a user's specified place of work or study. Using this information, it's possible to find their social media accounts and discover their real names.

The second is location. Most of the apps indicate the distance between you and the person you're interested in. By moving around and logging the reported distance from several positions, it's easy to determine the exact location of the "prey." Happn not only shows how many meters separate you from another user, but also the number of times your paths have intersected, making it even easier to track someone down. That's actually the app's main feature, as unbelievable as we find it.

The third is unprotected data transfer. Most apps transfer data to the server over an SSL-encrypted channel, but there are exceptions. Tinder, Paktor, Bumble for Android, and Badoo for iOS upload photos via plain HTTP, which allows an attacker on the same network to see which profiles their potential victim is browsing. When using the Android versions of Paktor, Badoo, and Zoosk, other details, for example GPS data and device info, can end up in the wrong hands.

The fourth is man-in-the-middle (MITM) attacks, in which the victim's traffic passes through a rogue server on its way to the bona fide one. Almost all online dating app servers use HTTPS, which shields against MITM only if the app checks the authenticity of the server certificate. The researchers installed a fake certificate to find out whether the apps would check it; an app that didn't was in effect facilitating spying on its own users' traffic. It turned out that most apps (five out of nine) are vulnerable to MITM attacks because they do not verify the authenticity of certificates. And almost all of the apps authorize through Facebook, so the lack of certificate verification can lead to the theft of the temporary authorization key in the form of a token. Note that passing this test is not the same as being safe from MITM: an app that merely relies on the device's trust store will accept any certificate issued by a CA the attacker has managed to install into a store the app trusts; certificate pinning is what closes that gap.

The fifth is superuser rights. This concerns only Android-based devices; malware able to gain root access in iOS is a rarity. The result of the analysis is less than encouraging: eight of the nine applications for Android are ready to provide too much information to cybercriminals with superuser access rights.

The study showed that many dating apps do not handle users' sensitive data with sufficient care. That's no reason not to use such services; you simply need to understand the issues and, where possible, minimize the risks.
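The distance-based tracking described above, worked through as an added example (this is not code from the Kaspersky study or from any of the apps). It assumes the app reports a straight-line distance in meters, as Happn does, and that the attacker records their own GPS position with each query; the reference point, the target and the attacker's walk are constructed. Each reported distance is a circle around the attacker, and subtracting the first circle's equation from the others leaves a linear system that is solved by least squares, so extra readings average out the rounding some apps apply to the displayed distance.

```python
"""Pinning down a user from the distances a dating app reports.

Added illustration of the distance-leak threat; not code from the Kaspersky
study or from any app. Assumes the app shows a straight-line distance in
meters and that the attacker knows their own position at each query.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters; used to fabricate 'app' readings and
    to measure the error of the recovered position."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def to_local_xy(lat, lon, ref_lat, ref_lon):
    """Equirectangular projection to meters around a reference point; the
    error is well under a meter over the few kilometers an attacker walks."""
    x = math.radians(lon - ref_lon) * EARTH_RADIUS_M * math.cos(math.radians(ref_lat))
    y = math.radians(lat - ref_lat) * EARTH_RADIUS_M
    return x, y


def to_lat_lon(x, y, ref_lat, ref_lon):
    """Inverse of to_local_xy."""
    lat = ref_lat + math.degrees(y / EARTH_RADIUS_M)
    lon = ref_lon + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(ref_lat))))
    return lat, lon


def trilaterate(readings):
    """readings: iterable of (attacker_lat, attacker_lon, reported_distance_m)
    taken from at least three non-collinear positions. Returns (lat, lon).

    Circle i: (x - xi)^2 + (y - yi)^2 = di^2. Subtracting circle 0 from each
    other circle removes x^2 and y^2 and leaves a row of a linear system
    a*x + b*y = r, which is solved in the least-squares sense via the 2x2
    normal equations so that more than three readings reduce rounding noise.
    """
    readings = list(readings)
    if len(readings) < 3:
        raise ValueError("need at least three readings")
    ref_lat, ref_lon = readings[0][0], readings[0][1]
    pts = [(*to_local_xy(la, lo, ref_lat, ref_lon), d) for la, lo, d in readings]
    x0, y0, d0 = pts[0]
    saa = sab = sbb = sar = sbr = 0.0
    for xi, yi, di in pts[1:]:
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        r = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        saa += a * a
        sab += a * b
        sbb += b * b
        sar += a * r
        sbr += b * r
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("attacker positions are collinear; move off the line")
    x = (sbb * sar - sab * sbr) / det
    y = (saa * sbr - sab * sar) / det
    return to_lat_lon(x, y, ref_lat, ref_lon)


def simulate_readings(target_lat, target_lon, attacker_positions, round_to_m=None):
    """Fabricate what a distance-showing app would return at each position.
    round_to_m mimics apps that round the displayed distance."""
    out = []
    for la, lo in attacker_positions:
        d = haversine_m(la, lo, target_lat, target_lon)
        if round_to_m:
            d = round(d / round_to_m) * round_to_m
        out.append((la, lo, d))
    return out


# Constructed scenario: the attacker walks the corners of a 1 km square and
# the target sits somewhere inside it. The coordinates are arbitrary.
REF = (55.7558, 37.6173)
TARGET = to_lat_lon(430.0, 610.0, *REF)
WALK = [to_lat_lon(x, y, *REF) for x, y in ((0, 0), (1000, 0), (0, 1000), (1000, 1000))]

if __name__ == "__main__":
    exact = trilaterate(simulate_readings(*TARGET, WALK[:3]))
    rounded = trilaterate(simulate_readings(*TARGET, WALK, round_to_m=10))
    print("exact distances, 3 readings -> error %.1f m" % haversine_m(*exact, *TARGET))
    print("10 m rounding, 4 readings   -> error %.1f m" % haversine_m(*rounded, *TARGET))
```

Three exact readings recover the target to within a meter; with the distance rounded to 10 m the fourth reading still leaves the error at a few meters, which is why showing a coarser distance only slows an attacker down rather than stopping them.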
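An added example covering the unprotected-transfer and MITM findings together; it is not tooling from the Kaspersky study. The triage function inspects one captured request and flags profile photos, GPS coordinates and device identifiers sent over plain HTTP, as well as credentials readable at an interception proxy. Over HTTPS the credentials can be read only when the app accepted the proxy's certificate, which is exactly the missing certificate check described above. The hook at the bottom adapts the function to mitmproxy's addon interface; the hostnames, paths and parameter names in the sample capture are constructed, not real app endpoints.

```python
"""Triage of a dating app's traffic as seen from an interception proxy.

Added example, not tooling from the Kaspersky study. The pure function works
on plain values so it can be tested offline; the `request` hook at the bottom
is the mitmproxy addon entry point (load with `mitmproxy -s thisfile.py` and
point the phone's proxy setting at the machine running it).
"""
import logging
import re

IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|webp)$", re.IGNORECASE)
# Parameter names are assumptions about how an app might label these fields.
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
DEVICE_KEYS = {"device_id", "imei", "android_id", "advertising_id"}
TOKEN_KEYS = {"access_token", "fb_token", "token", "session_token"}


def triage_request(scheme, host, path, params, headers):
    """Return a list of findings (strings) for one request.

    scheme  : "http" or "https", as the proxy saw it
    path    : request path, with or without a query string
    params  : dict of query/form parameter names -> values
    headers : dict of header names -> values (matched case-insensitively)
    """
    findings = []
    cleartext = scheme.lower() == "http"
    bare_path = path.split("?", 1)[0]
    keys = {k.lower() for k in params}
    hdr = {k.lower(): v for k, v in headers.items()}

    # Cleartext leaks: anyone on the same network sees these.
    if cleartext and IMAGE_EXT.search(bare_path):
        findings.append(f"cleartext photo fetch http://{host}{bare_path}: "
                        "reveals which profiles the user is browsing")
    if cleartext and keys & LOCATION_KEYS:
        findings.append(f"location parameters {sorted(keys & LOCATION_KEYS)} "
                        f"sent over HTTP to {host}")
    if cleartext and keys & DEVICE_KEYS:
        findings.append(f"device identifiers {sorted(keys & DEVICE_KEYS)} "
                        f"sent over HTTP to {host}")

    # Credentials: over HTTP they are simply in the clear; over HTTPS the proxy
    # can only read them because the app accepted the proxy's certificate.
    secrets = []
    if "authorization" in hdr:
        secrets.append("Authorization header")
    if keys & TOKEN_KEYS:
        secrets.append(f"token parameter(s) {sorted(keys & TOKEN_KEYS)}")
    for what in secrets:
        if cleartext:
            findings.append(f"{what} sent in the clear to {host}")
        else:
            findings.append(f"{what} readable at the proxy for {host}: the app "
                            "accepted our certificate, so it does no certificate verification")
    return findings


# Constructed capture: (scheme, host, path, params, headers). None of these
# hosts or parameter names are real app endpoints.
CAPTURE = [
    ("http", "img.dating.test", "/photos/u4412/3.jpg?s=640", {},
     {"User-Agent": "DatingApp/4.1 (Android)"}),
    ("http", "api.dating.test", "/v2/nearby",
     {"lat": "55.7558", "lng": "37.6173", "android_id": "9f1c2d3e4a5b6c7d"},
     {"User-Agent": "DatingApp/4.1 (Android)"}),
    ("https", "api.dating.test", "/v2/login",
     {"access_token": "constructed-facebook-token"},
     {"Authorization": "Bearer constructed-session-token"}),
    ("https", "cdn.dating.test", "/profile/8871.png", {}, {}),  # clean: TLS, no secrets
]


def triage_capture(capture):
    """Run triage_request over a whole capture and flatten the findings."""
    out = []
    for scheme, host, path, params, headers in capture:
        out.extend(triage_request(scheme, host, path, params, headers))
    return out


def request(flow):
    """mitmproxy addon hook, called for every client request. Only requests
    the app actually let through to the proxy reach this point."""
    req = flow.request
    params = {**dict(req.query), **dict(req.urlencoded_form)}
    for finding in triage_request(req.scheme, req.pretty_host, req.path,
                                  params, dict(req.headers)):
        logging.getLogger("triage").warning(finding)


if __name__ == "__main__":
    for line in triage_capture(CAPTURE):
        print(line)
```

Against the constructed capture the first two requests produce the photo, location and device findings without any interception at all, while the login request is flagged only because it arrived over HTTPS that the proxy could terminate. An app that verifies certificates never sends that request to the proxy, so the absence of TLS-side findings for an app is the result a developer should be aiming for.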