The pandemic and the restrictions that came with it have led to an increase in the popularity of dating apps. For example, the total number of swipes on Tinder increased by 11% last year, with the daily number of swipes surpassing the 3 billion mark for the first time as early as March 2020. This is hardly surprising when you consider that many places where people used to meet and go on dates were shut down repeatedly in 2020 and at the beginning of 2021.
The increased activity on dating apps could be accompanied by increased associated risks for their users. Users may face some of the following threats:
- Identification of the user by third parties. Strangers can gain access to a user’s personal data, including their real name and information about where they live, work or This information can then be used for stalking or doxing.
- Theft of login credentials.
- Some of the most popular scams include asking users to transfer money under various pretexts, asking for “nudes” to be sent which are then used as blackmail in “sextortion scams”, as well as sending links to phishing websites, where users are tricked into entering their bank card details.
Whether a user will fall victim to any of these scams is largely dependent on the security measures that are implemented in the app and the kind of vulnerabilities it has. In 2017, we analyzed nine popular dating apps and revealed the following:
- Six apps allowed people to pinpoint a user’s location.
- Four apps made it possible to find out a user’s real name and track down their social media accounts.
- Four apps allowed an adversary to intercept potentially sensitive information they transfer.
We decided to see whether the situation has improved in 2021, so we looked at the apps with the most users around the world, as well as ones which received high ratings in publications such as CNET, PC Mag and Tom’s Guide. The resulting sample included both generic dating apps and niche apps for LGBT dating, polyamorous relationships etc.:
- Tinder — one of the world’s most popular dating apps. Downloaded more than 100 million times from Google Play.
- OkCupid — downloaded more than 10 million times from Google Play.
- Badoo — another very popular dating app. Downloaded more than 100 million times from Google Play.
- Bumble — an application where women make the first move. Downloaded more than 10 million times from Google Play, with 42 million monthly active users during the third quarter of 2020.
- Mamba — downloaded more than 10 million times from Google Play.
- Pure — an app for casual hookups and anonymous dating. Downloaded more than 1 million times from Google Play.
- Feeld — an app which allows you to search for partners in polyamorous relationships. Downloaded more than 1 million times from Google Play.
- Happn — an application for dating with random people you cross paths with. Downloaded over 50 million times from Google Play.
- Her — a dating app catering to LGBTQ+ women. More than 1 million downloads from Google Play.
Most of the apps that were analyzed ask users to provide a phone number for account verification when they sign up to send them an SMS message with a confirmation code. Accounts created using numbers provided by free online services for receiving SMS messages without a phone are quickly banned, which makes creating fake profiles a little more difficult.
All the services apart from Pure also have the option of signing up using a Facebook login or through another social network. When an existing social media account is used for registration, some apps don’t require a phone number for account verification, as long as no suspicions are raised by the date when the social media account was created, the number of friends or other account information.
All the profile photos from the Facebook page are added to the dating profile by default in most of the apps when a user signs up using Facebook.
Registration on Mamba
Most of the services analyzed make it optional for users to enter where they study and/or work, as well as to connect their Instagram and Spotify accounts. Those who choose to do so will have their latest photos and favorite music pulled from their accounts and added to the dating profile. There are no direct links to a user’s social media accounts, even if such account is used to log in to the app, but information displayed on the profile such as a person’s name and age, their photos and information about where they study and work is often enough to track someone down on different sites.
Depending on how the user has configured their privacy settings on social media, individuals with sinister intentions may be able to gain access to a wealth of private information about their dating matches, such as their home addresses and personal photos. This leaves users vulnerable to cyberstalking and doxing (when private information is made public with the intent of shaming or harming the individual).
Determining the user’s location
Mamba, Badoo, OkCupid, Pure and Feeld don’t require mandatory access to location data. You can enter your location manually instead to find matches in your area. If you grant the app access to your GPS to search for nearby matches, it’ll show your approximate distance from other users. Different services calculate this distance to varying degrees of accuracy. The app with the smallest margin of error is Mamba, which is accurate to the nearest meter. At the same time, the service allows you to set a fake GPS location using third-party programs. This can be exploited by sinister individuals, who can “move around” on the map to more or less pinpoint the location of a person they’re interested in.
Mamba: your distance from other users to the nearest meter
This is how it can be done: although the app doesn’t show which direction you need to move in to find another user, you can draw the circle from where you’re located on the map if you know how far away from you they are. By moving to different locations on the map and receiving new distance info in each place, a stalker can find the point where these circles intersect. The margin of error prevents ill-intentioned users from obtaining another user’s exact coordinates in this way, but an approximate location may be enough to roughly determine where a person works or studies, which could then help the malicious user find the person’s other social media accounts or even go after them offline.
To use Tinder and Bumble, you must grant these applications access to your geolocation. At the same time, both services prevent users from faking their coordinates via third-party programs. You can change the search area for potential partners in paid versions of the apps, but you can only select a region, not exact coordinates. This then makes it more difficult to work out where other users are located.
Her only allows paying users to set their location themselves, but third-party apps are allowed.
Happn is another app which needs to be granted access to the user’s location but allows you to use a third-party fake GPS VPN to change your location. This application has privacy settings which allow you to hide your distance from other users, age and “online” status, but these options are only available in the paid version.
Happn has another function that the other apps don’t offer: in addition to your distance from other users, you can also see how many times you’ve crossed paths with the same person and at what points. The app also shows who you’ve crossed paths with most often.
List of users you crossed paths with near a specific point
You can therefore easily work out who visits a given place on a regular basis, and that means it’s most likely a place where they live, work or study.
|App||Requires access to your device’s location||Allows setting the region manually in the free version||Allows setting the region manually in the paid version|
Unauthorized use of photos and messages
Of all the services analyzed, the only app that allows users to blur their profile pictures for free is Mamba. Once this option is activated, only users approved by the account owner will be able to see the original non-blurred picture.
This feature is also available in some other applications but only in their paid versions.
Pure is the only application that allows you to sign up to create an account without any profile picture, and also prohibits its users from taking screenshots of messages. The other applications don’t rule out the possibility of users saving screenshots of profiles and messages, which could then be used for doxing or blackmail.
All the apps that have been looked at use secure communication protocols for transfer of data. We also noted that the protection against certificate-spoofing man-in-the-middle (MITM) attacks has become much better compared to the results of the previous study. The apps stop exchanging data with the server if a fake certificate is detected, and Mamba even shows the user a warning message.
Data stored on the device
Similar to the results of the last study, the messages and cached images in most Android apps are stored on the user’s device. An attacker can gain access to them using a remote access Trojan (RAT) if the device has superuser (root) access rights. These devices can either be rooted by the user or by another Trojan which exploits Android OS vulnerabilities.
It’s worth noting that the risk of attackers gaining access to application data on the device is small, but it’s still a possibility.
Mamba and Badoo send an email with a generated cleartext password to log in to your account. This can hardly be deemed good practice in cybersecurity, as without two-factor authentication an attacker who intercepts the email will gain access to the account in the app.
Vulnerability disclosure & bug bounty programs
Since 2017, dating apps seem to have become more concerned with security. In 2017, we discovered several dating apps with critical vulnerabilities. In 2021, we see that most developers are investing in bug bounty programs that help keep the apps secure.
Badoo and Bumble were the most open about the vulnerabilities they’ve detected and eliminated. These apps also have a joint bug bounty program: https://hackerone.com/bumble. Similar programs are also implemented by Tinder, Mamba and OkCupid.
Launching initiatives like vulnerability disclosure and bug bounty programs doesn’t necessarily guarantee greater app security, but it’s an important step in the right direction for these companies to take, as it encourages researchers to find vulnerabilities in apps and allows developers to eliminate them efficiently.
Dating apps are here to stay. A study conducted by Stanford back in 2019 found online dating was already the most popular way for US couples to meet. And the pandemic led to a real boom in remote dating. The good news is that as these apps continue to grow more and more popular, efforts are made to increase their security, particularly on the technical side. For example, while four of the apps studied in 2017 made it possible to intercept sent messages, all nine apps we examined in 2021 used secure data transfer protocols.
Yet dating apps still leave significant amounts of users’ personal information vulnerable, including their approximate or exact location, social media accounts with any data they contain, photos and chats. It’s never a good thing to give someone access to that much private information. Not only does it put your privacy at risk, it leaves you vulnerable to things like doxing and cyberstalking. Some risks are unfortunately hard to avoid, as many of the apps are location-based, which means you have to share your location to find potential matches.
There’s still plenty of room for improvement, but the companies behind these dating apps are moving in the right direction if the past few years are anything to go by. These are our hopes and expectations for a future of safe and secure digital connections:
- One day, users will be able to hide both their photos and GPS locations from matches.
- Accounts will be verified to prove your potential match is who they say they are, not a criminal.
- Users will be able to restrict others from taking screenshots of their profiles and messages for free in any app.
- Users will be able to delete their chats.
- Apps will inform new users about the risks of sharing too much information.
- App developers will harness AI to protect users from fraud and stop abusive and/or sensitive content from being shared.
In the meantime, here are a few things you can do to stay safe while dating online:
- Don’t share too much personal information (your last name, employer, photos with friends, political views etc.).
- Enter your location manually where possible.
- Use two-factor authentication.
- Delete or hide your profile if you’ve stopped using the app.
This post appeared first on SecureList – Kaspersky Lab’s Cyberthreat Research and Reports
Author: Tatyana Shishkova