Leakage of personal data, geolocation attacks, unsafe connections … Finding a soul mate on a mobile dating app is not necessarily safe.
Users looking to meet people through their phones are spoiled for choice. But the search for a soul mate is not necessarily as confidential as one might think. Security researchers at Kaspersky Lab inspected the security level of nine dating applications, namely Tinder, Bumble, OkCupid, Badoo, Mamba, Zoosk, Happn, WeChat and Paktor. Conclusion: none is perfectly secure.
Leakage of personal data
Some applications let you add information that goes beyond age or first name / nickname, which is not necessarily a good idea. On Tinder, Happn and Bumble, users can for example specify their job and their level of education. “In 60% of cases, this information was sufficient to identify users on a social network like Facebook or LinkedIn, and get their full names,” the researchers said. A malicious person could then start harassing someone, even after being blocked on the dating app.
Sometimes it is not even necessary to cross-check information. When a profile is viewed on Happn, the application automatically receives an ID number that can be intercepted and is linked to the Facebook account. The account can then be easily identified. For its part, the Paktor application sends out the email address of the profile being viewed. Too easy.
Users can be located
Most applications are vulnerable to geolocation attacks. Dating applications show how far away the viewed profiles are, without further detail. But it is possible to send fake coordinates to the apps' servers, virtually circling a target and thereby locating it. According to the researchers, these attacks work particularly well with Tinder, Mamba, Zoosk, WeChat and Paktor.
In July 2016, Synacktiv researchers demonstrated this type of attack during the Nuit du Hack. They even managed to deploy a network of virtual surveillance agents that could raise an alert as soon as a target entered a given area.
Not always secure connections
Generally, dating apps communicate with their servers over HTTPS. But this is not always the case, which opens the way to interception of data, for example when connected to an unsecured public hotspot. Tinder, Paktor and Bumble send photos over HTTP. On the Android version of Paktor, it is also possible to intercept the user’s name, date of birth and GPS coordinates. With Mamba, it’s even worse: the iOS version sends everything over HTTP. A nearby attacker can intercept everything and modify it on the fly. He can also obtain the identifiers needed to log in to the account. A similar flaw was detected in the Zoosk app, but only when the app downloads photos or videos.
Kaspersky – Summary of Vulnerabilities (+/- means possible / impossible)
Finally, the researchers report that most applications do not verify the HTTPS certificates they receive. They are therefore vulnerable to interception and decryption attacks. However, this type of attack is more complicated to mount. The attacker must not only be on the same network, but also get the user to install his fake certificate. On iOS, that is almost impossible to do.
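The two transport problems described above (data sent over plain HTTP, and HTTPS certificates that are not verified) can be summarised from a test capture of an app's own traffic. The following is an added example, not code from the article or from the researchers; the host names, parameter names and capture format are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names treated as sensitive. Assumed naming: the article lists name,
# date of birth, GPS coordinates, email address and login identifiers as exposed.
SENSITIVE = {"name", "birth_date", "lat", "lon", "email", "token"}
MEDIA_EXT = (".jpg", ".jpeg", ".png", ".mp4")

# Constructed capture from a lab device. Each entry is
# (request URL, True if the app accepted an untrusted test certificate).
SAMPLE_CAPTURE = [
    ("http://img.example-dating.test/photos/123.jpg", False),
    ("http://api.example-dating.test/profile"
     "?name=Ann&birth_date=1990-01-01&lat=48.85&lon=2.35", False),
    ("https://api.example-dating.test/login?token=abc", True),
    ("https://api.example-dating.test/matches?page=2", False),
]

def audit(capture):
    """Return one finding per request that an on-path observer could read."""
    findings = []
    for url, accepted_untrusted_cert in capture:
        parts = urlsplit(url)
        if parts.scheme == "http":
            issue = "cleartext"              # readable on any shared network
        elif accepted_untrusted_cert:
            issue = "no-cert-validation"     # HTTPS, but certificate not checked
        else:
            continue                         # HTTPS with validation: nothing to report
        exposed = sorted(SENSITIVE & set(parse_qs(parts.query)))
        if parts.path.lower().endswith(MEDIA_EXT):
            exposed.append("photo")
        findings.append({"host": parts.hostname, "path": parts.path,
                         "issue": issue, "exposed": exposed})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(finding)
```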
In the end, the researchers recommend using dating apps with caution. It is best not to fill in too much information, to avoid public hotspots and to activate a VPN.