Dating apps are supposed to be about getting to know other people and having fun, not handing out personal data left, right and center. Unfortunately, when it comes to dating services, there are security and privacy concerns. At the MWC21 conference, Tatyana Shishkova, senior malware analyst at Kaspersky, presented a report about online dating app security. We discuss the conclusions she drew from studying the privacy and security of the most popular online dating services, and what users should do to keep their data safe.
Dating app security: what’s changed in four years
Our experts previously carried out a similar study several years ago. After researching nine popular services in 2017, they came to the bleak conclusion that dating apps had major issues regarding the secure transfer of user data, as well as its storage and accessibility to other users. Here are the main threats revealed in the 2017 report:
- Of the nine apps studied, six did not hide the user’s location.
- Four made it possible to find out the user’s real name and locate other social network accounts of theirs.
- Four allowed outsiders to intercept app-forwarded data, which could contain sensitive information.
We decided to see how things had changed by 2021. The study focused on the nine most popular dating apps: Tinder, OkCupid, Badoo, Bumble, Mamba, Pure, Feeld, Happn and Her. The lineup differs slightly from that of 2017, since the online dating market has changed a bit. That said, the most used apps remain the same as four years ago.
Security of data transfer and storage
Over the past four years, the situation with data transfer between the app and the server has significantly improved. First, all nine apps we researched this time around use encryption. Second, all feature a mechanism against certificate-spoofing attacks: on detecting a fake certificate, the apps simply stop transmitting data. Mamba additionally displays a warning that the connection is insecure.
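The fake-certificate check described above is typically implemented as certificate pinning. The following is an added example, not code from the report or from any of the apps studied: a Python client that completes the standard TLS handshake, compares the peer certificate's SHA-256 fingerprint against a pinned set, and closes the connection before any data is sent if there is no match. The sample certificate bytes and the pin set are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample "certificate" (not a real DER structure) standing in for the
# server certificate the client expects; a real app would pin its operator's cert.
SAMPLE_SERVER_CERT_DER = b"\x30\x82constructed-sample-server-certificate"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# The pin set shipped inside the client: fingerprints of certificates it will accept.
TRUSTED_PINS = {cert_fingerprint(SAMPLE_SERVER_CERT_DER)}


def pin_ok(der_cert: bytes, pins: set) -> bool:
    """True only if the presented certificate matches one of the pinned fingerprints.
    hmac.compare_digest avoids a timing side channel on the comparison."""
    presented = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(presented, p) for p in pins)


def open_pinned_connection(host: str, port: int, pins: set, timeout: float = 10.0) -> ssl.SSLSocket:
    """Perform the normal TLS handshake (chain validation, hostname check), then refuse
    to send any application data unless the peer certificate is pinned."""
    ctx = ssl.create_default_context()  # still validates the CA chain and hostname
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_ok(der, pins):
        # A valid-looking but unpinned certificate (e.g. one issued to an interposed proxy):
        # close before any request is written, so nothing sensitive leaves the device.
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls


if __name__ == "__main__":
    # Offline demonstration of the decision logic only (no network access needed).
    print(pin_ok(SAMPLE_SERVER_CERT_DER, TRUSTED_PINS))        # True
    print(pin_ok(b"\x30\x82forged-certificate", TRUSTED_PINS))  # False
```

Pins must be rotated alongside the server certificate, or the client locks itself out after a routine renewal; pinning the issuing CA or a backup key is the usual way to leave room for that.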
As for data stored on the user’s device, a potential attacker can still gain access to it by somehow getting hold of superuser (root) rights. However, this is a rather unlikely scenario. Besides, root access in the wrong hands renders the device basically defenseless, so data theft from a dating app is the least of the victim’s problems.
Password emailed in cleartext
Two of the nine apps under study — Mamba and Badoo — mail the newly registered user’s password in plain text. Since many people don’t bother to change the password immediately after registration (if ever), and tend to be sloppy about mail security in general, this is not a good practice. By hacking the user’s mail or intercepting the e-mail itself, a potential attacker can discover the password and use it to gain access to the account as well (unless, of course, two-factor authentication is enabled in the dating app).
Mandatory profile photo
One of the problems with dating services is that screenshots of users’ conversations or profiles can be misused for doxing, shaming and other malicious purposes. Unfortunately, of the nine apps, only one, Pure, lets you create an account without a photo (i.e., not that easily attributable to you); it also handily disables screenshots. Another, Mamba, offers a free photo-blurring option, allowing you to show your pictures only to users you choose. Some of the other apps also offer that feature, but only for a fee.
Dating apps and social networks
All of the apps in question — aside from Pure — allow users to register through a social network account, most often Facebook. In fact, this is the only option for those who don’t want to share their phone number with the app. However, if your Facebook account isn’t “respectable” enough (too new or too few friends, say), then most likely you’ll end up having to share your phone number after all.
The problem is that most of the apps automatically pull Facebook profile pics into the user’s new account. That makes it possible to link a dating app account to a social media one simply by the photos.
In addition, many dating apps allow, and even recommend, users to link their profiles to other social networks and online services, such as Instagram and Spotify, so that new photos and favorite music can be automatically added to the profile. And although there is no surefire way to identify an account in another service, dating app profile information can certainly help in finding someone on other websites.
Location, location, location
Perhaps the most controversial aspect of dating apps is the need, in most cases, to give your location. Of the nine apps we investigated, four — Tinder, Bumble, Happn and Her — require mandatory geolocation access. Three let you manually change your precise coordinates to the general region, but only in the paid version. Happn has no such option, but the paid version allows you to hide the distance between you and other users.
Mamba, Badoo, OkCupid, Pure and Feeld do not require mandatory access to geolocation, and let you manually specify your location even in the free version. But they do offer to automatically detect your coordinates. In the case of Mamba especially, we advise against giving it access to geolocation data, since the service can determine your distance to others with a frightening accuracy: one meter.
In general, if a user allows the app to show their proximity, in most services it is not hard to calculate their position by means of triangulation and location-spoofing programs. Of the four dating apps that require geolocation data to work, only two — Tinder and Bumble — counteract the use of such programs.
From a purely technical viewpoint, dating app security has improved significantly in the past four years — all the services we studied now use encryption and resist man-in-the-middle attacks. Most of the apps have bug-bounty programs, which assist in the patching of serious vulnerabilities in their products.
But as far as privacy is concerned, things are not so rosy: the apps have little motivation to protect users from oversharing. People often post far more about themselves than is sensible, forgetting or ignoring the possible consequences: doxing, stalking, data leakage and other online woes.
Sure, the problem of oversharing is not limited to dating apps — things are no better with social networks. But due to their specific nature, dating apps often encourage users to share data that they are unlikely to post anywhere else. Moreover, online dating services usually have less control over who exactly users share this data with.
Therefore, we recommend all users of dating (and other) apps to think more carefully about what and what not to share.