The world of mobile apps is growing rapidly. Games, messengers, virtual assistants, apps that allow you to keep your Android ON, and so on are already commonplace. Online dating is very popular, especially among young people. However, such services carry a lot of risks for users.
Using carefully calculated computer algorithms, these services compare our interests and preferences with those of other people who have similar tastes. Then the parties can agree on a date and, perhaps, this will be the beginning of great love.
But to find matches, each service collects a range of sensitive data, including sexual preferences, physical location, and even the way the app is used. This data allows the service provider to create a very detailed profile for each of its users.
Most users believe that this information is collected and protected by their dating application operator. In principle, that is correct. For example, the current data protection legislation in Europe (General Data Protection Regulation, GDPR) requires service providers to treat personal information very carefully and to use it only for certain purposes.
However, security researchers have found that in practice this is not entirely true. Popular dating apps such as Grindr, OKCupid, and Tinder share the personal information they collect with various third parties (such as marketing agencies).
What’s the problem?
From a legal point of view, the problem is not the exchange of confidential data itself, but the fact that users do not know what information is being transmitted or to whom. Worse, most of the apps tested don’t give users any control over how their data is used.
Researchers warn that the lack of control over personal data means that operators of dating services are at risk of prosecution under the GDPR: they face a fine.
But there is also the human aspect of these data leaks. Some users will be rightly upset that their data is being sold to advertisers, especially since some of the most sensitive information is a personal secret. This is especially true for users who may hide their sexual preferences from friends and family. Advertisers who use this information may inadvertently reveal their secrets through advertisements and emails that the user receives.
Disclosure of identity and harassment
The most harmless thing that hackers can do is to match a person’s dating service profile to their profile on a social network. It turned out that this is very simple. For example, in Tinder, many people add information about their work or education. This gives a 60 percent chance of finding a user on the social network, even if they use an alias.
For example, a user’s Facebook profile can be found through the Happn app, even if they didn’t provide any information about themselves and use an alias. The service has a function for searching for people. If hackers modify the search query a little, they can find the first and last names of any user on Facebook.
The Paktor service, for example, does not hide users’ email addresses well. To steal information, an attacker only needs to monitor the application’s traffic, which reveals the email address of any user.
Attackers can use a social network profile, for example, for harassment.
Tracking a person
Some dating apps make it possible to find the location of another user. For example, the WeChat messenger allows you to view the distance to the interlocutor. And the app of the Happn service shows not only the location of another person but also how many times you have been near them.
The user’s location can be used for robbery or surveillance, which is dangerous.
Stealing messages and accessing the account
Many dating applications either do not use a secure, encrypted data transfer protocol at all or use it only for part of their traffic. So if a person is using a public Internet connection, attackers can easily access a lot of data. For example, in Mamba, they can log into a victim’s account and view and write messages on their behalf. And in the Tinder application, they can capture the user’s photos.
Most Android dating applications will also accept a fake certificate. For this to work, it is enough to trick the victim into installing the certificate. The attacker can then intercept the Facebook token in Tinder, which makes it easy to get temporary access to the victim’s social network account.
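On the app side, the two weaknesses described above (unencrypted traffic and acceptance of a user-installed certificate) are governed by Android's Network Security Configuration file. The following is an added example, not part of the original article or of any app named in it: a Python check run over two constructed configurations, one weak and one hardened. The function name and both sample configs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: permits both weaknesses described in the text.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed sample: HTTPS only, system CAs only, user CAs in debug builds only.
HARDENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""


def audit_network_security_config(xml_text):
    """Return findings for settings that affect release-build traffic."""
    root = ET.fromstring(xml_text)
    findings = []
    # base-config and domain-config apply to release builds; debug-overrides
    # only applies to debuggable builds, so it is deliberately not flagged.
    for section in root.iter():
        if section.tag not in ("base-config", "domain-config"):
            continue
        if section.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(f"{section.tag}: cleartext (HTTP) traffic permitted")
        for cert in section.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{section.tag}: user-installed CA certificates trusted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_network_security_config(cfg))
```

A missing `cleartextTrafficPermitted` attribute falls back to the platform default for the app's target API level, so this check only flags settings that are stated explicitly.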
Can you protect yourself?
Since the GDPR entered into force, most applications now acknowledge that they may share data. But this is only because they are legally obliged to do so. The information is usually hidden somewhere in long, complex terms of service that most of us don’t read. Even worse, some applications (such as Grindr) refer users to third-party terms and conditions where the full scope of data exchange is discussed.
This means that the only way to truly protect your data is to read the terms and conditions carefully and not use any dating apps until you have an urgent need for them, and until you have a clear idea of how your data will be used.