Problems highlight need to encrypt app traffic, importance of using secure connections for private communications
Be careful as you swipe left and right—someone could be watching.
Security researchers say Tinder isn’t doing enough to secure its popular dating app, putting the privacy of users at risk.
A report released Tuesday by researchers from the cybersecurity firm Checkmarx identifies two security flaws in Tinder’s iOS and Android apps. When combined, the researchers say, the vulnerabilities give hackers a way to see which profile photos a user is looking at and how he or she reacts to those images—swiping right to show interest or left to reject a chance to connect.
Names and other personal information are encrypted, however, so they are not at risk.
The flaws, which include insufficient encryption for data sent back and forth via the app, aren’t exclusive to Tinder, the researchers say. They spotlight a problem shared by many apps.
Tinder released a statement saying that it takes the privacy of its users seriously, and noting that profile images on the platform can be widely viewed by legitimate users.
But privacy advocates and security professionals say that’s little comfort to those who want to keep the mere fact that they’re using the app private.
Tinder, which operates in 196 countries, claims to have matched more than 20 billion people since its 2012 launch. The platform does that by sending users pictures and mini profiles of people they might like to meet.
If two users each swipe to the right across the other’s photo, a match is made and they can start messaging each other through the app.
According to Checkmarx, Tinder’s vulnerabilities are both related to ineffective use of encryption. To start, the apps don’t use the secure HTTPS protocol to encrypt profile pictures. As a result, an attacker could intercept traffic between the user’s mobile device and the company’s servers and see not only the user’s profile picture but also all the pictures he or she reviews.
All text, including the names of the individuals in the photos, is encrypted.
The attacker also could feasibly replace an image with a different photo, a rogue advertisement, or even a link to a website that contains malware or a call to action designed to steal personal information, Checkmarx says.
In its statement, Tinder noted that its desktop and mobile web platforms do encrypt profile images and that the company is now working toward encrypting the images on its apps, too.
But these days that’s just not good enough, says Justin Brookman, director of consumer privacy and technology policy for Consumers Union, the policy and mobilization division of Consumer Reports.
“Apps really should be encrypting all traffic by default—especially for something as sensitive as online dating,” he says.
The problem is compounded, Brookman adds, by the fact that it’s very difficult for the average person to determine whether a mobile app uses encryption. With a website, you can simply look for the HTTPS at the start of the internet address instead of HTTP. For mobile apps, though, there’s no telltale sign.
“So it’s more difficult to know if your communications—especially on shared networks—are protected,” he says.
The second security issue for Tinder stems from the fact that different data is sent from the company’s servers in response to left and right swipes. The data is encrypted, but the researchers could tell the difference between the two responses by the length of the encrypted text. That means an attacker can figure out how the user responded to an image based solely on the size of the company’s response.
By exploiting the two flaws, an attacker could therefore see the images the user is looking at and the direction of the swipe that followed.
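The length leak described above is easy to reproduce and easy to fix on the server side. The following Python is an added example, not code from Checkmarx, Tinder or Consumer Reports: it uses a toy length-preserving cipher (a hash-based keystream plus a 16-byte tag, standing in for the AES-GCM records TLS actually sends) and two constructed JSON replies that play the role of the "swipe right" and "swipe left" responses, since the real payloads are not on the page. It shows that an observer who sees only ciphertext sizes can still tell the two replies apart, and that padding every reply to a fixed bucket size before encryption removes the difference. The names `RESPONSE_LIKE`, `RESPONSE_PASS`, `pad_to_bucket` and `leaks_swipe_direction` are this example's own.

```python
import hashlib
import hmac
import json
import os

# Constructed sample replies standing in for the two different server
# responses the report describes (real Tinder payloads are not on the page).
RESPONSE_LIKE = json.dumps({"match": False, "likes_remaining": 100, "rate_limited_until": 0}).encode()
RESPONSE_PASS = json.dumps({"status": 200}).encode()

NONCE_LEN = 12
TAG_LEN = 16  # authentication-tag overhead, as in AES-GCM


def keystream(key, nonce, length):
    """Hash-based keystream; a stand-in for a real stream/AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Toy AEAD: nonce || plaintext XOR keystream || tag.

    Like every modern TLS cipher suite, it hides content but not length:
    len(ciphertext) == len(plaintext) + NONCE_LEN + TAG_LEN.
    """
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hashlib.sha256(key + nonce + body).digest()[:TAG_LEN]
    return nonce + body + tag


def decrypt(key, ciphertext):
    nonce = ciphertext[:NONCE_LEN]
    body = ciphertext[NONCE_LEN:-TAG_LEN]
    tag = ciphertext[-TAG_LEN:]
    expected = hashlib.sha256(key + nonce + body).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def pad_to_bucket(plaintext, bucket=256):
    """Mitigation: append 0x80 then zeros up to a multiple of `bucket` bytes,
    so replies of different sizes encrypt to ciphertexts of the same size."""
    padded = plaintext + b"\x80"
    padded += b"\x00" * (-len(padded) % bucket)
    return padded


def unpad(padded):
    return padded.rstrip(b"\x00")[:-1]


def ciphertext_lengths(key, pad=False):
    """Sizes a passive observer on the network would see for each reply."""
    prep = pad_to_bucket if pad else (lambda p: p)
    return len(encrypt(key, prep(RESPONSE_LIKE))), len(encrypt(key, prep(RESPONSE_PASS)))


def leaks_swipe_direction(key, pad=False):
    """True when the two encrypted replies can be told apart by size alone."""
    like_len, pass_len = ciphertext_lengths(key, pad)
    return like_len != pass_len


if __name__ == "__main__":
    key = os.urandom(32)
    print("unpadded sizes:", ciphertext_lengths(key), "leaks:", leaks_swipe_direction(key))
    print("padded sizes:  ", ciphertext_lengths(key, pad=True), "leaks:", leaks_swipe_direction(key, pad=True))
```

The bucket size has to cover the largest reply in the family of responses being hidden; anything that still overflows into a second bucket reintroduces a (coarser) leak. TLS 1.3 also offers record-level padding, which achieves the same goal at the transport layer without changing the application's JSON.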
“You’re using an app you think is private, but you actually have someone standing over your shoulder looking at everything,” says Amit Ashbel, Checkmarx’s cybersecurity evangelist and director of product marketing.
For the attack to work, though, the hacker and victim must both be on the same WiFi network. That means it would require the public, unsecured network of, say, a coffee shop or a WiFi hot spot set up by the attacker to lure people in with free service.