Mobile dating app Tinder has been surging in popularity in recent months – it was a hit at the Olympic village in Sochi, and it recently made its first match in Antarctica – but it has also had a flaw that could allow someone with "rudimentary Web coding skills" to pinpoint a user's exact location, present since at least October, according to security researchers. Employees of Include Security, the white hat hacking company that found the flaw, suggested developers should be more careful in their program design, noting that the same problem could occur in many mobile applications.
In a blog post on the Include Security website, researcher Max Veytsman explained that the flaw differed from a privacy vulnerability in Tinder from July 2013, which pinpointed the user's exact latitude and longitude. That issue was fixed, but the fix is likely the source of the new problem, which is that the app is still returning very specific distance data on users, enabling triangulation of a user's location to within 100 feet. While Tinder's API is no longer returning exact GPS coordinates, it does have a field that shows the user's distance in miles from another user to 15 decimal places.
With this information, someone could create three dummy profiles to triangulate the location of a specific user, Veytsman noted. He published a proof of concept in the blog post and a YouTube video. Include Security reported the issue to Tinder in October, and, in December, the Tinder team told them a fix was coming. However, no further updates were given, so the researchers decided to publish their findings.
Improving user privacy
The triangulation flaw could be dangerous in that it could easily enable a determined stalker to pursue an ex-girlfriend, for instance. For Tinder, this issue is particularly noteworthy since, as many sources have noted, much of the app's success has come from convincing women it did not offer the creepiness of other online dating services. But perceived privacy issues can affect the reputation of any app, Include founder Erik Cabetas told Bloomberg Businessweek.
"We want technology companies to remember that as they're moving a million miles an hour to innovate, they need to consider security and privacy as part of the value proposition they're selling their customers," he said. "Consumers tend to avoid use of applications, cloud services or websites that severely encroach on their privacy."
In that spirit, Include also offered several warnings about how common privacy flaws are in location-based apps. Veytsman detailed what developers should look at to avoid similar flaws.
"The team's recommendation for remediation is to never deal with high-resolution measurements of distance or location in any sense on the client-side," he wrote. "These calculations should be done on the server-side to avoid the possibility of the client applications intercepting the positional information."
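The following Python is an added illustration, not code from the Include Security post or from Tinder, tying together the triangulation described above and the remediation quoted here: working in a flat local plane measured in metres, it shows that a distance field carrying 15 decimal places of a mile is equivalent to handing out coordinates (three known points recover a position to within a metre), while the same computation on the coarse, whole-mile value a server-side calculation could return instead misses by hundreds of metres. The probe and target coordinates are constructed for the demonstration.

```python
import math

METRES_PER_MILE = 1609.344  # the API field in the article reports distance in miles

def distance_miles(p, q):
    """Straight-line distance between two local-plane points, in miles."""
    return math.hypot(p[0] - q[0], p[1] - q[1]) / METRES_PER_MILE

def trilaterate(probes, dists_m):
    """Recover (x, y) from three probe points and their distances to it.

    Subtracting the circle equations pairwise gives two linear equations
    in x and y, solved here by Cramer's rule. Probes must not be collinear.
    """
    (x1, y1), (x2, y2), (x3, y3) = probes
    r1, r2, r3 = dists_m
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d, e = 2 * (x3 - x2), 2 * (y3 - y2)
    f = r2**2 - r3**2 - x2**2 + x3**2 - y2**2 + y3**2
    det = a * e - b * d
    if det == 0:
        raise ValueError("probe points are collinear; position is ambiguous")
    return (c * e - b * f) / det, (a * f - c * d) / det

def location_error_m(target, probes, decimals):
    """How far (in metres) a position recovered from distances reported with
    `decimals` decimal places of a mile lies from the true target."""
    reported = [round(distance_miles(p, target), decimals) for p in probes]
    est = trilaterate(probes, [r * METRES_PER_MILE for r in reported])
    return math.hypot(est[0] - target[0], est[1] - target[1])

# Constructed scenario: three probe positions and a target, in metres east/north
# of an arbitrary origin (a flat-plane approximation is adequate at this scale).
PROBES = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
TARGET = (1200.0, 900.0)

def precision_impact(target=TARGET, probes=PROBES):
    """Error of the recovered position for several distance-field precisions."""
    return {dec: location_error_m(target, probes, dec) for dec in (15, 2, 0)}

if __name__ == "__main__":
    for dec, err in precision_impact().items():
        print(f"{dec:>2} decimal places of a mile -> recovered position off by {err:8.2f} m")
```

Running it shows the leak shrinking from sub-metre accuracy at 15 decimal places to a few metres at two and to hundreds of metres at whole miles, which is the measurement a developer can use to judge how coarse a server-computed distance needs to be.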
As mobile app vendors look to win over customers, developers can benefit from using tools like static analysis software to ensure they aren't leaving obvious privacy gaps in their apps. Code review during the development process can also help teams catch defects that could lead to privacy problems down the line. With Tinder's latest problem, location-based privacy should be a key concern for mobile developers.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.