Some dating apps require users to grant them access to their location and, according to security researchers from the firm Pen Test Partners, these apps also make it possible to track users' real-time location using just their username and the official API.
According to Pen Test Partners, some previous tests on Grindr showed that it was possible to trilaterate user location. Trilateration is not very different from triangulation; it just also takes altitude into account. It’s the algorithm that GPS uses to determine location.
Many profiles on these apps show the estimated distance to the user within the UI. By supplying different locations to the app, it’s not difficult to get the estimated distances to these profiles from different points and then either triangulate or trilaterate the data in order to get the location of a person.
The location data the apps store is quite precise – 8 decimal places of latitude or longitude.
The firm got to work and created a tool that put together a number of dating apps into one single bird’s eye view. By using it, they can locate users of Grindr, Romeo, Recon and 3fun – altogether some 10 million users located all over the world.
By knowing someone’s username, the firm was able to track them everywhere, almost in real time, from home to work, and even find out where they enjoy hanging out. They even managed to pinpoint that a dating app user works at 10 Downing Street in London, home to the Prime Minister of the UK.
The firm redacted the usernames, of course, but this example only further shows how vulnerable users are when it comes to location-based dating apps.
For example, LGBT+ people could easily be located in countries where they have little to no rights and get arrested, detained or, in some places, even executed.
Pen Test Partners contacted some app makers to get some answers about the situation. Romeo was the fastest to reply and mentioned that their app does have a feature which allows the users to move from a nearby position instead of relying on the GPS. However, this setting is not enabled by default and users have to turn it on manually.
Recon replied a few days later, saying they would address and fix the issue (which they eventually did). Grindr, on the other hand, did not reply, and 3fun – well, suffice to say that it leaked locations, photos and other personal details in the meantime.
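One server-side mitigation for the distance leak described above, added here as an example and not taken from Pen Test Partners or any of the apps named: snap each stored position to a grid cell and report distance in bands, so precise coordinates never feed the number shown in the UI. The 0.01° cell, the 500 m band, the function names and the coordinates are all assumptions made for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000
CELL_DEG = 0.01   # assumed grid size, roughly 1.1 km of latitude
BAND_M = 500      # assumed width of the distance bands shown in the UI


def snap(lat, lon, cell=CELL_DEG):
    """Return the centre of the grid cell containing (lat, lon).

    Store this instead of the raw GPS fix, so later queries cannot
    recover anything finer than the cell.
    """
    return ((math.floor(lat / cell) + 0.5) * cell,
            (math.floor(lon / cell) + 0.5) * cell)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def reported_distance_m(viewer, target, band=BAND_M):
    """Distance the API returns: both ends snapped, rounded up to a band."""
    v = snap(*viewer)
    t = snap(*target)
    d = haversine_m(v[0], v[1], t[0], t[1])
    return max(band, math.ceil(d / band) * band)


if __name__ == "__main__":
    # Constructed sample positions: two users about 580 m apart, same cell.
    user_a = (48.1234, 11.5678)
    user_b = (48.1271, 11.5623)
    for probe in [(48.10, 11.50), (48.20, 11.60), (48.13, 11.70)]:
        print(probe,
              reported_distance_m(probe, user_a),
              reported_distance_m(probe, user_b))
```

Because both users fall in the same cell, every query point sees the same banded distance for each of them, so repeated distance queries can narrow a user down to the cell at best.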
So next time you’re thinking about downloading a dating app, dig a little deeper, just to make sure you’re as safe as you can be.