Usually when you think of “privacy,” it includes ideas like, say, other people not knowing who you are, or not being able to locate you down to the nearest meter. And yet that last bit seems to have been grossly overlooked by the developers of certain dating and hookup apps, which, it turns out, leak your exact location even if you have location-based services turned off.
As Wired reports, that’s the flaw security researchers recently found in Grindr, a well-known app for men seeking men, and it appears in competing apps Jack’d and Hornet, too.
It works like this: the apps have a feature that can indicate how far away someone is from another user’s location. So when it comes to planning and timeliness, you can see if someone is within a half-mile of you and likely to be able to meet quickly, or thirty miles away and maybe setting up a date for tomorrow is a better idea.
Users can disable that feature for privacy’s sake, but the problem is, it appears not to matter. Even with the location-sharing disabled, security researchers were quickly and easily able to pinpoint subjects’ exact location, including that of the Wired reporter:
Within fifteen minutes, Hoang [the researcher] had identified the intersection where I live. Ten minutes after that, he sent me a screenshot from Google Maps, showing a thin arc shape on top of my building, just a couple of yards wide. “I think this is your location?” he asked. In fact, the outline fell directly on the part of my apartment where I sat on the couch talking to him.
So how do you get from “how far away is this guy?” to “I can see your couch from here”? It’s called a trilateration attack, and it’s basically a modern variation on the ancient tech of triangulation: establish the distance from three points, and you can figure out what the common dot in the middle is.
All the researchers had to do to come up with increasingly narrow radii where other users had to be located was to control two other accounts of their own, and adjust their locations incrementally until they hit the sweet spot.
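To show why the precision of a displayed distance matters, here is the geometry behind "three distances, one common dot" as an added example; it is not code from Wired or from the researchers. It assumes a flat plane measured in metres, uses constructed reference points, and the rounding step is a hypothetical setting, not something the apps are reported to do.

```python
import math

def trilaterate(anchors, distances):
    """Return (x, y) on a flat plane from three known points and the distance to each."""
    (x1, y1), (x2, y2), (x3, y3) = anchors
    d1, d2, d3 = distances
    # Subtracting circle 1 from circles 2 and 3 cancels x^2 and y^2,
    # leaving two linear equations in x and y.
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("reference points are collinear; the position is ambiguous")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det)

def reported_distance(true_pos, anchor, step=0.0):
    """Distance as a service might display it, rounded to `step` metres (0 = exact)."""
    d = math.dist(true_pos, anchor)
    return d if step == 0 else round(d / step) * step

def fix_error(true_pos, anchors, step=0.0):
    """Metres between the true position and the one recovered from reported distances."""
    shown = [reported_distance(true_pos, a, step) for a in anchors]
    return math.dist(trilaterate(anchors, shown), true_pos)

# Constructed sample values: metres on an arbitrary local grid, not real coordinates.
TRUE_POS = (420.0, 310.0)
ANCHORS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]

if __name__ == "__main__":
    for step in (0.0, 10.0, 100.0):
        err = fix_error(TRUE_POS, ANCHORS, step)
        print(f"distance precision {step:>5} m -> fix error {err:.2f} m")
```

With exact distances the recovered point matches the true one; with distances rounded to 100 m this single fix lands about 40 m away.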
The flaw is particularly alarming given the apps’ content. Acceptance of same-sex encounters and relationships is still far from universal, and a man outed by his phone could find everything from his job to his personal safety at risk. Likewise, the apps are used globally, and users living in officially repressive, dangerous regimes could become targets of the state.
A Grindr rep told Wired that they take their users’ safety and privacy extremely seriously and said, “we are working to develop increased security features for this app.”
An executive for Jack’d said much the same, adding, “We encourage our members to take all necessary precautions with the information they choose to display on their profiles and properly vet people before meeting in public.”
But if others can figure out your location even though you haven’t chosen to display that information on your profile, well, that kind of leaves users up a creek.
The research team also points out that although this study was focused on one kind of app, it’s hardly going to be the only one out there with this problem. Plenty of other apps and services list fellow users in your vicinity, too.