Gay dating apps still leak user location
Three researchers from Kyoto University have presented a method to determine the location of users of gay dating apps like Grindr. This method differs slightly from previous similar techniques that allowed location determination.
This method is based on a technique known as trilateration, where a particular location can be determined from distances to three different points. In 2014, following another investigation, Grindr had already taken additional security measures to prevent such an attack. For example, the app introduced the option to disable the distance measurement function and the company did this as standard in countries such as Russia, Egypt and Sudan. The comparable apps Hornet and Jack’d also implemented similar measures, Wired writes.
The Japanese scientists’ research is based on a variant of the existing attacks called colluding-trilateration. In addition, it is necessary to create two additional accounts, in the case of the researchers this was done on a virtual computer in combination with a simulated GPS location. In the case of Grindr, this app displays people nearby in a grid, regardless of whether the distance feature is turned on. By positioning the two fake accounts in the grid on either side of the victim, it is possible to determine the limits of the distance to the victim and thus also his location. This method only uses publicly available information.
The apps Jack’d and Hornet use a slightly different way to protect users, but in these cases too, the researchers were able to track down users’ locations. Grindr and Jack’d were also found to transfer internet traffic unencrypted, in the case of Grindr this also involved photos, which made it possible to trace the original image. Spokespersons for the three companies told Wired that they will take measures, although it was not clear what these consist of.
According to the researchers, the problem is not easy to solve. Further obscuring the location of users could negatively affect usability. A real remedy is therefore only to use the apps in combination with a tool that simulates a GPS location.