Risky romance: Dating apps can expose users to malicious location tracking

A new study published by the University of KU Leuven in Belgium analyzed 15 popular dating apps to assess the risks of location-based services on users’ personal and sensitive data.

Location-based dating (LBD) intends to facilitate match-making by pairing up people in proximity to each other. However, the study “Swipe Left for Identity Theft” has identified six dating apps that might be putting users at risk by compromising their personal information. And in the world of dating, safety is paramount.

In evaluating intended and inadvertent sharing, researchers found that location-based services “expose large amounts of personal data to other users, enabling the extraction of sensitive personal traits as the apps request information such as age, sexual orientation, and exact location.”

The first-ever extensive privacy analysis of dating apps

After selecting the most popular dating apps, the KU Leuven team conducted what they believe to be the first comprehensive privacy analysis of its kind.

First, the researchers evaluated how easily someone with malicious intent could create an account and extract user data. Next, they measured the personal data shared by these apps, including sensitive attributes, dating-sensitive data, and users’ exact locations. Finally, they examined “how privacy policies of these apps discuss the collection and potential leaking of personal data.”

What users choose to share — their age and sexual orientation— is one data set they took into consideration. However, inadvertent sharing represents the “most severe violations” as users might be unaware of what information could be leaked in a dating world that values choice, open communication, and protection.

Six apps in particular — Badoo, Grindr, happn, Bumble, Hinge, and Hily — expose users to three forms of trilateration, according to Tech Crunch.

The dark side of location services

As they report, trilateration, a technique used by GPS, locates a user using a three-point system by creating three circles around them.

“Exact distance trilateration,” according to Engadget , identifies its target to “at least 111m by 111m square (at the equator).” “Rounded distance trilateration” provides an estimate, but loopholes in the system can be exploited. “Oracle trilateration” utilizes an oracle that uses a binary signal to find an approximate location. However, the study stated that an attacker can feasibly move, and the interface will update accordingly, allowing someone with malicious intentions to determine the location of their target.

As reported by Engadget , Grindr was “susceptible to exact distance trilateration.” Happn exposes its users to the risk of “rounded distance trilateration,” while the remaining four, including Bumble, would fall under the “oracle trilateration” category. However, they highlighted that Hinge and Hily conceal the distances of their users.

Karel Dhondt, one of the researchers, told TechCrunch , “It was somewhat surprising that known issues were still present in these popular apps.”

“I’d say 2 meters is close enough to pinpoint the user,” Dhondt said, considering the personal information users upload to the platform, including photographs.

Dating apps respond promptly to address the problem

Several dating apps have publicly responded to the questions surrounding their protection policies.

“We were made aware of these findings in early 2023 and swiftly resolved the issues outlined. As a global business with members in countries all over the world, we are committed to protecting our users’ privacy and have adopted a global approach to privacy compliance,” a Bumble spokesperson told Mashable .

Dmytro Kononov, CTO and co-founder of Hily, acknowledged, “The findings indicated a potential possibility for trilateration. However, in practice, exploiting this for attacks was impossible.”

Meanwhile, CEO and president of happn, Karima Ben Abdelmalek, told TechCrunch that they reviewed the findings. “However, happn has an additional layer of protection beyond just rounding distances…This additional protection was not taken into account in their analysis and we mutually agreed that this extra measure on happn makes the trilateration technique ineffective.”

The dating apps investigated took action on a positive note and have adjusted their distance filters to avoid any trilateration, as TechCrunch reported.

The privacy policies of these apps state what data they process, and some even acknowledge the risk of leaks, including locations, but they mostly place the responsibility on users. However, to conclude, the study noted that researchers could retrieve multiple profiles and “permanently request one user’s profile at any time, and easily create accounts.”

In the age of scams, even, this robust investigation is a solid preventative measure that suggests that apps should reduce data gathering and improve their privacy settings.