Popular gay dating app Grindr has been criticized for revealing the locations of its users in more detail than they might be expecting, and for allowing the identity of message senders to be spoofed.
A post on Pastebin provides details of how easy it is to leverage the app’s nearby-user-locator to figure out the exact location of a given user.
For any user with location services enabled, a simple request to Grindr’s servers will return a distance value. Using three such values taken from different spots, the position of the targeted user can be pinned down (assuming of course they don’t move around too much while you’re taking your three measurements).
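Why the precision of the returned distance matters, as an added example (not code from the Pastebin post or from Grindr): on a flat plane, three exact distances fix a single point, and the estimate degrades as the service rounds what it returns. The coordinates are constructed, and `report_step` is a hypothetical server-side rounding setting, not a documented Grindr parameter.

```python
import math

# Constructed sample data: positions in metres on a flat local plane.
OBSERVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
TRUE_POSITION = (1200.0, 700.0)


def reported_distance(observer, target, report_step):
    """Distance a service would return; report_step (hypothetical) rounds it."""
    d = math.hypot(target[0] - observer[0], target[1] - observer[1])
    if report_step <= 0:
        return d  # full precision
    return round(d / report_step) * report_step


def trilaterate(points, dists):
    """Solve for (x, y) from three circle equations |p - p_i| = d_i."""
    (x0, y0), (x1, y1), (x2, y2) = points
    d0, d1, d2 = dists
    # Subtracting circle 0 from circles 1 and 2 leaves two linear equations.
    a11, a12 = 2 * (x1 - x0), 2 * (y1 - y0)
    a21, a22 = 2 * (x2 - x0), 2 * (y2 - y0)
    b1 = d0**2 - d1**2 + x1**2 + y1**2 - x0**2 - y0**2
    b2 = d0**2 - d2**2 + x2**2 + y2**2 - x0**2 - y0**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("observation points are collinear; no unique fix")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det)


def estimate_error(report_step):
    """Metres between the true position and the position implied by the
    three reported distances at the given rounding step."""
    dists = [reported_distance(o, TRUE_POSITION, report_step) for o in OBSERVERS]
    x, y = trilaterate(OBSERVERS, dists)
    return math.hypot(x - TRUE_POSITION[0], y - TRUE_POSITION[1])


if __name__ == "__main__":
    for step in (0, 100, 1000):
        label = "exact" if step == 0 else f"rounded to {step} m"
        print(f"{label:>18}: error {estimate_error(step):8.1f} m")
```

Rounding only widens the uncertainty for this one set of three readings; it is a measure of exposure, not a guarantee that the position stays hidden.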
The same poster also describes a weakness in the app’s messaging system, wherein the sender information attached to a message is adjustable and may not necessarily tally with the user ID.
This is much like email, where “From” and “Sender” headers are routinely tweaked by spammers and legitimate mailers alike for a range of purposes, but is perhaps an even less desirable feature in a dating app.
The anonymous poster claims “officials at Grindr have been informed several times within the past months about these issues”, and suggests the issues may put users in oppressive regimes in danger.
Grindr representatives responded to the claims, telling the Huffington Post:
“As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed.”
Grindr has also suggested to users living in or visiting less gay-friendly places that it might be wise to disable the location monitoring, by turning the app’s “Show Distance” setting to “Off”.
Proximity-based apps are, invariably and by design, not intended for anyone concerned about privacy.
Whether you’re trying to find friendly blokes, amiable ladies, fellow lasagne-lovers or others who share your appreciation of Rick Astley nearby, when you join that community and start asking who in the group is near you, you’re always going to leak some information on where you are.
Location information is beloved of all sorts of people, perhaps the keenest being the marketers and advertisers seeking to milk every morsel of information they can find about potential ad targets for all it’s worth.
Thanks to this value being put on the information, apps come up with all sorts of ways to persuade you to let them read your location so they can earn the big bucks from the advertisers.
Apps whose sole purpose is telling people where you are have hit a home run in this regard, whether they’re proximity-based dating apps or even simpler location-boasting services such as Foursquare, which made some privacy vs. functionality headlines of its own recently.
Even when location tracking isn’t done in a horribly insecure fashion, any location information you share is likely to be open to abuse, especially when combined with other personal information of the kind routinely shared on social networking and dating services.
To repeat once again one of Paul Ducklin’s many top tips:
“Turn geolocation services off. Giving out regular and precise updates of your whereabouts is convenient - but you should consider your location to be a form of PII (personally identifiable information).”
Grindr may not be as well-secured as it could possibly be: it has had security problems in the past, and its message sender information could perhaps be made a little less straightforward to spoof. But no-one using it, or anything else that has access to your location, should expect much privacy.
If you don’t want someone to know something about you, don’t shout it from any rooftops, and don’t share it with any apps.