Your dating life may not be so secret, after all

Nov 17, 2015 16:38 GMT  ·  By

Tantan, the Chinese Tinder clone, does not use HTTPS to encrypt traffic and exposes almost all the user's personal data in its traffic, as reported by Larry Salibra, Founder & CEO of Pay4Bugs, a crowd-sourced pay-per-bug software testing platform.

Mr. Salibra analyzed the app, intrigued by its close resemblance to Tinder, and also by its UI and UX, which he found far superior to Tinder's interface.

Curious whether the app's backend was as clean and well polished as its frontend, he connected his iPhone to his computer and, using Xcode, took a look at what was happening under the hood.

Debug messages and passwords in cleartext

Surprisingly, the first thing he noticed was a slew of debug messages spewed to Xcode's console. Most other apps suppress such messages to avoid accidentally leaking private user information.

After routing the phone's traffic through his home router and running a basic tcpdump capture, the second thing he noticed was a complete lack of encryption on the app-server communications.

While he saw a password-looking string being exchanged at the start of the session, he later discovered that it was a static, hardcoded app identification token. He didn't have to wait long to see his real password, though. Just after authenticating, Mr. Salibra saw his password in cleartext, along with a lot of other information, being sent over an unprotected channel.

Using the app normally, he found that Tantan discloses almost everything about its users, sending the data over unprotected HTTP, where it can easily be intercepted, logged, and stolen at any hop the traffic passes through.

The revealed data includes the user's real name, password, dating preferences, sexual orientation, left/right swipes, hobbies, interests, chat messages, and location.
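The kind of check a tester would run on such a capture is a scan of the decoded HTTP requests for sensitive field names sent without TLS. The following is an added example, not code from the original report or from Tantan; the three requests, the host `api.example.invalid` and the field names are constructed for illustration and do not reflect Tantan's real API.

```python
"""Flag cleartext HTTP requests that carry sensitive fields.

Added example. The capture below is constructed: (destination port, raw
HTTP/1.1 request) pairs such as a tcpdump/Wireshark follow-stream export
would yield. Port 443 traffic is assumed TLS-wrapped and is skipped, since
it would be opaque to this kind of inspection.
"""
from urllib.parse import parse_qs, urlsplit

# Field names whose presence in a cleartext request is worth reporting.
SENSITIVE_FIELDS = {
    "password", "passwd", "pwd", "token", "session",
    "lat", "lng", "latitude", "longitude", "email", "phone",
}

# Constructed sample capture (hypothetical host and paths).
CAPTURE = [
    (80, "POST /v1/auth HTTP/1.1\r\nHost: api.example.invalid\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "username=alice&password=hunter2"),
    (80, "GET /v1/nearby?lat=22.3193&lng=114.1694&radius=5 HTTP/1.1\r\n"
         "Host: api.example.invalid\r\n\r\n"),
    (80, "GET /v1/static/logo.png HTTP/1.1\r\nHost: api.example.invalid\r\n\r\n"),
]


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def sensitive_fields(req: dict) -> set:
    """Sensitive parameter names found in the query string or a form body."""
    found = {k.lower() for k in parse_qs(urlsplit(req["target"]).query)}
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        found |= {k.lower() for k in parse_qs(req["body"])}
    return found & SENSITIVE_FIELDS


def audit_capture(capture: list) -> list:
    """Return (method, target, sorted field names) for every cleartext request
    that exposes at least one sensitive field."""
    findings = []
    for port, raw in capture:
        if port == 443:
            continue  # TLS: contents not visible on the wire
        req = parse_http_request(raw)
        fields = sensitive_fields(req)
        if fields:
            findings.append((req["method"], req["target"], sorted(fields)))
    return findings


if __name__ == "__main__":
    for method, target, fields in audit_capture(CAPTURE):
        print(f"cleartext {method} {target} exposes {', '.join(fields)}")
```

Only form-encoded bodies are inspected here; the page does not say which body format Tantan used, so a JSON body would need its own decoder. The point of the check is that anything it can read, every router and proxy between the phone and the server can read too.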

Malicious parties can stalk Tantan users if they want to

But the app's poor privacy protections don't only expose its users' data. Malicious actors can easily determine another user's location just by matching with them.

Because the Tantan app also discloses the distance to each matched person, an attacker only needs to obtain the distance to a target from three different locations.

With those three sets of coordinates and the corresponding distances, a triangulation calculation yields the match's location with a high degree of accuracy. And voilà, a simple way to spy on or stalk a love interest.
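The privacy lesson here is about precision: exact distances from three points pin a user to a single spot, while coarsened distances leave a whole region consistent with the same three readings. The simulation below is an added example and not code from the original report; it models a flat plane in metres with three hypothetical observer positions and a hypothetical target, and compares what three readings reveal when the server reports exact distances versus distances rounded to a bucket. It generalizes the page's description slightly by treating any granularity, not only the exact case.

```python
"""How much three distance readings reveal, at different reporting precisions.

Added example. Coordinates are metres on a flat plane (a toy model; real
distances are geodesic). Observer positions and the target are constructed.
"""
import math

# Constructed scenario: three positions an observer reads the distance from,
# and the (unknown to the observer) location of the target.
OBSERVERS = [(0, 0), (5000, 0), (0, 5000)]
TARGET = (1200, 3400)


def report(distance: float, granularity: int):
    """What the server discloses: the exact distance, or the nearest bucket
    of `granularity` metres (0 means exact)."""
    if granularity == 0:
        return distance
    return round(distance / granularity) * granularity


def observe(target, observers, granularity: int) -> list:
    """The three (observer position, reported distance) pairs an observer
    would collect for `target` at the given reporting precision."""
    return [
        (o, report(math.hypot(target[0] - o[0], target[1] - o[1]), granularity))
        for o in observers
    ]


def consistent_points(observations: list, granularity: int,
                      step: int, extent: int) -> list:
    """Grid points in [0, extent]^2 (spacing `step`) whose distances to every
    observer would have been reported exactly as in `observations`."""
    points = []
    for x in range(0, extent + 1, step):
        for y in range(0, extent + 1, step):
            if all(report(math.hypot(x - ox, y - oy), granularity) == d
                   for (ox, oy), d in observations):
                points.append((x, y))
    return points


def region_size(granularity: int, step: int = 100, extent: int = 5000) -> int:
    """Number of candidate grid points left after three readings."""
    obs = observe(TARGET, OBSERVERS, granularity)
    return len(consistent_points(obs, granularity, step, extent))


if __name__ == "__main__":
    for g in (0, 100, 1000):
        print(f"granularity {g:>4} m -> {region_size(g)} candidate points")
```

With exact reporting the only surviving grid point is the target itself; with 1 km buckets the same three readings leave a cluster of candidates. Coarsening alone is not a complete fix, since an observer who can query repeatedly from more positions shrinks that region again, so limiting how often distances can be requested matters as much as how precisely they are reported.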

Tantan promises improved security

If there's something the Ashley Madison hack showed us, it is that people take their dating life seriously, with some of the people exposed in that data breach ending up taking their own lives as a result.

Mr. Salibra made all these discoveries in March 2015. He contacted the app's maker, but after countless unanswered emails, he decided to go public.

After Mr. Salibra published his investigation, Tantan's CEO and Co-founder, Yu Wang, contacted Mr. Salibra and promised to fix some of the app's security issues in upcoming versions.

Image: Tantan, Chinese dating app, modeled after Tinder
Image: Geolocation data exposed via Tantan iOS app