Researchers in the UK have demonstrated that Grindr, the most popular dating app for gay men, continues to reveal its users' location data, putting them at risk from stalking, robbery and gay-bashing.
Cyber-security firm Pen Test Partners was able to precisely locate users of four popular dating apps—Grindr, Romeo, Recon and the polyamorous site 3fun—and says a potential 10 million users are at risk of exposure.
"This risk level is elevated for the LGBT+ community who may use these apps in countries with poor human rights where they may be subject to arrest and persecution," a post on the Pen Test Partners site warns.
Most dating app users know some location information is made public—it's how the apps work. but Pen Test says few realize how precise that information is, and how easy it is to manipulate.
"Imagine a man shows up on a dating app as '200 meters [650ft] away.' You can draw a 200m radius around your own location on a map and know he is somewhere on the edge of that circle. If you then move down the road and the same man shows up as 350m away, and you move again and he is 100m away, you can then draw all of these circles on the map at the same time and where they intersect will reveal exactly where the man is."
Pen Test was able to produce results without even going outside—using a dummy account and a tool to provide fake locations and do all the calculations automatically.
Grindr, which has 3.8 million daily active users and 27 million registered users overall, bills itself as "the world's largest LGBTQ+ mobile social network." Pen Test demonstrated how it could easily track Grind users, some of whom are not open about their sexual orientation, by trilaterating their location of its users. (Used in GPS, trilateration is similar to triangulation but takes altitude into account.)
"By supplying spoofed locations (latitude and longitude) it is possible to retrieve the distances to these profiles from multiple points, and then triangulate or trilaterate the data to return the precise location of that person," they explained.
As the researchers point out, in many U.S. states, being identified as gay can mean losing your job or home, with no legal recourse. In countries like Uganda and Saudia Arabia, it can mean violence, imprisonment or even death. (At least 70 countries criminalize homosexuality, and police have been known to entrap gay men by detecting their location on apps like Grindr.)
"In our testing, this data was sufficient to show us using these data apps at one end of the office versus the other," researchers wrote. In fact, modern smartphones collect infinitesimally precise data—"8 decimal places of latitude/longitude in some cases," researchers say—which could be revealed if a server was compromised.
Developers and cyber-security experts have know about the flaw for some years, but many apps have yet to address the issue: Grindr didn't respond to Pen Test's queries about the danger of location leaks. But the researchers dismissed the app's previous claim that users' locations aren't stored "precisely."
"We didn't find this at all—Grindr location data was able to pinpoint our test accounts down to a house or building, i.e. exactly where we were at that time."
Grindr says it hides location data "in countries where it is dangerous or illegal to be a member of the LGBTQ+ community," and users elsewhere always have the option of "hid[ing] their distance information from their profiles." But it's not the default setting. And scientists at Kyoto University demonstrated in 2016 how you could easily find a Grindr user, even if they disabled the location feature.
Of the other three apps tested, Romeo told Pen Test it had a feature that could move users to a "nearby position" rather than their GPS coordinates but, again, it's not the default.
Recon reportedly addressed the issue by reducing the precision of location data and using a snap-to-grid feature, which rounds individual user's location to the nearest grid center.
3fun, meanwhile, is still dealing with the fallout of a recent leak revealing members locations, photos and personal details—including users identified as being in the White House and Supreme Court building.
"It is difficult to for users of these apps to know how their data is being handled and whether they could be outed by using them," Pen Test wrote. "App makers must do more to inform their users and give them the ability to control how their location is stored and viewed."
Hornet, a popular gay app not included in Pen Test Partner's report, told Newsweek it uses "sophisticated technical defenses" to protect users, including monitoring application programming interfaces (APIs). In LGBT-unfriendly countries, Hornet stymies location-based entrapment by randomizing profiles when sorted by distance and using the snap-to-grid format to avoid triangulation.
"Safety permeates every aspect of our business, whether that's technical security, protection from bad actors, or providing resources to educate users and policy makers," Hornet CEO Christof Wittig told Newsweek. "We use a vast array of technical and community-based solutions to deliver this at scale, for millions of users every day, in some 200 countries around the world."
Concerns about security leaks at Grindr, in particular, came to a head in 2018, when it was revealed the company was sharing users' HIV status to third-party vendors that tested its performance and features. That same year, an app called C*ckblocked allowed Grindr members who gave their password to see who blocked them. But it also allowed app creator Trever Fade to access their location data, unread messages, email addresses and deleted photos.
Also in 2018, Beijing-based gaming company Kunlin completed its acquisition of Grindr, leading the Committee on Foreign Investment in the United State (CFIUS) to determine that the app being owned by Chinese nationals posed a national security risk. That's mainly because of concern over personal data protection, reports Tech Crunch, "specifically those who are in the government or military."
Plans to launch an IPO were reportedly scratched, with Kunlun now expected to sell Grindr instead.
UPDATE: This article has been updated to include a statement from Hornet.
