It turned out that most apps (five out of nine) are vulnerable to MITM attacks because they do not verify the authenticity of certificates.
Almost all of the apps authorize through Facebook, so the lack of certificate verification can lead to the theft of the temporary authorization key, which takes the form of a token.
Tokens are valid for 2–3 weeks, throughout which time criminals have access to some of the victim’s social media account data in addition to full access to their profile on the dating app.
Regardless of the exact kind of data the app stores on the device, such data can be accessed with superuser rights.
The analytics module used in the Android version does not encrypt data about the device (model, serial number, etc.), and the iOS version connects to the server over HTTP and transfers all data unencrypted (and thus unprotected), messages included.
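As an added check that is not part of the original report, the following Python script flags the configuration states behind two of the findings above: plain HTTP permitted on iOS (App Transport Security exceptions in Info.plist) and cleartext traffic or trust in user-installed CAs on Android (network_security_config.xml), the latter being what lets an interposed certificate pass as genuine. The two sample files are constructed and belong to no real app.

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample files (hypothetical, not taken from any of the apps named above).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>analytics.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""

SAMPLE_NSC = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

def audit_ios_ats(plist_bytes):
    """Flag App Transport Security settings that let an iOS app talk plain HTTP."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally: plain HTTP allowed to any host")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"cleartext HTTP allowed to {domain}")
    return findings

def audit_android_nsc(xml_bytes):
    """Flag cleartext traffic and user-CA trust in an Android network_security_config.xml."""
    findings = []
    for cfg in ET.fromstring(xml_bytes).iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{cfg.tag}: cleartext traffic permitted")
        # With user-installed CAs trusted, TLS no longer proves the server's identity.
        if any(c.get("src") == "user" for c in cfg.iter("certificates")):
            findings.append(f"{cfg.tag}: user-installed CAs trusted")
    return findings
```

Both functions return an empty list for a configuration that forbids cleartext and trusts only system CAs, so they can run as a pre-release gate on a build's extracted config files.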
Our experts studied the most popular mobile online dating apps (Tinder, Bumble, OkCupid, Badoo, Mamba, Zoosk, Happn, WeChat, Paktor), and identified the main threats for users.
We informed the developers in advance about all the vulnerabilities detected, and by the time this text was released some had already been fixed, and others were slated for correction in the near future.
If someone wants to know your whereabouts, six of the nine apps will lend a hand.
Only OkCupid, Bumble, and Badoo keep user location data under lock and key.