Security experts have demonstrated an exploit in Grindr that allows people’s exact location to be determined – even if they have ‘location privacy’ on.
In 2014, web security tipsters first went public with fears that anti-LGBT governments or vigilantes could exploit the hook-up app to find men’s exact locations – after it saw a boom in popularity around the world.
As the app shows the precise distance between two users by default, any stationary app user with location enabled can be easily triangulated using simple school-level maths – a calculation so simple it can be done with a physical map, compass and ruler.
Grindr now allows men to lock down location data and employs countermeasures in some countries to ensure men’s privacy; but in a paper this week, security experts at Kyoto University warned an enhanced version of the exploit means that even ‘private’ profiles can be tracked down to within a few metres.
From Kyoto, researcher Nguyen Phong Hoang demonstrated the process by tracking down a Wired journalist on the app in New York – proving that locations can be tracked down even when men enable the privacy setting meant to hide them.
The journalist noted: “Within fifteen minutes, [Hoang] had identified the intersection where I live. Ten minutes after that, he sent me a screenshot from Google Maps, showing a thin arc shape on top of my building, just a couple of yards wide… the outline fell directly on the part of my apartment where I sat on the couch talking to him.”
The researchers outlined a “threat model that current approaches like location anonymization implemented by disabling the ‘show distance’ function still cannot effectively counter to” – in which the attacker spoofs their own location and uses a program to identify relative distances from users, even when some have their locations hidden.
The paper demonstrates their method can be used to build a map of users, and can also breach other location-based hook-up apps including Jack’d and Hornet – though Hornet employs some more stringent safeguards that weaken the exploit.
Due to the location-based nature of the apps, it is near-impossible to eradicate all forms of location attacks without removing location functionality entirely.
The paper also details further exploits in Jack’d – which could even be used to obtain private sexual pictures that men trade via the app.
It warns: “For Jack’d, it is very careless in handling its user’s private photos, because even when a photo is sent in a private message, Jack’d does not use any secure connection to protect the photo. Instead, Jack’d sends it via HTTP which is an unsecure transmission protocol”.
The study authors wrote: “Through this study, we would like to particularly alert the users of Grindr, Jack’d, and Hornet as well as the users of other LBS [Location Based Service] in general about the risk of being located easily regardless of whether the recent location anonymization and location obfuscation approaches have been adopted.
“By investigating these three applications, we found a paradox that although there have been many attack models proposed by the privacy-preserving researchers, the user’s location privacy has not been seriously taken into consideration by the LBS provider and the user themselves.
“As far as we are concerned, the reason of this negligence derives from both sides. From the viewpoint of the LBS provider, it might cause overhead to implement those sophisticated solutions proposed by the research community, while the utility of the application is not really guaranteed, thus probably lead to the loss of its customer.”
Ending with advice to men who want to use the apps but don’t want to be trackable, they added: “We suggest that the user should take a step ahead to protect their own privacy from those vulnerabilities mentioned in this study. That is to use Fake-GPS applications like the one that we use in this study (probably also used by most of the adversaries) to hide the real location to an acceptable extent.”
The paper continues: “The user should not register account to those highly sensitive applications under his real name or even a part of his real name.
“Instead, the user should use information that could not be used to link the account with his real-life personally identifiable information.”