Researchers analyzed 15 popular location-based dating (LBD) apps to assess user privacy risks, finding that these apps expose a large amount of personal data, including sensitive information like sexual orientation, through both the user interface and API traffic leaks.
They recommend that LBD apps give users more control over data sharing and improve API security to mitigate these privacy risks. They also responsibly disclosed their findings to the app vendors, leading to improvements in user privacy.
To find privacy leaks in location-based dating (LBD) apps, the researchers selected popular LBD apps from the Google Play Store and crawled metadata, descriptions, and ranking information.
The analysis aimed to identify what private information an adversary can learn about other users. The adversary is assumed to be a regular user who can access information through the app interfaces and network traffic.
Three levels of technical sophistication for the adversary were considered: observing the user interface, inspecting network traffic, and modifying network traffic. The authors created multiple accounts on the apps to collect data while mimicking real user behavior and respecting ethical considerations.
They disclosed their research purpose and avoided interacting with real users. The study focused on data leakage through the app interfaces and did not involve social network analysis or privacy leaks due to user-uploaded content.
Stricter requirements like mandatory phone number verification and face verification make it harder for anonymous users to stay hidden (institutional privacy) and avoid detection by other users (social privacy).
The same requirements can also expose the personal data of legitimate users. For example, all apps require a profile photo, and some even require face verification, which can be bypassed by uploading a fake photo. Overall, the level of anonymity an adversary can achieve varies depending on the specific LBD app.
The authors examine three categories of data exposure: UI exposure (data revealed in the user interface), traffic leaks (data revealed in network traffic), and exfiltration leaks (data extracted by the adversary through manipulating app functionalities).
The analysis involves examining app functionalities, capturing network traffic, crafting requests to extract additional data, and assessing the leakage of EXIF data embedded in uploaded photos.
The paper investigates privacy leaks in location-based dating (LBD) apps as well as the privacy policies of 15 LBD apps. It finds that most apps collect user data, including location data and some sensitive data, and may leak that data through insecure APIs.
The authors recommend that LBD apps harden their APIs, implement location cloaking techniques, and increase friction for data gathering by adversaries. They also hold that LBD apps should give users more control over what data they share with others.
The authors made a responsible disclosure of their findings to the developers of the 15 applications, and nine of those developers acknowledged receiving the findings and implemented fixes.
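One way to implement the location cloaking recommended above, as an added example that is not code from the paper or from any of the apps: both users are snapped to a grid cell and the API reports distance only in coarse buckets. Grid snapping is an assumed choice of technique (the page does not say which one the authors propose), and the cell size, bucket size, function names and coordinates are constructed for illustration.

```python
import math

CELL_DEG = 0.01            # assumed grid size, about 1.1 km of latitude
BUCKET_KM = 1.0            # assumed granularity of distances sent to clients
EARTH_RADIUS_KM = 6371.0088


def snap(lat, lon, cell=CELL_DEG):
    """Replace a coordinate with the centre of the grid cell containing it."""
    return ((math.floor(lat / cell) + 0.5) * cell,
            (math.floor(lon / cell) + 0.5) * cell)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def cloaked_distance_km(viewer, target):
    """Distance the API returns: snapped endpoints, rounded up to a bucket."""
    d = haversine_km(snap(*viewer), snap(*target))
    # Same-cell pairs report the smallest bucket instead of 0 km.
    return max(1, math.ceil(d / BUCKET_KM)) * BUCKET_KM


def responses(target, probes):
    """What an observer querying from each probe point sees for one target."""
    return [cloaked_distance_km(p, target) for p in probes]


# Constructed sample data: two true positions roughly 600 m apart that fall
# in the same grid cell, and three observer positions around them.
TARGET_A = (52.5203, 13.4041)
TARGET_B = (52.5251, 13.4089)
PROBES = [(52.5012, 13.3821), (52.5534, 13.4017), (52.5188, 13.4526)]

if __name__ == "__main__":
    raw = [round(haversine_km(p, TARGET_A) - haversine_km(p, TARGET_B), 3)
           for p in PROBES]
    print("raw distance differences (km):", raw)
    print("cloaked, target A:", responses(TARGET_A, PROBES))
    print("cloaked, target B:", responses(TARGET_B, PROBES))
```

Because the two targets return identical answers from every probe point, repeated distance queries cannot place a user more precisely than one grid cell, whereas the raw distances differ at each probe.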