Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes

Thanks to Tinder's patchwork use of HTTPS, researchers found they could reconstruct someone's entire experience in the app.
[Illustration: Mai Schotz]

In 2018, you'd be forgiven for assuming that any sensitive app encrypts its connection from your phone to the cloud, so that the stranger two tables away at the coffee shop can't pull your secrets off the local Wi-Fi. That goes double for apps as personal as online dating services. But if you assumed that basic privacy protection was in place for the world's most popular dating app, you'd be mistaken: As one application security company has found, Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops.

On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder's apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.

"We can simulate exactly what the user sees on his or her screen," says Erez Yalon, Checkmarx's manager of application security research. "You know everything: What they’re doing, what their sexual preferences are, a lot of information."

To demonstrate Tinder's vulnerabilities, Checkmarx built a piece of proof-of-concept software they call TinderDrift. Run it on a laptop connected to any Wi-Fi network where other connected users are tindering, and it automatically reconstructs their entire session.

To fix its vulnerabilities, Checkmarx says Tinder should not only encrypt photos, but also "pad" the other commands in its app, adding noise so that every command appears to be the same size, or so that the real commands are indecipherable amid a random stream of data. Until the company takes those steps, it's worth keeping in mind: any tindering you do could be just as public as the public Wi-Fi you're connected to.
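The size side channel and the padding fix can be shown in a few lines. The following is an added model written for this page; it is not Checkmarx's TinderDrift or any Tinder code, and the three request bodies, the 16-byte tag and the 256-byte bucket are constructed assumptions. A length-preserving cipher (modelled here as XOR with a fresh random keystream, the way a TLS AEAD record behaves) hides what a message says but not how long it is, so an observer who has seen one sample of each action can label every later message by size alone; padding each message up to a fixed bucket before encryption collapses the three actions into one indistinguishable length.

```python
"""Length-based traffic analysis versus padding: a worked model of why
HTTPS alone does not hide which command a user just sent."""
import secrets
from collections import defaultdict
from typing import Callable, Dict, List, Set

# Constructed sample request bodies for the three actions the article names.
# They are placeholders for illustration, not Tinder's real API messages.
ACTIONS: Dict[str, bytes] = {
    "swipe_left":  b'{"action":"dislike","target_id":"00000000"}',
    "swipe_right": b'{"action":"like","target_id":"00000000"}',
    "match":       b'{"event":"match","pair":["00000000","00000000"],"ts":0}',
}

TAG_LEN = 16   # assumed fixed authentication-tag size, as a TLS record would carry
BUCKET = 256   # assumed padding granularity: every message is rounded up to this size


def encrypt(plaintext: bytes) -> bytes:
    """Model of a length-preserving AEAD: content is hidden behind a fresh random
    keystream, but ciphertext length == plaintext length + a fixed tag."""
    keystream = secrets.token_bytes(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream)) + b"\x00" * TAG_LEN


def pad(plaintext: bytes, bucket: int = BUCKET) -> bytes:
    """Reversible padding: 2-byte length prefix, then random filler up to the next
    bucket boundary, so every message shorter than bucket-2 bytes has one size."""
    if len(plaintext) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(plaintext).to_bytes(2, "big") + plaintext
    return body + secrets.token_bytes((-len(body)) % bucket)


def unpad(padded_msg: bytes) -> bytes:
    """Strip the padding added by pad(); the receiver only needs the length prefix."""
    n = int.from_bytes(padded_msg[:2], "big")
    return padded_msg[2:2 + n]


def fingerprint(pipeline: Callable[[bytes], bytes]) -> Dict[int, Set[str]]:
    """What a passive observer learns by pushing each known action through the same
    pipeline and noting the ciphertext size: {observed_length: candidate actions}."""
    table: Dict[int, Set[str]] = defaultdict(set)
    for name, msg in ACTIONS.items():
        table[len(pipeline(msg))].add(name)
    return dict(table)


def observe(session: List[str], pipeline: Callable[[bytes], bytes]) -> List[List[str]]:
    """Replay a session through the pipeline and return, per message, the actions an
    observer who sees only ciphertext lengths cannot rule out."""
    table = fingerprint(pipeline)
    return [sorted(table[len(pipeline(ACTIONS[a]))]) for a in session]


def unpadded(msg: bytes) -> bytes:
    """Encrypt without padding: sizes leak."""
    return encrypt(msg)


def padded(msg: bytes) -> bytes:
    """Pad to a fixed bucket, then encrypt: sizes no longer distinguish actions."""
    return encrypt(pad(msg))


if __name__ == "__main__":
    session = ["swipe_left", "swipe_right", "swipe_right", "match"]
    print("encrypted only    :", observe(session, unpadded))
    print("padded + encrypted:", observe(session, padded))
```

Bucketing hides the size of each message but still reveals how many messages were sent and when; that residual leak is what the article's second suggestion, burying real commands in a random stream of data, is meant to address. Padding like this belongs at the application layer, before the data reaches the TLS stack, since the app is the only party that knows which messages need to look alike.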

HTTPS All of the Things