Using network interception or just traffic logging, an attacker, state, or your employer can look over your shoulder at the images that pop up inside the popular “nearby gay man finder” app. The profile photos on the gay dating app reveal more data than one might think.
Grindr presents nearby users who have the app open at the same time as a grid of profile photos. These profile images are requested from Grindr’s server in order of proximity to the user. Since the local user is always the nearest, the user’s own profile photo is always downloaded first when the app launches, revealing the user’s face and appearance; it is immediately followed by the picture of every other user who has the app open in the local area. Because the order of the requested images implies distance, it is even theoretically possible to triangulate the user’s rough physical location if you know where one or more of the other men are physically located. (All of this is of course more easily accomplished by simply registering an account with the app and opening it like a normal user.)
On a small scale, such as a corporate, café, or airport network, this can be used to reveal any gay man nearby. On a wider scale, say a nation state that is unfriendly to gay individuals, like Russia or Egypt (both of which, to varying degrees, also have state-run Internet service provider monopolies), this can be used to profile and identify every user of the app. Ever wondered how the government built its list of gay people in England in the 2005 dystopian thriller “V for Vendetta”? The approach outlined above would be a most effective means of gathering such a list (mobile cell tower triangulation data, IP addresses, and access times would all be available to a nefarious state actor).
The app also reveals which other users a user finds most interesting. Clicking through to another user’s profile sends a slightly differently formatted request for a larger version of that profile picture. Users might want to keep their exact preferences in men to themselves, but Grindr is leaking that information to anyone with network-capturing abilities.
Below are some examples of unencrypted data downloaded by the Grindr app that can be captured on the local network or as it passes through the wider Internet. Each of the URLs refers to an image that can be opened by anyone who intercepts the addresses:
Intercepting these addresses on a network also implies that the user’s IP address was available for capture at the same time. This is exactly the kind of in-the-clear communication that can be intercepted, and it helps explain the quote below from Edward Snowden on the US government’s data collection capabilities.
Another interesting thing I observed is that photos users exchange in private chats are not deleted from Grindr’s servers even after being deleted from both the sender’s and recipient’s accounts. These privately exchanged images — ehm, dick pics — are also of the sort users would most care about being stolen. During my three-month testing period, I found that images that were deleted were still publicly accessible using the same image URLs three months after deletion.
Here are some simple measures Grindr should take to improve security and preserve their users’ privacy:
- Actually delete old photos or at least make them unavailable online
- Enable HTTPS encryption on their image server
- Stop using static, never-changing URLs for images
- Add some randomness to the fetch order for images instead of always loading nearest people first
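As an added illustration of the last three measures (and of making deleted photos unavailable), here is example code that is not Grindr’s or Akamai’s: image URLs are issued over HTTPS with an HMAC signature and a short expiry, the server refuses expired, tampered, cleartext, or deleted-image URLs, and the grid fetch order is shuffled so the request sequence no longer encodes distance. The signing key, host name, and the in-memory deleted-image set are placeholders assumed for the example.

```python
import hashlib
import hmac
import random
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side secret and host; both are placeholders, not Grindr's or Akamai's.
SIGNING_KEY = b"placeholder-key-rotate-and-keep-in-a-secret-store"
IMAGE_HOST = "https://images.example.invalid"
DELETED_IMAGE_IDS = set()  # stand-in for the "has this photo been deleted?" lookup


def _mac(path, expires):
    """HMAC over path and expiry, so neither can be changed without the key."""
    return hmac.new(SIGNING_KEY, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()


def sign_image_url(image_id, ttl_seconds=300, now=None):
    """Issue a short-lived HTTPS URL; a captured copy stops working after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    path = f"/img/{image_id}"
    return f"{IMAGE_HOST}{path}?{urlencode({'exp': expires, 'sig': _mac(path, expires)})}"


def mark_deleted(image_id):
    """Called when a user deletes a photo: existing URLs for it must stop resolving."""
    DELETED_IMAGE_IDS.add(image_id)


def verify_image_url(url, now=None):
    """Server-side check before serving: HTTPS only, unexpired, untampered, not deleted."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    params = parse_qs(parsed.query)
    try:
        expires, sig = int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now >= expires or parsed.path.rsplit("/", 1)[-1] in DELETED_IMAGE_IDS:
        return False
    return hmac.compare_digest(sig, _mac(parsed.path, expires))


def fetch_order(local_user, nearby_users, seed=None):
    """Shuffle the grid fetch order (nearest-first input) and never fetch the local user's own photo first."""
    rng = random.Random(seed)
    others = list(nearby_users)
    rng.shuffle(others)
    slot = rng.randint(1, len(others)) if others else 0
    return others[:slot] + [local_user] + others[slot:]
```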
Grindr’s image server (cdns.grindr.com) is provided by the content delivery network Akamai Technologies, Inc. When asked, Akamai was completely uninterested in divulging any pricing information on how much it would cost to move a static image resource service like the one Grindr uses from HTTP to HTTPS. It probably wouldn’t be cheap, but then cost isn’t the priority for companies that choose Akamai’s services.
Tested on Grindr for Android version 2.2.8 and Grindr for iOS version 2.2.4 between 2015-05-24 and 2015-09-08. Grindr LLC didn’t respond to requests for comment.