Naked Security Naked Security

Years on, third party apps still exposing Grindr users’ locations

A third party app can use Grindr’s distance data to pinpoint a users location down to a room within a house.

Grindr, the premium gay dating app, is exposing the precise location of its more than 3.6 million active users, in addition to their body types, sexual preferences, relationship status, and HIV status…
…Still.
On Thursday, the gay community blog Queer Europe reported that after five years of controversy over the app’s oversharing of highly personal data – data that can put gay men at risk of being stalked or arrested and imprisoned by repressive governments – anybody can still obtain exact locations of millions of cruising men, in spite of what Grindr has recently claimed.
Grindr itself isn’t giving away that information. Rather, it’s coming from a free, third-party app – “Fuckr” – that’s built on top of its API, without Grindr’s permission.
GitHub has been hosting Fuckr’s repository since it was released in 2015. Shortly after Queer Europe’s post, GitHub shut it down, citing the unauthorized access to Grindr’s API as the reason.
But neutering Fuckr didn’t negate the threat: as BuzzFeed News reported, as of Friday morning, there were still dozens of live forks – in other words, tweaks of the original app – out there:


Queer Europe also confirmed to BuzzFeed News that the Fuckr app is still working just fine, meaning that it can still make requests for up to 600 Grindr users’ locations at a time.
Fuckr locates Grindr users via a technique called trilateration: a mathematical way to determine the true position of a point by measuring the distance between a user and three or more different places near them.
Although Grindr isn’t deliberately exposing users’ locations, it hasn’t done much to keep them from being sucked up and misused by apps such as Fuckr. As far back as 2014, security researcher Patrick Wardle has cited Grindr as a case study in how location-aware apps can go wrong.
At the time, there were unconfirmed reports of gay individuals being identified by the Egyptian police using an information disclosure vulnerability found in Grindr that gave away any user’s location.
Grindr shares location-based data about users down to what Wardle called an “incredible high level of accuracy” – as in, accuracy that pinpoints someone within less than a foot.
In March, Grindr released a statement in which it claimed that malicious parties can’t obtain information transmitted via its app, given that it uses certificate pinning and encrypted communications.

“A square on an atlas”

Also, it said, it doesn’t give away exact user locations – rather, it’s “more akin to a square on an atlas – not exactly where you are.” It also turned off general location data in countries like Egypt, it said (though Queer Europe notes that it wasn’t turned off in many countries that heavily repress LGBTQ+ people, including Algeria, Turkey, Belarus, Ethiopia, Qatar, Abu Dhabi, Oman, Azerbaijan, China, Malaysia and Indonesia).
Any user, or anonymous attacker, can directly query the server to gain access to a user’s location data. Moreover, by spoofing locations, an attacker can gather information about any and all users in any location, Wardle said back in 2014. Little has changed, says Queer Europe.
What’s more, a “square on an atlas” turns out to be a lot more precise of a pinpoint than you’d want if you had reasons to keep your location from being revealed. From Queer Europe, which tested out Fuckr:

With the use of trilateration, I was able to locate users with a deviation of five to ten meters. But it was also possible to locate users even more accurately, by comparing the outcomes of several trilateration sessions. By doing so, and within a few seconds, I was able to locate cruising men with an accuracy of two to five meters, which is very precise, and accurate enough to determine in which house and room users are located. The reason why these locations can be determined so precisely, is that Grindr uses a geohash4 of 12 characters to locate users, which equals to a ‘square on an atlas‘ of 37×18 centimeters.

That finding was backed up by Robbie Techie: the user name of one of the developers who worked on Fuckr. He Tweeted this response to Grindr’s statement:
https://twitter.com/RobbieTechie/status/980342300973953024
Grindr president Scott Chen told BuzzFeed News that the app’s geolocation feature is “core to our platform and user experience,” but also acknowledged that “there are inherent challenges in the use of any app that utilizes or relies upon location information.”
He also stuck to the company’s assertion that the app isn’t pinpointing users’ locations:

We currently utilize a geohash system, which approximates, rather than ‘pinpoints,’ all location information.

Grindr will “continue trying to evolve and improve our platform,” he said, without going into details.
The author of the Queer Europe post, who asked BuzzFeed News to identify him only as S.P., got a friend’s permission to track him on a Saturday night. Using Fuckr, S.P. tracked his friend to the specific restaurants he ate in, cafes he drank at, nightclubs where he went dancing, the gay sauna he visited at 1 a.m., and the stranger’s house he wound up in at 3 a.m.
What S.P. told BuzzFeed News:

I was shocked by the accuracy with which I could follow and track his movements.

From S.P.’s article:

By making it so easy to track individuals with precision, Grindr makes its users extremely vulnerable to harassment and stalking.

S.P. also turned Fuckr on himself. It tracked him to the precise corner of his garden where he was sitting at the time.
There are simple means through which Grindr could protect users. Human rights advocacy group Article 19 says that one way would be for Grindr to show a less precise distance for users, inverse to a region’s population density. Figuring out an area’s population density might be tough for Grindr’s servers to discern, though, according to Article 19 security researcher Norman Shamas.


Another method would be to show users’ locations with far less precision, as Tinder did in 2014 after research showed that precise location data – as in, latitude and longitude – could be exploited.
But to date, the app hasn’t done any of that: likely because when it comes to dating apps, user tracking is as much an appealing feature as it is an inherently risky one.