The great location leak: Privacy risks in dating apps
In today’s digital age, geolocation features in many apps offer undeniable convenience. Just before writing this blog, I needed to locate some materials for a DIY project, and using the ‘click and collect’ feature I immediately established the closest store that has stock.
However, in the case of social media, dating apps, gaming, and many other online services, we may be willing to share our general location but likely want to avoid sharing our exact location.
A research team from Belgium demonstrated at Black Hat USA last week how location data was being inadvertently leaked by some dating apps, and in this scenario sharing location could clearly be problematic.
Before you stop reading this blog and rush to delete a profile or remove apps, note that the researchers responsibly disclosed the issue to the numerous dating apps concerned and the issue has been resolved. That said, it’s a chilling reminder of how your seemingly harmless habits might put your privacy at risk.
The dark side of location sharing
When we allow an app to use our location, such as in a dating app, it’s reasonable to assume that the location is generalized, for example – ‘located in Tampa 23 miles away’. With a population of around 400,000, pinpointing someone's exact location should feel like finding a needle in a haystack – or so we think.
However, the presenters demonstrated how to take the ‘X miles away’ data to triangulate an exact location. Select a target profile, and then draw a circle with your location in the center, out to the distance of 23 miles – this provides a starting point. Now spoof your location to be in another location and repeat the process, and you have two circles that overlap at some point. Spoof to a third location and repeat, and the three circles meet at a specific point. We now have the exact location without the profile owner being aware that we know it. Scary stuff!
The same technique can be used when location boundaries are set; for example, show me ‘all profiles 5 miles away’. Repeat the process above and the location of a profile can be identified. Only apps or services that use the exact location have this issue. If the location is rounded to being within, for example, a mile, then the exact location cannot be identified using this method.
The researchers examined 15 dating apps for privacy issues, such as the one described above, while also looking at their API interfaces, privacy policies and other data. Their research, which is detailed in this white paper, looked specifically at dating apps, but location is used by many services and apps in the same way. For example, in gaming apps, you may wish to find other players of the same game that are near you.
Highlighting the issue using dating apps as the example makes for eye-catching headlines, as we all understand the issue of stalkers and predators that may be using those platforms. However, it’s important that all apps and services revisit their use of location to ensure that they are obscuring enough of the location data to make someone’s precise location impossible to calculate.
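For app developers, the rounding described above can be applied on the server before any distance is calculated. The following is an added example, not code from the researchers or from any app: the function names, the 1.6 km (roughly one mile) cell size and all coordinates are assumptions made up for illustration. It shows that two different true positions inside the same grid cell produce identical distance readings from every viewer location, so the readings carry no information finer than the cell.

```python
import math

EARTH_RADIUS_KM = 6371.0088
KM_PER_DEG_LAT = 111.32  # approximation, adequate for coarsening

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def snap_to_grid(point, cell_km=1.6):
    """Replace a precise position with the centre of its grid cell.

    Assumes mid-latitudes; the cos() term degenerates near the poles.
    """
    lat, lon = point
    lat_step = cell_km / KM_PER_DEG_LAT
    snapped_lat = (math.floor(lat / lat_step) + 0.5) * lat_step
    # Longitude degrees shrink with latitude. Derive the step from the snapped
    # latitude so every point in the same row uses the same column width.
    lon_step = lat_step / math.cos(math.radians(snapped_lat))
    snapped_lon = (math.floor(lon / lon_step) + 0.5) * lon_step
    return (snapped_lat, snapped_lon)

def reported_distance_km(viewer, target, cell_km=1.6):
    """Distance shown to a viewer, computed only from the coarsened target.

    The coordinates are coarsened before the distance is computed, so the
    output never depends on where inside the cell the target really is.
    """
    return round(haversine_km(viewer, snap_to_grid(target, cell_km)))

# Constructed sample data: three viewer positions and two target positions
# about 1 km apart that fall inside the same grid cell.
VIEWERS = [(28.30, -82.10), (27.60, -82.90), (28.10, -82.95)]
TARGET_A = (27.944, -82.465)
TARGET_B = (27.953, -82.470)

def probe(target):
    """Distances each constructed viewer would be shown for this target."""
    return [reported_distance_km(v, target) for v in VIEWERS]

if __name__ == "__main__":
    print("readings for A:", probe(TARGET_A))
    print("readings for B:", probe(TARGET_B))
```

The precise coordinates should never reach the distance calculation or the API response; only the snapped value is stored for matching.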
Keeping your location private
So, what can you do to protect yourself? The good news is that you can take steps to mitigate the issue and limit how precisely your location is shared.
When an app requests your permission to use location on install, you can later change the permission to disable precise location sharing. On iOS this uses a location to within three kilometers of your precise location, which is enough variance to stop someone triangulating your position as described above.
On Apple devices, go to ‘Settings’, ‘Privacy & Security’ and then to ‘Location Services’ – each app and its corresponding permission can be displayed and edited as needed.
If you use an Android device, tap and hold the app icon; under ‘App info’ there is ‘Permissions’, including ‘Location’, where you can select the appropriate option.
source: WeLiveSecurity