In 2018, you'd be forgiven for assuming that any sensitive app encrypts its connection from your phone to the cloud, so that the stranger two tables away at the coffee shop can't pull your secrets off the local Wi-Fi. That goes double for apps as personal as online dating services. But if you assumed that basic privacy protection for the world's most popular dating app, you'd be mistaken: As one application security company has found, Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops.

On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder's apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.

View more

"We can simulate exactly what the user sees on his or her screen," says Erez Yalon, Checkmarx's manager of application security research. "You know everything: What they’re doing, what their sexual preferences are, a lot of information."

To demonstrate Tinder's vulnerabilities, Checkmarx built a piece of proof-of-concept software they call TinderDrift. Run it on a laptop connected to any Wi-Fi network where other connected users are tindering, and it automatically reconstructs their entire session.

[#video: https://www.youtube.com/embed/ZBTL1bmJ9o8

The central vulnerability TinderDrift exploits is Tinder's surprising lack of HTTPS encryption. The app instead transmits pictures to and from the phone over unprotected HTTP, making it relatively easy to intercept by anyone on the network. But the researchers used a few additional tricks to pull information out of the data Tinder does encrypt.

They found that different events in the app produced different patterns of bytes that were still recognizable, even in their encrypted form. Tinder represents a swipe left to reject a potential date, for instance, in 278 bytes. A swipe right is represented as 374 bytes, and a match rings up at 581. Combining that trick with its intercepted photos, TinderDrift can even label photos as approved, rejected, or matched in real time. "It's the combination of two simple vulnerabilities that create a major privacy issue," Yalon says. (Fortunately, the researchers say their technique doesn't expose messages Tinder users send to each other after they've matched.)

Checkmarx says it notified Tinder about its findings in November, but the company has yet to fix the problems.

'You know everything: What they’re doing, what their sexual preferences are, a lot of information.' Erez Yalon, Checkmarx

In a statement to WIRED, a Tinder spokesperson wrote that "like every other technology company, we are constantly improving our defenses in the battle against malicious hackers," and pointed out that Tinder profile photos are public to begin with. (Though user interactions with those photos, like swipes and matches, are not.) The spokesperson added that the web-based version of Tinder is in fact HTTPS-encrypted, with plans to offer those protections more broadly. "We are working towards encrypting images on our app experience as well," the spokesperson said. "However, we do not go into any further detail on the specific security tools we use, or enhancements we may implement to avoid tipping off would be hackers."

For years, HTTPS has been a standard protection for just about any app or website that cares about your privacy. The dangers of skipping HTTPS protections were illustrated as early as 2010, when a proof-of-concept Firefox add-on called Firesheep, which allowed anyone to siphon unencrypted traffic off their local network, circulated online. Practically every major tech firm has since implemented HTTPS—except, apparently, Tinder. While encryption can in some cases add to performance costs, modern servers and phones can easily handle that overhead, the Checkmarx researchers argue. "There's really no excuse for using HTTP these days," says Yalon.

To fix its vulnerabilities, Checkmarx says Tinder should not only encrypt photos, but also "pad" the other commands in its app, adding noise so that each command appears as the same size or so that they're indecipherable amid a random stream of data. Until the company takes those steps, it's worth keeping in mind: any tindering you do could be just as public as the public Wi-Fi you're connected to.

HTTPS All of the Things