A few days ago, I warned my wife that the experiment I was about to engage in was entirely non-sexual, lest she glance over my shoulder at my iPhone. Then I installed the gay hookup app Grindr. I set my profile photo as a cat, and carefully turned off the "show distance" feature in the app's privacy settings, an option meant to hide my location. A minute later I called Nguyen Phong Hoang, a computer security researcher in Kyoto, Japan, and told him the general neighborhood where I live in Brooklyn. For anyone in that neighborhood, my cat photo would appear on their Grindr screen as one among hundreds of avatars for men in my area seeking a date or a casual encounter.

Within fifteen minutes, Hoang had identified the intersection where I live. Ten minutes after that, he sent me a screenshot from Google Maps, showing a thin arc shape on top of my building, just a couple of yards wide. "I think this is your location?" he asked. In fact, the outline fell directly on the part of my apartment where I sat on the couch talking to him.

Hoang says his Grindr-stalking method is cheap, reliable, and works with other gay dating apps like Hornet and Jack'd, too. (He went on to demonstrate as much with my test accounts on those competing services.) In a paper published last week in the computer science journal Transactions on Advanced Communications Technology, Hoang and two other researchers at Kyoto University describe how they can track the phone of anyone who runs those apps, pinpointing their location down to a few feet. And unlike previous methods of tracking those apps, the researchers say their method works even when someone takes the precaution of obscuring their location in the apps’ settings. That added degree of invasion means that even particularly privacy-oriented gay daters—which could include anyone who perhaps hasn't come out publicly as LGBT or who lives in a repressive, homophobic regime—can be unwittingly targeted. "You can easily pinpoint and reveal a person," says Hoang. "In the US that's not a problem [for some users,] but in Islamic countries or in Russia, it can be very serious that their information is leaked like that."

A New Twist

A map showing a basic trilateration attack, in which learning the distance from three points to a target allows the victim "V" to be pinpointed.

The Kyoto researchers’ method is a new twist on an old privacy problem for Grindr and its more than ten million users: what’s known as trilateration. If Grindr or a similar app tells you how far away someone is—even if it doesn’t tell you in which direction—you can determine their exact location by combining the distance measurement from three points surrounding them, as shown in the the image at right.

In late 2014, Grindr responded to security researchers who pointed out that risk by offering an option to turn off the app’s distance-measuring feature, and disabling it by default in countries known to have “a history of violence against the gay community,” like Russia, Egypt, Saudi Arabia and Sudan. Hornet and Jack’d have options to obscure the exact distance between users’ phones, adding noise to obscure that trilateration attack.

The lingering issue, however, remains: All three apps still show photos of nearby users in order of proximity. And that ordering allows what the Kyoto researchers call a colluding trilateration attack. That trick works by creating two fake accounts under the control of the researchers. In the Kyoto researchers' testing, they hosted each account on a virtualized computer—a simulated smartphone actually running on a Kyoto University server—that spoofed the GPS of those colluding accounts’ owners. But the trick can be done almost as easily with Android devices running GPS spoofing software like Fake GPS. (That's the simpler but slightly less efficient method Hoang used to pinpoint my location.)

To respond to Grindr's obscuring of the exact distance between some users, the Kyoto researchers' used a "colluding" trilateration attack. They spoofed the location of accounts under their control and placed those fake users in positions that reveal narrow bands in which the victim "V" must be located.

By adjusting the spoofed location of those two fake users, the researchers can eventually position them so that they’re slightly closer and slightly further away from the attacker in Grindr's proximity list. Each pair of fake users sandwiching the target reveals a narrow circular band in which the target can be located. Overlap three of those bands—just as in the older trilateration attack—and the target’s possible location is reduced to a square that’s as small as a few feet across. "You draw six circles, and the intersection of those six circles will be the location of the targeted person," says Hoang.

Grindr's competitors Hornet and Jack'd offer differing degrees of privacy options, but neither is immune from the Kyoto researchers' tricks. Hornet claims to obscure your location, and told the Kyoto researchers that it had implemented new protections to prevent their attack. But after a slightly longer hunting process, Hoang was still able to identify my location. And Jack'd, despite claims to "fuzz" its users' locations, allowed Hoang to find me using the older simple trilateration attack, without even the need to spoof dummy accounts.

In a statement to WIRED responding to the research, a Grindr spokesperson wrote only that "Grindr takes our users safety extremely seriously, as well as their privacy," and that "we are working to develop increased security features for the app.” Hornet chief technology officer Armand du Plessis wrote in a response to the study that the company takes measures to make sure users" exact location remains sufficiently obfuscated to protect the user’s location." Jack'd director of marketing Kevin Letourneau similarly pointed to the company's "fuzzy location" feature as a protection against location tracking. But neither of the companies' obfuscation techniques prevented Hoang from tracking WIRED's test accounts. Jack'd exec Letourneau added that "We encourage our members to take all necessary precautions with the information they choose to display on their profiles and properly vet people before meeting in public."1

Hoang advises that people who truly want to protect their privacy take pains to hide their location on their own.

The Kyoto researchers' paper has only limited suggestions about how to solve the location problem. They suggest that the apps could further obscure people's locations, but acknowledge that the companies would hesitate to make that switch for fear of making the apps far less useful. Hoang advises that people who truly want to protect their privacy take pains to hide their location on their own, going so far as to run Grindr and similar apps only from an Android device or a jailbroken iPhone with GPS spoofing software. As Jack'd notes, people can also avoid posting their faces to the dating apps. (Most Grindr users do show their faces, but not their name.) But even then, Hoang points out that continually tracking someone's location can often reveal their identity based on their address or workplace.

Even beyond location leaks, the Kyoto researchers found other security problems in the apps, too. Grindr and Jack'd both fail to encrypt data that reveals the user is running the app by name, leaving that sensitive data open to any snoop on the same Wi-Fi network. Grindr, according to their paper, fails to even encrypt the photos it transmits to and from phones.

All these bugs and leaks, Hoang says, likely aren't limited to gay dating apps. The location tracking attack in particular would seem to work with any app that lists users' locations in order of proximity. Tinder also tracks users' locations, for instance, though the one-photo-at-a-time interface it shows daters instead of Grindr's page full of ordered pictures makes a colluding trilateration attack more difficult, Hoang says.

But Hoang says the Kyoto team focused on gay dating apps in part because of the vulnerability of the LGBT population to online surveillance. Their paper points to Syrian gay men lured into "dates" by members of ISIS, who are then arrested and stoned to death. In Russia, too, gay men have similarly been trapped and beaten by thugs in countless incidents. For the global LGBT community, they write, it's no hyperbole to state, as Apple's openly gay CEO Tim Cook did last year, that "privacy is a matter of life and death."

1Correction 5/20/2016 10:00am: An earlier version of the story didn't include a response from Hornet, and misattributed a Jack'd privacy feature to Hornet.