SINTEF-9012/grindr-privacy-leaks


SVT and SINTEF conducted an experiment on the seventh of February 2018 to analyse privacy leaks in the dating application Grindr. This was carried out for the Swedish TV program « Plus granskar », which you can watch online.

We found that Grindr contains many trackers, and shares personal information with various third parties directly from the application.

Grindr Shares Personal Information With Third-Parties

| Information | Sent to third-parties using unsafe HTTP ⚠ and HTTPS | Sent to third-parties using HTTPS only |
| --- | --- | --- |
| Grindr (App Name) | Adrta, Google, Liftoff, Manage.com, Mobfox, Mopub, OpenX, Smaato | AdColony, Adsafeprotected, Apple, AppsFlyer, Apptimize, Crashlytics, Facebook, Fqtag, Kochava, Localytics, Moatads, TreasureData |
| Precise GPS Position | Adrta, Liftoff, Mopub, Nexage, OpenX | Apptimize, Localytics, Treasure Data |
| Gender | Adrta, Mopub, Smaato | Apptimize, Localytics |
| HIV Status | | Apptimize, Localytics |
| Last Tested Date | | Apptimize, Localytics |
| Email | | Localytics |
| Age | Mopub, Smaato | Apptimize, Localytics |
| Height | | Apptimize, Localytics |
| Weight | | Apptimize, Localytics |
| Body Type | | Apptimize, Localytics |
| Position (sexual) | | Apptimize, Localytics |
| Grindr Profile ID | | AdColony, Apptimize, Crashlytics, Localytics, TreasureData |
| Tribe (Bear, Clean Cut, Daddy, Discreet, Geek, Jock, Leather, Otter, Poz, Rugged, Trans, Unknown) | Mopub | Apptimize, Localytics |
| Looking For (Chat, Dates, Friends, Networking, Relationship, Right Now, Unknown) | Mopub | Apptimize, Localytics |
| Ethnicity | Mopub | Apptimize, Localytics |
| Relationship Status | Mopub | Apptimize, Localytics |
| Phone ID | Liftoff, Adrta, Mopub, Smaato | AdColony, Kochava |
| Advertising ID | Adrta, Liftoff, Mopub, Nexage, OpenX, Smaato | AdColony, Adsafeprotected, AppsFlyer, Apptimize, Facebook, Fqtag, Localytics, Maxads, TreasureData |
| Phone Characteristics | Adrta, Liftoff, Mopub, OpenX, Smaato | AdColony, AppsFlyer, Apptimize, Facebook, Maxads, TreasureData |
| Language | Liftoff, Mopub, Nexage, Smaato | AdColony, AppsFlyer, Apptimize, Facebook, Maxads, TreasureData |
| Job | | App-measurement, Apptimize, Facebook, TreasureData |
| Photos | | |
| Messages content | | |


Grindr Shares Personal Information Including HIV Status With Apptimize And Localytics

It is unnecessary for Grindr to track its users' HIV status using third-party services. Moreover, these third parties are not necessarily certified to host medical data, and Grindr's users may not be aware that they are sharing such data with them.

Grindr Shares Personal Information Without Security

Personal information is shared unencrypted, allowing people, companies, or governments listening on a network to discover who is using Grindr, where they are precisely located during a day, what they look like, what they like, what they browse… By sharing such information in an unsafe way, Grindr is exposing its users.

Grindr Contains Trackers

By decompiling the Grindr Android application, we found tracking software, notably Facebook, Smaato or Localytics. This is also confirmed by the Exodus project.

Experiment Setup

We installed Grindr on a Samsung Galaxy running Android and on an iPhone running iOS. Two people created a Grindr profile and started dating for a short time.

We analysed the Grindr network traffic using a man-in-the-middle proxy recording HTTP and HTTPS exchanges, with a setup similar to the one described in the paper « Who knows what about me? A survey of behind the scenes personal data sharing to third parties by mobile apps. » (Zang, K., Dummit, J., Graves, P.L. and Latanya, S. – Technology Science (2015)).
We used Wireshark to monitor all TCP/IP traffic, Fiddler to capture HTTP and HTTPS traffic, and APKTool to decompile the Android application.
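
The sketch below is an added example, not code from the SINTEF repository. It shows how exchanges recorded by such a proxy can be reduced to the two columns of the table above, "sent at least once over HTTP" versus "HTTPS only". The host names, profile values, parameter names and capture records are all constructed, and it assumes the auditor knows the values planted in the test profile and that parameters are form-encoded.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed values planted in the test profile; the audit searches for them.
PROFILE = {"GPS position": "59.9139,10.7522", "Age": "31",
           "Advertising ID": "38400000-8cf0-11bd-b23e-10b96e40000d"}
FIRST_PARTY = ("grindr.example",)  # constructed first-party domain

# Constructed capture records: (request URL, request body) exported from the proxy.
FLOWS = [
    ("http://ads.tracker-a.example/req?ifa=38400000-8cf0-11bd-b23e-10b96e40000d"
     "&ll=59.9139,10.7522", ""),
    ("https://ads.tracker-a.example/req?ifa=38400000-8cf0-11bd-b23e-10b96e40000d", ""),
    ("https://api.analytics-b.example/v1/events",
     "age=31&adid=38400000-8cf0-11bd-b23e-10b96e40000d"),
    ("https://api.grindr.example/v3/me", "age=31"),
]

def leaked_fields(url, body):
    """Profile fields whose planted value appears as an exact parameter value."""
    values = {v for _, v in parse_qsl(urlsplit(url).query) + parse_qsl(body)}
    return {name for name, planted in PROFILE.items() if planted in values}

def is_first_party(host):
    # Match on a label boundary so "notgrindr.example" is not treated as first party.
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def classify(flows):
    """Return {field: {"http": [hosts], "https_only": [hosts]}} for third parties."""
    seen = defaultdict(set)  # (field, host) -> set of URL schemes observed
    for url, body in flows:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if is_first_party(host):
            continue
        for field in leaked_fields(url, body):
            seen[(field, host)].add(parts.scheme)
    table = defaultdict(lambda: {"http": set(), "https_only": set()})
    for (field, host), schemes in seen.items():
        # One cleartext request is enough to expose the value on the network.
        table[field]["http" if "http" in schemes else "https_only"].add(host)
    return {f: {k: sorted(v) for k, v in cols.items()} for f, cols in table.items()}

if __name__ == "__main__":
    for field, cols in sorted(classify(FLOWS).items()):
        print(field, cols)
```

Exact value matching keeps short values such as an age from matching unrelated numbers; JSON or binary bodies would need their own decoder before the same comparison.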

Raw Data

You will find this experiment's HTTP and HTTPS raw data in this repository.
