Grindr, the popular gay dating app for men, has reportedly been exposing its users’ locations for years. What’s worse is the developer has known about this for some time, but has done nothing about it.
The app, which has been downloaded more than 10 million times and offers both a free and a paid premium service, was the subject of a post on Queer Europe. They discovered that the app had been exposing the locations of millions of users, using an app called Fuckr, which employs a technique called “trilateration” to find users.
Let’s make this clear, though: Fuckr is in no way related to nor affiliated with Grindr and is built on top of unauthorized access to Grindr’s private API, or “application programming interface,” which basically provides Fuckr with information in Grindr’s database.
Applications designed to locate Grindr users are publicly available online, and give anyone access to a virtual map on which you can travel from city to city, and from country to country, while seeing the exact location of cruising men that share their distance online. pic.twitter.com/0IumD6laAE
— Queer Europe 🏳️🌈 (@QueerEurope) September 13, 2018
Furthermore, it is important to note that Grindr is not deliberately revealing the locations of its users. However, according to security researcher Patrick Wardle and his study into the Dos and Don’ts of Location Aware Apps, the issue basically comes down to the incredibly high level of precision of the distance data Grindr collects and shares, which allows apps like Fuckr to pinpoint users’ whereabouts.
Of course, this isn’t the first time Fuckr has been in trouble. GitHub, which had hosted the Fuckr repository since its release in 2015, disabled public access to the app shortly after the Queer Europe post was published, citing Fuckr’s unauthorised access to the Grindr API. Queer Europe has also confirmed to BuzzFeed that the Fuckr app remains operational and can still make requests for up to 600 Grindr users’ locations at a time.
In a statement to BuzzFeed News, Grindr President and CEO, Scott Chen, stated that the app’s geolocation feature is “core to our platform and user experience,” but also acknowledged that “there are inherent challenges in the use of any app that utilises or relies upon location information.”
“Additionally, we currently utilise a geohash system, which approximates, rather than ‘pinpoints,’ all location information.” He also said that Grindr “will continue trying to evolve and improve our platform,” but did not specify how. Chen gave neither specifics of the improvements the company intends to implement nor a timeline.
So how can you make it harder to track your location through Grindr?
There is no official fix yet coming from the company and this should be a priority for them. However, until then, here is what you can do to reduce the potential for being tracked:
- Don’t use a VPN – I know, it sounds weird, but Article 19’s Rigot and Shamas stated that “A lot of research shows that people are using differing methods to obscure their geo-location, including using a VPN, which doesn’t actually work.”
- Disable Grindr’s “Show Distance” feature. To do this, open the app and go to your profile, then tap the Settings gear (located at the top right of the screen), then scroll down to “Show Distance” and tap the slider to disable it. Doing this will prevent “[x] feet away” from appearing on your profile, and prevent people from locating you through trilateration.
- If you’re somewhere you’d rather not disclose, temporarily turn off Location Services for Grindr. To do this on Android (9.0 and up), go to Settings and, in the search bar, type “App permissions.” In the App permissions menu, tap Location and, next to Grindr, tap the slider to disable it. On iOS, simply open Settings, then scroll down to Privacy, select Location Services, scroll down to Grindr, and select Never.
Of course, these steps are only a stopgap measure. Grindr will need to address the flaws in their API to prevent this kind of information from leaking out.
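To show why the precision of the reported distance matters, here is an added example (not from the original article, and not Grindr's code) that measures how closely three distance readings pin down a position, with and without server-side coarsening. The flat metre grid, the whole-metre display, the square cell used as a stand-in for a geohash cell, and all coordinates and function names are assumptions constructed for illustration.

```python
import math

def trilaterate(p1, r1, p2, r2, p3, r3):
    """Point at distances r1, r2, r3 from three known points (flat plane, metres)."""
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    # Subtracting the circle equations pairwise leaves two linear equations in x and y.
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d, e = 2 * (x3 - x2), 2 * (y3 - y2)
    f = r2**2 - r3**2 - x2**2 + x3**2 - y2**2 + y3**2
    det = a * e - b * d
    return ((c * e - b * f) / det, (a * f - c * d) / det)

def snap(point, cell):
    """Centre of the square grid cell containing point (simplified geohash stand-in)."""
    return tuple((math.floor(v / cell) + 0.5) * cell for v in point)

def reported_distance(viewer, target, cell=None):
    """Distance the service would display, in whole metres.

    If cell is set, the target is snapped to its cell centre before the
    distance is computed, so the true position never enters the result.
    """
    if cell:
        target = snap(target, cell)
    return round(math.dist(viewer, target))

def localisation_error(target, viewers, cell=None):
    """Metres between the true position and what three readings reveal."""
    dists = [reported_distance(v, target, cell) for v in viewers]
    est = trilaterate(viewers[0], dists[0], viewers[1], dists[1],
                      viewers[2], dists[2])
    return math.dist(est, target)

# Constructed sample data: one user and three viewing positions, in metres.
TARGET = (1234.0, 5678.0)
VIEWERS = [(0.0, 0.0), (4000.0, 0.0), (0.0, 4000.0)]

if __name__ == "__main__":
    print("metre-precise distances:", round(localisation_error(TARGET, VIEWERS), 1), "m")
    print("1 km cell snapping:     ", round(localisation_error(TARGET, VIEWERS, 1000), 1), "m")
```

With snapping applied before the distance is computed, the readings converge on the cell centre rather than the user, so the error cannot be driven below the user's offset within the cell however precise the displayed number is.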
Do you use Grindr? Would you consider deleting the app altogether because of this breach in the app’s security? Let us know your thoughts in the comments section below.
This article is riddled with errors/mistakes. Are there no QC checks before posting articles here? “A million of users” – you mean millionS of users “comes down to incredibly high level of precision” – you mean high levelS or ‘THE incredibly high level of precision’ “Chen did not give exact specific of the improvements” – you mean specificS and even then it is redundant as ‘exact’ means the same thing in this case. “till” is written as ’til or ‘until’. “here is what we have been to assist at least reduce the potential for being tracked” erm, what?? “Of course… Read more »
If you’d like to join our team as a sub editor, you’re welcome to. Believe it or not, these things do get missed because of the sheer volume of information flying around. It’s not an excuse, it’s just what happened.
Not entirely sure if your first sentence was sarcasm, but I could be interested actually. I’m an ex journo, so mistakes tend to jump out at me 😉
Sounds like a Bumr
I know I will get flamed for this. But… Duh! The whole point of this app is to find your next FB near you for instant hookups. Without the location service, the app is basically useless other than messaging within the app, which other messaging services will do just as well with better data security. Anyone who uses this type of app should be aware that your mobile is advertising where you are loud and clear all the time. Even when the app is in the background. Otherwise, you will not appear in other users’ screen, which defeats the whole… Read more »
Wow, that isn’t cool; I wonder why/how Grindr’s location API is any different to other services that use a similar system – could someone build a location finder for them or is Grindr just terrible at security?
This could spell a lot of trouble for anyone in less tolerant countries, if someone were to find out they could do this and use it maliciously 🙁