GPS-enabled phones have revolutionized how we travel, how we buy
things, and how we stay connected to the people we care about. But
location aware devices also made where you are at any given moment
potentially accessible to other people.
This week, we look at four apps that all can access your location
information. For all but one, it makes sense for the app to know where
you are, but the way they handle that information isn't fantastic.
Unfortunately, Android permissions don't have the fine-grain approach of
iOS for location data—it's all or nothing. So consider what you want
shared (and how) before downloading an app that knows where you are.
Tinder
Not quite a dating app, Tinder says that
it will pair you people nearby with (allegedly) similar interests. The
location is a key aspect of the app, since you can only see (and can
only be seen) by people who are nearby. The idea is that physical
distance will give you some level of anonymity, but apparently it can be
circumvented.
Appthority told SecurityWatch that other Tinder users can see the
last time you updated your location and an "approximate" distance
between you any other Tinder users viewing your profile. You'd think
that this approximation is handled on Tinder's servers, but when you
look at someone's Tinder profile the exact distance between you and them
is sent to your phone and then obfuscated.
"For a technically savvy Tinder user, they can view this information
and use a geolocation tracking technique to determine the exact
geolocation with just the exact distance away number," said Appthority.
"This involves spoofing their current geolocation, looking again to see
how far away the target Tinder user is, then repeatedly spoofing their
geolocation until they get closer to the target and the target Tinder
user shows 0.0 miles away." Note that this spoofing technique also
allows users to view any profile they like, by pretending to be in
different locations.
Beyond your location data, Appthority says that Tinder also shares
your birthday; which in itself is not too scary but could be combined
with other information to steal your identity. Tinder also shares your
Facebook ID, which someone could use to pull down more information from
Facebook.
Skout
Similar to Tinder, Skout is designed to
connect you with people nearby. Unfortunately, Appthority says that it
has many of the same privacy issues as Tinder.
As with Tinder, with Skout you can see the last time a user updated
their location, but you can also see their exact distance from your
current position without having to dig around in the app. Using the same
spoofing method described above, you could potentially figure out the
exact location for any Skout user.
Also troubling is that geolocation information for images (including
profile pictures) is also transmitted by Skout, giving you even more
information about a Skout user and their movements.
Most troubling is that Skout sends users' exact geolocation
information to not one, but several ad networks. According to
Appthority, this information is transmitted unencrypted. While ad
networks make it possible for developers to give away apps for free, the
amount of information transmitted can be unsettling to say the least.
Flirt
As for Skout and Tinder, Flirt (or Cheeky
Lovers, another app which is effectively identical to Flirt) lets you
see people nearby and, well, flirt with them. Flirt, however, seems even
more cavalier with your information.
Appthority reports that Flirt is tied to "aggressive spamware" and
transmits private information from your phone to several ad networks. It
also harvests information like exact geolocation and email address from
your device and transmits it via an unencrypted connection.
While Skout and Tinder required complex tricks to figure out a user's
exact location, Flirt doesn't bother. Appthority says that the Flirt
"shares the specific latitudinal and longitudinal geolocation of all
users with public profile seen by potential matches."
Kids Memory Game
A bonus app this week from Bitdefender,
Kids Memory Game is a cheaply thrown-together tile-matching game
featuring the (no doubt illegal) visage of Woody Woodpecker. It's
included here because even though it's not a dating app, it can see your
location while the app is running. Unfortunately, it's not the only app
targeted at kids we've seen with these kinds of risky behaviors.
It can also access your browser history and connect to the Internet,
which is especially odd since the app has no online functions.
No comments:
Post a Comment