Swipe Left for Identity Theft
An Analysis of User Data Privacy Risks on Location-based Dating Apps
Karel Dhondt, Victor Le Pochat, Yana Dimova, Wouter Joosen, Stijn Volckaert

TINDER 100M
BADOO 100M
POF 50M
MEETME 50M
TAGGED 50M
GRINDR 50M
TANTAN 50M
JAUMO 50M
LOVOO 50M
HAPPN 10M
BUMBLE 10M
HINGE 10M
HILY 10M
OKCUPID 10M
MEETIC 10M

1.438

LBD apps elicit peculiar privacy behavior
Users willingly share highly personal and sensitive data (including exact locations)
Users expect others to share data
Users share data with strangers

Sufficient (self-)disclosure
Maintaining privacy

What are the privacy risks in sharing personal data with other users?
Social privacy (institutional privacy)
Our adversary focuses on collecting personal data about one or more other users of the LBD app using only client-side interactions as a regular user

Adversary Intentions

What is the extent of data exposure & leaks in LBD apps?

Data exposure & leaks
UI Exposure: readily visible in the UI
Traffic leak: automatically sent in API network traffic
Exfiltration leak: sent after altering traffic or behavior
Intended sharing
Inadvertent sharing

Private Data Leaks
Three modes of data exposure & leaks
UI Exposure: readily visible in the UI
Traffic Leak: automatically sent in API network traffic
Exfiltration Leak: sent after altering traffic or behavior

Personal data
Sensitive data (GDPR art. 9)
App usage data

APIs leak data for all apps
99 leaks in total

Personal Data Leaks
Tinder: leak of non-binary gender

Sensitive Data Leaks
All apps: data reciprocity nearly always fails (hidden attributes)

App Usage Data Leaks
Badoo, Bumble: exfiltration leaks of activity, filters
All except OkCupid: fetch multiple profiles at once
All apps: data reciprocity nearly always fails (hidden profiles)

Location Data Leaks
Trilater