Seek sex, find grief
With online security (or lack of it) in the news again, how’s this for a tale of what can go wrong if app devs don’t think things through…
My regular readers will know that I have written before about web security and how, at heart, nobody cares about it. Not even you.
Have you, for instance, pulled your “adult” pics off of iCloud after the megaceleb-nude-misogyny-fest of August 2014? No, of course you haven’t.
How about if it could get you into real trouble, though? A less publicised recent coding fail related to the gay, ahem, “chat” app Grindr. This allows chaps who wish to “chat” with other chaps to find them in the local area. It’s an IM app with a strong geolocation element, basically.
Last month, somebody messaged me on Grindr to point out a security flaw in it. Not just me – the hacker was mass-mailing users.
The flaw: Grindr reveals your distance from FUNnow57, or whoever you may be lining up for a good, hard chatting; that’s its USP. However, with a bit of ingenious coding, you can ping FUNnow57 from several locations at once. Via the miracle of triangulation (strictly speaking trilateration, since it works from distances rather than angles), you now know exactly where he is. And why do you know that? Because Grindr’s geolocation data is both reasonably accurate and totally unencrypted.
Sure enough, following the link the mystery white hat had shared in his message, I could view a map overlaid with the location of every local Grindr user, including, more or less, my own location – it was within 20 metres or so, anyway.
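The distance leak described above, reduced to a worked model as an added example (not code from this post, nor from Grindr): a toy 2D trilateration solver shows that a handful of precise distances pins a user down to the metre, and compares that with a server that rounds each distance up to a coarse bucket before disclosing it. The bucketing is an assumed mitigation and the coordinates are constructed, not real users.

```python
import math

# Constructed scenario: coordinates in metres on a flat plane, not real users.
USER = (120.0, 340.0)
PROBES = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0), (1000.0, 1000.0)]


def reported_distance(user, probe, bucket_m):
    """What the server tells a client sitting at `probe` about `user`.

    bucket_m=0 models the raw behaviour the post describes (precise distance).
    bucket_m>0 models an assumed mitigation: round the distance up to a coarse
    bucket before disclosing it.
    """
    d = math.dist(user, probe)
    if bucket_m <= 0:
        return d
    return math.ceil(d / bucket_m) * bucket_m


def trilaterate(probes, dists):
    """Least-squares (x, y) from >= 3 probe points and their reported distances.

    Subtracting the first circle equation from each of the others linearises
    the system: 2(xi-x1)x + 2(yi-y1)y = d1^2 - di^2 + xi^2 - x1^2 + yi^2 - y1^2.
    """
    (x1, y1), d1 = probes[0], dists[0]
    rows, rhs = [], []
    for (xi, yi), di in zip(probes[1:], dists[1:]):
        rows.append((2 * (xi - x1), 2 * (yi - y1)))
        rhs.append(d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2)
    # Normal equations (A^T A) p = A^T b for the two unknowns.
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def locate_error(user, probes, bucket_m):
    """Metres between the user's true position and the trilaterated estimate."""
    dists = [reported_distance(user, p, bucket_m) for p in probes]
    return math.dist(trilaterate(probes, dists), user)


if __name__ == "__main__":
    for bucket in (0, 100, 500):
        err = locate_error(USER, PROBES, bucket)
        print(f"bucket {bucket:>3} m -> position error {err:7.1f} m")
```

Coarse buckets raise the cost of the search rather than ending it: with enough probe positions the bucket boundaries themselves can be mapped, so bucketing is a damage limiter, not a substitute for not handing out per-user distances at all.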
I must admit my initial thought was, “That’s neat – Gaygle Maps!”
However, not every user of the app lives in a Western idyll where nobody much cares about sexual orientation – or if they do, they’re polite enough to put up with it so long as it’s not “shoved down their throats”. Yup.
Grindr, though, has a slightly more nuanced use in certain other countries: it lets gays find other gays without the threat of harassment, assault or having the Saudi religious police kick their door down in the morning. Or, at least, that’s what users in those countries thought it did.
I’m sure Grindr’s devs never considered this when they built the app. Just getting it to work without crashing, while showing you an advert every 15 f**king seconds, seems to be the limit of their ambitions/skill. The global nature of smartphone connectivity means an app meant for one place and purpose ends up being used in ways it was never intended. That’s not their fault.
You’ve got to say, though, they didn’t exactly cover themselves in glory after their security hole was pointed out. Subsequent updates didn’t appear to fix the exploit, but they did seem to try to stop anyone sending mass messages on their system. Ones saying, for instance, “Hey, Iranian guy! Using this app could get you killed!” So that’s nice.
Now, will actual danger to life and liberty cause Grindr users to take their online security seriously? I hope so, I really do. But if not, my original point is proved, I’d say.