Check Point Research (CPR) recently analyzed several popular dating applications with over 10 million downloads combined in order to understand how safe they are for users. Dating apps traditionally use geolocation data to offer the opportunity to connect with people nearby, but this convenience feature often comes at a cost. Our research focuses on a specific app called “Hornet” that had vulnerabilities allowing a user’s precise location to be determined, which presents a major privacy risk to its users.

Key Findings

  • Techniques like trilateration allow an attacker to determine a user’s coordinates from distance information alone
  • Despite safety measures, the Hornet dating app – a popular gay dating app with over 10 million downloads – had vulnerabilities allowing precise location determination, even if users disabled the display of their distance. We developed a method that achieved location accuracy within 10 meters in reproducible experiments.
  • The Hornet developers have implemented new measures to minimize potential risks, which have reduced the achievable location accuracy to 50 meters.

Overview

CPR discovered that the Hornet app sends precise coordinates to the server. Hornet’s creators are aware of the potential risks of user positioning, as mentioned on their website, and claim to protect user locations by randomizing the distance displayed in the application, which in their opinion makes it impossible to determine the exact location. However, this is not the case.

At the time of our research, the measures taken by Hornet were insufficient to protect user coordinates, allowing for the determination of user locations with very high accuracy.

Following the responsible disclosure process, we attempted to contact the Hornet team, providing them with the results of our research. Just before this publication, we reexamined the Hornet application. Despite not receiving a response to our inquiry, Check Point Research can confirm that the developers have already implemented necessary measures to significantly reduce the accuracy of users’ coordinate determination. Since the specified responsible disclosure deadlines have passed, we are publishing the results of our research.

Understanding Geolocation & Possible Dangers

Geolocation is a technology that uses data acquired from an individual’s computing device (such as a smartphone, tablet, or laptop) to identify or estimate the real-world geographic location of that device. This information can range from very precise location details (such as a specific address or location coordinates) derived through GPS (Global Positioning System) to less precise location data obtained via IP address, Wi-Fi, cellular networks, or Bluetooth beacons.

Geolocation technology, while beneficial, presents several risks, especially when it comes to privacy and security within apps. These include potential privacy breaches from unauthorized data access, unintended sharing of location data with third-party entities, risks of tracking and surveillance, and security vulnerabilities like location spoofing. This information could be exploited by stalkers, burglars, or other malicious actors.

Methodology for determining distance

In Hornet and similar applications, users in the search results are sorted in ascending order of distance. If we find two users in the search results who allow the display of their distance, and the target user is located between them in the search results, we can determine the approximate distance to the target user as an average value of two known distances:

Figure 1 – Estimating the approximate distance to the user based on known distances to neighbors

However, the presence of other users near the target is not a necessary condition. The distance to the target can also be determined by registering an additional account whose coordinates are under our control.

The distance between two users can then be determined by bisection: the candidate range is repeatedly divided in half and the additional account is positioned at the midpoint. Each search result shows whether the target lies within the current half, so the range between the target and the additional account is progressively narrowed until the desired precision is reached.

Figure 2 – Technique for determining the distance to the user using the positioning of an auxiliary account

Trilateration methodology

We used two-step trilateration: first, we performed trilateration using two reference points to obtain two possible candidate locations (intersection points of the circles). Then, we used the distance information from the third reference point to select the correct solution.

Let’s assume that we know the area where the target account is located, with a diameter of 10 km. For example, this could be a small town. Around this area, we randomly generated 30 sets of reference points in a ring with an inner radius of 5 km and an outer radius of 10 km.

As a result of trilateration for each group of reference points, we obtained a set of possible coordinates for the target point. The maximum geolocation error was 350 meters, and the minimum was only 2 meters. We then calculated the mean latitude and longitude over all points. The distance between this mean and the target point turned out to be 24 meters.

With a 95% probability, the geolocation accuracy was within 200 meters.

Improving geolocation accuracy

With the approximate location known, we generated reference points 1 to 2 kilometers from the region where the target was expected to be located. Applying our method, we obtained many estimates of the target location. The geolocation errors were distributed almost uniformly, with a minimum of 1.5 meters and a maximum of 70 meters. We again calculated the average latitude and longitude of the results. The resulting average point was less than 5 meters away from the target point:

Figure 3 – The final location estimate has an error of less than 5 meters

By repeating the experiment many times for different target points, we consistently obtained location accuracy within 10 meters.
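As an added example (not code from the research or from Hornet), the following Python simulation implements the two-step trilateration described in the two sections above on a local plane and uses it as a defender’s check: it compares a server that reports exact distances, one that randomizes each displayed distance (an assumed model of the protection the article mentions; the noise amplitude is a constructed value), and one that snaps the user’s location to a grid before computing any distance (an assumed mitigation, not a description of Hornet’s actual fix). Reference points are drawn in a 5 to 10 km ring around an assumed search area, as in the text; the target coordinates and the cell size are constructed. One deliberate difference from the research: the estimates are combined with a componentwise median rather than a mean, so that an occasionally mis-chosen mirror candidate does not drag the result off.

```python
"""Added example: local-plane simulation of two-step trilateration, used to
check how three server-side distance policies hold up against it.
Coordinates are metres on a local tangent plane (adequate for a ~10 km area);
every number here is constructed for the example."""
import math
import random
from statistics import median

# ---- server-side distance policies (assumed models, not Hornet's code) ------

def policy_exact(target, ref, rng):
    """Report the true distance (the weak baseline)."""
    return math.dist(target, ref)

def policy_jitter(target, ref, rng, jitter_m=200.0):
    """Randomised display: fresh noise on every query, centred on the truth."""
    return math.dist(target, ref) + rng.uniform(-jitter_m, jitter_m)

def snap_to_grid(point, cell_m):
    """Centre of the cell_m x cell_m grid cell containing point."""
    return tuple((math.floor(c / cell_m) + 0.5) * cell_m for c in point)

def policy_grid(target, ref, rng, cell_m=100.0):
    """Deterministic coarsening: measure from the cell centre, so every query
    is consistent with one fake point and repeated queries add nothing."""
    return math.dist(snap_to_grid(target, cell_m), ref)

# ---- the geometry the article describes --------------------------------------

def circle_intersections(p1, r1, p2, r2):
    """Intersection points of two circles; radii that do not quite meet
    (noisy reports) are clamped to the single nearest point on the centre line."""
    (x1, y1), (x2, y2) = p1, p2
    d = math.dist(p1, p2)
    if d == 0.0:
        return []
    a = (r1 * r1 - r2 * r2 + d * d) / (2.0 * d)
    h = math.sqrt(max(r1 * r1 - a * a, 0.0))
    xm, ym = x1 + a * (x2 - x1) / d, y1 + a * (y2 - y1) / d
    ox, oy = -(y2 - y1) * h / d, (x2 - x1) * h / d
    return [(xm + ox, ym + oy), (xm - ox, ym - oy)]

def trilaterate(refs):
    """Two-step trilateration: intersect the first two circles, then keep the
    candidate whose distance to the third reference best matches its report."""
    (p1, r1), (p2, r2), (p3, r3) = refs
    cands = circle_intersections(p1, r1, p2, r2)
    if not cands:
        return None
    return min(cands, key=lambda c: abs(math.dist(c, p3) - r3))

def ring_point(centre, r_min, r_max, rng):
    """Random point in the ring r_min..r_max around centre."""
    ang = rng.uniform(0.0, 2.0 * math.pi)
    rad = rng.uniform(r_min, r_max)
    return (centre[0] + rad * math.cos(ang), centre[1] + rad * math.sin(ang))

def estimate_location(target, policy, n_sets=30, r_min=5000.0,
                      r_max=10000.0, seed=1):
    """Run n_sets trilaterations with reference points in a ring around the
    assumed search area (centred on the origin) and combine the fixes.
    Returns (estimate, error_in_metres)."""
    rng = random.Random(seed)
    centre = (0.0, 0.0)  # only the area is assumed known, not the target
    fixes = []
    for _ in range(n_sets):
        refs = []
        for _ in range(3):
            p = ring_point(centre, r_min, r_max, rng)
            refs.append((p, policy(target, p, rng)))
        fix = trilaterate(refs)
        if fix is not None:
            fixes.append(fix)
    # Componentwise median instead of the mean used in the research: a rare
    # mis-chosen mirror candidate would otherwise drag the average off.
    est = (median(f[0] for f in fixes), median(f[1] for f in fixes))
    return est, math.dist(est, target)

if __name__ == "__main__":
    target = (1234.0, -567.0)  # constructed target inside the 10 km area
    for name, pol in (("exact", policy_exact), ("jitter +-200 m", policy_jitter),
                      ("100 m grid", policy_grid)):
        for n in (3, 30, 300):
            _, err = estimate_location(target, pol, n_sets=n)
            print(f"{name:15s} n_sets={n:4d}  error={err:8.1f} m")
```

Running the block prints the error for 3, 30 and 300 reference sets under each policy: it stays near zero for exact distances, shrinks as the number of sets grows for jittered distances (independent noise averages out, which is why randomizing the displayed distance did not help), and stays fixed at the offset between the target and its cell centre for the grid policy no matter how many sets are used. The point for an implementer is that the coarsening must be deterministic per user (the same fake point answers every query) and must feed every distance-dependent output, including the sort order of search results, since the article shows that ordering alone leaks the distance.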

Conclusion

When it comes to dating applications, exposing user geolocation poses significant risks to privacy. Our experiments revealed potential vulnerabilities in the Hornet dating application, which has over 10 million downloads. The distance estimation methodology we developed, combined with trilateration using a large number of reference points, demonstrated very high accuracy in determining user locations.

Hornet developers applied changes to mitigate the risks, reducing the location accuracy to 50 meters. This improvement, while significant, still allows a motivated attacker to determine approximate coordinates.

CPR strongly advises users to be vigilant about the permissions they grant to apps and to stay informed about the potential risks and best practices for protecting privacy and security when dealing with geolocation data. By disabling location services, users can prevent apps from tracking their whereabouts and gathering information about their movements. This measure can effectively safeguard user privacy and thwart the sharing of personal data with external entities.
