When I think about security and privacy, I often focus on sophisticated attacks and exotic exploits, or on user error and social engineering. A recent report about the security design of Tinder reminds me that we need to also keep an eye out for someone just leaving the door unlocked and wide open.
Tinder does not encrypt the connection between your phone and its servers when sending photos back and forth. Anyone in a position to see your network traffic, like on a public WiFi, could see and potentially modify those photos. Additionally, even the encrypted communications leave patterns that an attacker can recognize. The messages for "left swipes" and “right swipes” are different in size, so the observer not only knows which profile you viewed, but also what you thought about it.
The company that discovered the attack, Checkmarx, has even created fully functional demonstration of the attack.
Doubtless there are many other apps with similar vulnerabilities that testers have not gotten around to examining. It is deeply frustrating that many developers put so little effort into protecting the privacy and security of their users, who are the whole reason the business has value.
Fortunately there is a way to defend against at least this particular vulnerability, VPNs. By encrypting all of your traffic before it leaves your device you can ensure that anyone sniffing on the local network or WiFi is prevented from reading any of the content. It also keeps them from knowing what services you are visiting, and mixes together all of your different activities over the same channel.