Therefore I reverse engineered two dating apps.

October 29, 2020

Therefore I reverse engineered two dating apps.

And I also got a session that is zero-click along with other enjoyable weaknesses

On this page I reveal several of my findings through the engineering that is reverse of apps Coffee Meets Bagel as well as the League. I’ve identified a few critical vulnerabilities throughout the research, each of which happen reported into the affected vendors.


During these unprecedented times, greater numbers of individuals are escaping to the digital globe to handle social distancing. Over these right times cyber-security is much more essential than in the past. From my experience that is limited few startups are mindful of security guidelines. The firms accountable for a range that is large of apps are no exclusion. We began this little research study to see just just exactly how secure the latest relationship apps are.

Accountable disclosure

All severity that is high disclosed in this article have already been reported into the vendors. Because of the period of publishing, matching patches have now been released, and I also have actually individually confirmed that the repairs come in destination.

I am going to perhaps perhaps not offer details within their proprietary APIs unless appropriate.

The prospect apps

We picked two popular dating apps available on iOS and Android os.

Coffee Suits Bagel

Coffee satisfies Bagel or CMB for brief, established in 2012, is well known for showing users a number that is limited of each and every day. They are hacked as soon as in 2019, with 6 million reports taken. Leaked information included a name that is full current email address, age, enrollment date, and sex. CMB was popularity that is gaining the last few years, and makes an excellent prospect because of this task.

The League

The tagline for The League application is intelligently” that is“date. Launched a while in 2015, it really is an app that is members-only with acceptance and fits centered on LinkedIn and Twitter pages. The application is much more costly and selective than its options, it asian dating sites is protection on par with all the cost?

Testing methodologies

I take advantage of a mixture of fixed analysis and analysis that is dynamic reverse engineering. For fixed analysis we decompile the APK, mostly utilizing apktool and jadx. For powerful analysis an MITM is used by me system proxy with SSL proxy capabilities.

Most of the assessment is performed in the rooted Android emulator operating Android os 8 Oreo. Tests that want more capabilities are done on a proper Android os unit operating Lineage OS 16 (considering Android os Pie), rooted with Magisk.

Findings on CMB

Both apps have large amount of trackers and telemetry, but i suppose this is certainly simply their state regarding the industry. CMB has more trackers compared to the League though.

See whom disliked you on CMB using this one simple trick

The API includes a pair_action industry in just about every bagel item which is an enum aided by the following values:

There is an API that offered a bagel ID returns the object that is bagel. The bagel ID is shown when you look at the batch of day-to-day bagels. Therefore should you want to see if some one has refused you, you can decide to try the next:

This really is a safe vulnerability, however it is funny that this industry is exposed through the API it is unavailable through the software.

Geolocation information drip, although not really

CMB shows other users’ longitude and latitude up to 2 decimal places, which can be around 1 square mile. Luckily this given info is maybe perhaps not real-time, and it’s also just updated whenever a person chooses to upgrade their location. (we imagine this is employed by the application for matchmaking purposes. We have maybe perhaps not verified this theory.)

But, this field is thought by me might be hidden through the reaction.

Findings on The League

Client-side produced verification tokens

The League does one thing pretty unusual inside their login flow:

The UUID that becomes the bearer is totally client-side generated. Worse, the host doesn’t confirm that the bearer value is a real legitimate UUID. It may cause collisions as well as other problems.

I would suggest changing the login model and so the token that is bearer generated server-side and delivered to the client when the host gets the proper OTP through the customer.

Contact number drip with an unauthenticated API

When you look at the League there is certainly an unauthenticated api that accepts a contact quantity as question parameter. The API leaks information in HTTP reaction code. If the contact number is registered, it comes back 200 okay , but once the true quantity is certainly not registered, it returns 418 we’m a teapot . Maybe it’s mistreated in a ways that are few e.g. mapping all the true figures under a place rule to see that is in the League and that is maybe perhaps not. Or it could cause possible embarrassment whenever your coworker realizes you’re regarding the application.

It has because been fixed if the bug ended up being reported into the merchant. Now the API merely returns 200 for many demands.

LinkedIn task details

The League integrates with LinkedIn to demonstrate a user’s job and employer title to their profile. Often it goes a bit overboard gathering information. The profile API comes back job that is detailed information scraped from LinkedIn, such as the start 12 months, end 12 months, etc.

Although the software does ask user authorization to see LinkedIn profile, an individual most likely doesn’t expect the position that is detailed become contained in their profile for everyone to see. I actually do perhaps maybe not believe that type or types of info is required for the app to operate, and it may oftimes be excluded from profile information.