# Grindr Privacy Leaks

SVT and SINTEF conducted an experiment on the 7th of February 2018 to analyse privacy leaks in the dating application Grindr. This was done for the Swedish TV programme "Plus granskar", which you [may watch online.](https://www.svtplay.se/video/17267438/plus-granskar/plus-granskar-ditt-karleksliv-en-handelsvara)

We discovered that Grindr contains many trackers and shares personal information with various third parties directly from the application.

## Grindr Shares Personal Information With Third-Parties

|Data|Sent to third-parties using unsafe HTTP ⚠ and HTTPS|Sent to third-parties using HTTPS only|
|----|--------------------------------|---------------------------|
|Grindr (App Name)|Adrta, Google, Liftoff, Manage.com, Mobfox, Mopub, OpenX, Smatoo|AdColony, Adsafeprotected, Apple, AppsFlyer, Apptimize, Crashlytics, Facebook, Fqtag, Kochava, Localytics, Moatads, TreasureData|
|Precise GPS Position|Adrta, Liftoff, Mopub, Nexage, OpenX|Apptimize, Localytics, TreasureData|
|Gender|Adrta, Mopub, Smatoo|Apptimize, Localytics|
|HIV Status||Apptimize, Localytics|
|Last Tested Date||Apptimize, Localytics|
|Email||Localytics|
|Age|Mopub, Smatoo|Apptimize, Localytics|
|Height||Apptimize, Localytics|
|Weight||Apptimize, Localytics|
|Body Type||Apptimize, Localytics|
|Position (sexual)||Apptimize, Localytics|
|Grindr Profile ID||AdColony, Apptimize, Crashlytics, Localytics, TreasureData|
|Tribe (Bear, Clean Cut, Daddy, Discreet, Geek, Jock, Leather, Otter, Poz, Rugged, Trans, Unknown)|Mopub|Apptimize, Localytics|
|Looking For (Chat, Dates, Friends, Networking, Relationship, Right Now, Unknown)|Mopub|Apptimize, Localytics|
|Ethnicity|Mopub|Apptimize, Localytics|
|Relationship Status|Mopub|Apptimize, Localytics|
|Phone ID|Adrta, Liftoff, Mopub, Smatoo|AdColony, Kochava|
|Advertising ID|Adrta, Liftoff, Mopub, Nexage, OpenX, Smatoo|AdColony, Adsafeprotected, AppsFlyer, Apptimize, Facebook, Fqtag, Localytics, Maxads, TreasureData|
|Phone Characteristics|Adrta, Liftoff, Mopub, OpenX, Smatoo|AdColony, AppsFlyer, Apptimize, Facebook, Maxads, TreasureData|
|Language|Liftoff, Mopub, Nexage, Smatoo|AdColony, AppsFlyer, Apptimize, Facebook, Maxads, TreasureData|
|Activity||App-measurement, Apptimize, Facebook, TreasureData|
|Pictures|||
|Messages content|||

![](https://raw.githubusercontent.com/SINTEF-9012/grindr-privacy-leaks/master/screenshot-apptimize-1.PNG)
![](https://raw.githubusercontent.com/SINTEF-9012/grindr-privacy-leaks/master/screenshot-localytics-1.PNG)

## Grindr Shares Personal Information Including HIV Status With Apptimize And Localytics

It is unnecessary for Grindr to track its users' HIV status through third-party services. Moreover, these third parties are not necessarily certified to host medical data, and Grindr's users may not be aware that they are sharing such data with them.

## Grindr Shares Personal Information Without Security

Personal information is shared unencrypted, allowing people, companies, or governments eavesdropping on a network to discover who is using Grindr, where they are precisely located during the day, how they look, what they like, what they browse… By sharing such information in an unsafe way, Grindr is exposing its users.

## Grindr Contains Trackers

By decompiling the Grindr Android application, we discovered tracking software, notably from Facebook, Smatoo and Localytics. [This is also confirmed by the Exodus Privacy project.](https://reports.exodus-privacy.eu.org/reports/5323/)

## Experiment Setup

We installed Grindr on a Samsung Galaxy running Android and on an iPhone running iOS. Two persons created a Grindr profile and started dating for a few minutes.

We analysed the Grindr network traffic using a man-in-the-middle proxy that recorded HTTP and HTTPS exchanges, with a setup similar to the one described in the paper ["Who knows what about me? A survey of behind the scenes personal data sharing to third parties by mobile apps" (Zang, K., Dummit, J., Graves, P.L. and Latanya, S., Technology Science, 2015)](https://techscience.org/a/2015103001/download.pdf).
We used Wireshark to monitor all TCP/IP traffic, Fiddler to capture HTTP and HTTPS traffic, and APKTool to decompile the Android application.
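The table above is the kind of result that falls out of a proxy capture once each request is tagged by data category and transport. The following Python is an added example, not part of the SVT/SINTEF study: it walks a constructed list of captured requests, maps parameter names (assumed names, not Grindr's real SDK field names) to the table's data categories, and separates hosts that received the data over unsafe HTTP from those that used HTTPS only. The hostnames are placeholders named after the third parties in the table.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Parameter name -> data category from the README table. Key names are assumptions:
# real SDKs use their own field names, so this map is rebuilt per app from the capture.
SENSITIVE_KEYS = {
    "lat": "Precise GPS Position", "lon": "Precise GPS Position", "gender": "Gender",
    "hiv_status": "HIV Status", "last_tested": "Last Tested Date", "email": "Email",
    "age": "Age", "gaid": "Advertising ID", "idfa": "Advertising ID",
}

# Constructed capture of (URL, form body), shaped like what a MITM proxy such as
# Fiddler records. Hosts are placeholders named after the README's third parties.
CAPTURE = [
    ("http://ads.mopub-placeholder.test/ad?lat=59.91&lon=10.75&gender=m&age=34", ""),
    ("https://analytics.localytics-placeholder.test/v1/event",
     "hiv_status=negative&last_tested=2018-01&email=user%40example.com"),
    ("https://api.apptimize-placeholder.test/metadata", "lat=59.91&lon=10.75&hiv_status=negative"),
    ("http://ads.smatoo-placeholder.test/bid?gaid=00000000-0000-0000-0000-000000000000&age=34", ""),
    ("https://cdn.static-placeholder.test/logo.png", ""),  # no personal data, ignored
]

def classify(capture, sensitive_keys=SENSITIVE_KEYS):
    """Map each data category to the hosts that received it (query string or form
    body), split by URL scheme so plaintext HTTP flows stand out."""
    report = defaultdict(lambda: {"http": set(), "https": set()})
    for url, body in capture:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https"):
            continue
        for key in {**parse_qs(parts.query), **parse_qs(body)}:
            category = sensitive_keys.get(key.lower())
            if category:
                report[category][scheme].add(parts.hostname)
    return dict(report)

def plaintext_leaks(report):
    """Categories seen on unencrypted HTTP at least once: the README's ⚠ column."""
    return sorted(cat for cat, hosts in report.items() if hosts["http"])

def table_rows(report):
    """Rows in the README's layout: (data, hosts using unsafe HTTP, hosts using HTTPS only)."""
    return [(cat, ", ".join(sorted(h["http"])), ", ".join(sorted(h["https"] - h["http"])))
            for cat, h in sorted(report.items())]

if __name__ == "__main__":
    result = classify(CAPTURE)
    for row in table_rows(result):
        print("| %s | %s | %s |" % row)
    print("Sent in plaintext:", plaintext_leaks(result))
```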