Your neighbors are my spies: Location and other privacy concerns in dating apps

Trilateration has recently become one of the well-known threat models to the user's location privacy in location-based applications (aka: location-based services or LBS), especially those containing highly sensitive information such as dating applications. The threat model mainly depends on the distance shown from the targeted victim to the adversary to pinpoint the victim's position. As a countermeasure, most of location-based applications have already implemented the "hide distance" function to protect their user's location privacy. The effectiveness of such approach however is still questionable. Therefore, in this paper, we first investigate how popular location-based dating applications are currently protecting their user's privacy by testing the two most popular GLBT-focused applications: Jack'd and Grindr. As one of our findings, we then demonstrate how an adversary can still figure out the location of the targeted victim even when the "hide distance" function is enabled. Our threat model is simply an enhanced version of the trilateration model. Without using sophisticated hacking tools or complex attack techniques, the model is still very effective and efficient at locating the targeted victim, and of course in a so-called "legal" manner since we only utilize the information that can be obtained just as same as any other ordinary user. In addition, we also introduce a potential side channel attack fashion due to the current design of Jack'd. Our study thus raises an urgent alarm to those location-based applications' users in general, and especially to those GLBT-focused dating application's users about their privacy. Finally, the paper concludes by suggesting some possible solutions from the viewpoints of both the provider and the user considering the implementation cost and the trade-off of utility.