Looking up bad words is fun and all, but there were better, more exciting things to see. Scrolling on, I saw the real names and details of the servers, and details of the requests the app had been making, flash by.
It seemed strange that an application that looked so well written on the surface could be so sloppy underneath. I became curious to dig much deeper and find out whether, like many of the people you meet on dating apps, Tantan's initial beauty was just a mirage.
Next up, I decided to see what kind of data the app was sending and how well it was protected.
I used ssh to connect to my home router and fired up the tcpdump program to see what kind of data was flying around between Tantan running on my phone and Tantan's server. I looked up the IP address of Tantan's server and then started watching and collecting traffic using this command:
Data sent between an app and a server is normally encrypted so that the dozen or more computers it passes through on its journey across the internet can't read it. So, naturally, I expected to see a stream of encrypted, unreadable data flowing through my router between my phone and Tantan's server.
Much to my surprise, the information sent between my phone and Tantan's server, somewhere on the other side of the Great Firewall deep in Mainland China, was completely readable. I could see the password I had just entered, my phone number and all the people I was being matched with. And if I could read it, that means any number of other people could as well.
My next step was to fire up Wireshark to get a better view of what was going on.
The Tantan app asking the server for more people to swipe. Will The One be in this request?
Seeing all this well-structured information flowing back and forth piqued my curiosity about exactly what kinds of information Tantan was collecting from its users and then leaking to the world.
When your shared secret is not secret
Usually, when reverse engineering an undocumented API to figure out how it works, you'd have to spend a few minutes setting up some tools to decode the encrypted content. However, Tantan's security failings made it trivial to see how their app and server interact and talk to each other.
The first thing I noticed was that they store a fixed password in the app, which the app must provide to its server before it is even allowed to connect to sign up a new user or log in an existing one. This password, or shared secret, is stored and static in every copy of Tantan downloaded from the App Store.
Here we can see the username used to connect to Tantan's authentication server, 100002, and the matching password. If you want to keep something secret, you should use encryption.
Basically, the purpose of this shared secret is to stop third-party apps from connecting to the Tantan server, but without encryption the secret wasn't very secret.
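As an added example (not code from the original post or from Tantan), here is the kind of check a defender could run over a text dump of captured HTTP traffic to flag exactly what the captures above showed: a static Basic-auth shared secret in a header, and password and phone-number fields in a cleartext form body. The capture text, the hostname, the paths and the secret value are constructed placeholders; only the username 100002 comes from the post.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample of an unencrypted app-to-server HTTP exchange (not real
# Tantan traffic): host, paths and the secret are placeholders; the username
# 100002 is the one the post mentions.
_BASIC = base64.b64encode(b"100002:PLACEHOLDER_SHARED_SECRET").decode()
SAMPLE_CAPTURE = (
    "POST /v1/auth/verification HTTP/1.1\n"
    "Host: api.example.invalid\n"
    f"Authorization: Basic {_BASIC}\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "mobile=%2B15550100&password=hunter2&country=US\n"
    "\n"
    "GET /v1/users/recommend?limit=20 HTTP/1.1\n"
    "\n"
)
# Form fields whose presence in a cleartext body is worth flagging.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "mobile", "phone", "token"}

def split_requests(capture):
    """Split a text capture into (request line, headers, body) tuples."""
    requests = []
    for chunk in re.split(r"\n(?=(?:GET|POST|PUT|PATCH|DELETE) )", capture):
        head, _, body = chunk.partition("\n\n")
        lines = head.split("\n")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        requests.append((lines[0].strip(), headers, body.strip()))
    return requests

def find_cleartext_secrets(capture):
    """Report (request line, kind, name) for every credential sent in the clear.
    Only the user or field name is reported, never the secret value."""
    findings = []
    for req_line, headers, body in split_requests(capture):
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            decoded = base64.b64decode(auth[6:]).decode(errors="replace")
            findings.append((req_line, "basic-auth user", decoded.partition(":")[0]))
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            for field in parse_qs(body):
                if field.lower() in SENSITIVE_FIELDS:
                    findings.append((req_line, "form field", field))
    return findings
```

On the sample the POST is flagged three times (the Basic-auth user, the mobile field and the password field) while the plain GET produces nothing; over TLS none of this would be visible to a router in the path.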
Tantan shares you with the world
Next, I went through the process of creating a new user. Tantan asked me to share my country and phone number before it sent me a code by text message allowing me to continue.
Tantan uses your phone number as a username, like WhatsApp.
After entering the code, it prompted me to choose a password and enter details about:
All of this information was submitted in cleartext, unencrypted, over the internet.
Congratulations! Your intimate preferences are now public information! Isn't transparency great?
Selling out your friends
During the sign-up process, after creating an account, new users are prompted to share their contacts with Tantan. Tantan promises to hide you from the people in your contacts list. One imagines this is to avoid the potential, umm, social awkwardness of showing up as a possible match to a coworker, ex-boyfriend or current wife. Think Ashley Madison meets Tinder.
Friends and business associates trust you with their personal contact information. Have you given them away by sharing it with an untrustworthy app?