
Tantan, the Tinder of China, Has a Basic Security Flaw

The app sends sensitive user data in plain text, a major violation of good security practices.

Tantan, a Chinese clone of the dating app Tinder, sends passwords, phone numbers, location data and more in plain text, Larry Salibra, founder and CEO of Pay4Bugs, a crowdsourced software bug-testing program, has found.

In an age when anyone can sit in a Wi-Fi cafe and intercept communications, sending sensitive data such as locations and passwords unencrypted is regarded by the information security community as totally irresponsible. Encrypting private information during transit is a basic step of customer security.


Tantan is an app available for free on both iOS and Android platforms. It works in the same way as Tinder: users cycle through profiles of potential partners who are physically located nearby, swiping when they like someone. When both parties are interested in each other, they can start chatting.

"Much to my surprise, the information sent between my phone and Tantan's server somewhere on the other side of the Great Firewall deep in Mainland China was completely readable," Salibra wrote on his blog. "I could see the password I had just entered, my phone number and all the people I was being matched with. And if I could read it, that means any number of other people could as well."


In other words, pretty much any communication between the app and the Tantan server in China is being sent unencrypted. This means that anyone intercepting those messages, such as someone sitting in a Wi-Fi cafe, can read them: this is one of the reasons other apps typically encrypt data to protect the privacy of their customers.

When Salibra set up a test account on the service, he was also asked for his gender, sexual orientation, partner age preferences, interests and hobbies. One can imagine that location and sexual preferences might be data that a user would want to keep relatively discreet. "All of this information was sent in cleartext, unencrypted, across the Internet," he wrote.

The Tantan app also sends unencrypted location data to the server, "which could be several times a minute." Salibra said this data could easily be entered into Google Maps to track someone's movements.

Tantan has said it is working on a solution to the problems, namely adding HTTPS so that its apps' traffic is encrypted in transit. However, in an email to Salibra, Tantan CEO Yu Wang did not mention whether the company has informed its users.
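As an added illustration (not code from Salibra's write-up or from Tantan), this is the kind of transport audit a developer could run over their own app's request log before shipping: it flags the categories of data named above whenever they leave the device over plain HTTP, and shows the scheme-upgrade rule that the promised HTTPS fix amounts to. The URLs, field names and sample records are constructed.

```python
# Added example: audit a log of outgoing app requests for sensitive fields sent
# without TLS, and enforce an HTTPS-only rule for the fix. Request records,
# URLs and field names below are constructed for illustration, not Tantan's.
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Categories of data the article says left the device in cleartext.
SENSITIVE_FIELDS = {"password", "phone", "lat", "lng", "gender",
                    "orientation", "age_min", "age_max", "interests"}


@dataclass
class Request:
    url: str
    body: dict = field(default_factory=dict)


def plaintext_exposures(requests):
    """Return (url, [sensitive fields]) for every request not sent over HTTPS."""
    findings = []
    for req in requests:
        if urlsplit(req.url).scheme.lower() == "https":
            continue  # encrypted in transit; an on-path observer sees only metadata
        exposed = sorted(k for k in req.body if k.lower() in SENSITIVE_FIELDS)
        if exposed:
            findings.append((req.url, exposed))
    return findings


def require_https(url):
    """Upgrade http:// to https:// and reject any other scheme outright."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return url
    if scheme == "http":
        return urlunsplit(parts._replace(scheme="https"))
    raise ValueError(f"refusing non-TLS transport: {scheme!r}")


# Constructed sample log: a login, a location ping, and one already-fixed call.
SAMPLE_LOG = [
    Request("http://api.example.invalid/login", {"phone": "0000000000", "password": "hunter2"}),
    Request("http://api.example.invalid/location", {"lat": 31.23, "lng": 121.47}),
    Request("https://api.example.invalid/profile", {"gender": "f", "orientation": "x"}),
]

if __name__ == "__main__":
    for url, fields in plaintext_exposures(SAMPLE_LOG):
        print(f"{url}: {', '.join(fields)} in cleartext; should be {require_https(url)}")
```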

In a similar case, several apps certified by the UK's National Health Service were recently found to be sending sensitive details across the internet in plain text.

It is not clear how many users are on Tantan. In February, the company raised $5 million in funding.