So I reverse engineered two dating apps.

And I also got a zero-click session along with other fun vulnerabilities

In this post I share some of my findings from reverse engineering the apps Coffee Meets Bagel and The League. I have identified several critical vulnerabilities during the research, all of which have been reported to the affected vendors.


In these unprecedented times, more and more people are escaping into the digital world to cope with social distancing. During these times cyber-security is more important than ever. From my limited experience, very few startups are mindful of security best practices. The companies responsible for a large range of dating apps are no exception. I started this little research project to see how secure the latest dating apps are.

Responsible disclosure

All high severity vulnerabilities disclosed in this post have been reported to the vendors. By the time of publishing, corresponding patches have been released, and I have independently verified that the fixes are in place.

I will not provide details of their proprietary APIs unless.

The candidate apps

I picked two popular dating apps available on iOS and Android.

Coffee Meets Bagel

Coffee Meets Bagel, or CMB for short, launched in 2012, is known for showing users a limited number of matches every day. They were hacked once in 2019, with 6 million records stolen. Leaked information included a name, email address, age, registration date, and gender. CMB has been gaining popularity in recent years, and makes a good candidate for this project.

The League

The tagline for The League app is “date intelligently”. Launched some time in 2015, it is a members-only app, with acceptance and matches based on LinkedIn and Twitter profiles. The app is more expensive and selective than its alternatives, but is its security on par with the price?

Testing methodologies

I use a combination of static analysis and dynamic analysis for reverse engineering. For static analysis I decompile the APK, mostly using apktool and jadx. For dynamic analysis I use an MITM network proxy with SSL proxy capabilities.

Most of the testing is done inside a rooted Android emulator running Android 8 Oreo. Tests that require more capabilities are done on a real Android device running LineageOS 16 (based on Android Pie), rooted with Magisk.

Findings on CMB

Both apps have a lot of trackers and telemetry, but I guess that is just the state of the industry. CMB has more trackers than The League though.

See who disliked you on CMB with this one simple trick

The API includes a pair_action field in every bagel object, and it is an enum with the following values:

There is an API that, given a bagel ID, returns the bagel object. The bagel ID is shown in the batch of daily bagels. So if you want to see if someone has rejected you, you could try the following:

This is a harmless vulnerability, but it is funny that this field is exposed through the API but is not available through the app.

Geolocation data leak, but not really

CMB shows other users’ longitude and latitude up to 2 decimal places, which is around 1 square mile. Fortunately this information is not real-time, and it is only updated when a user chooses to update their location. (I imagine this is used by the app for matchmaking purposes. I have not verified this hypothesis.)

However, I do think this field could be hidden from the response.

Findings on The League

Client-side generated authentication tokens

The League does something pretty unusual in their login flow:

The UUID that becomes the bearer is entirely client-side generated. Worse, the server does not verify that the bearer value is an actual valid UUID. It might cause collisions and other problems.

I recommend changing the login model so the bearer token is generated server-side and sent to the client once the server receives the correct OTP from the client.
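A sketch of the recommended model, added here as an illustration and not taken from The League's code: the server mints the bearer token only after a correct OTP, so a client-chosen value never authenticates. The class name, in-memory stores, OTP lifetime and attempt limit are all assumptions.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed OTP lifetime
MAX_OTP_ATTEMPTS = 5    # assumed guess limit per issued OTP


class LoginService:
    """Hypothetical server-side login flow with in-memory state."""

    def __init__(self, send_sms):
        self._send_sms = send_sms  # callable(phone, otp) supplied by the caller
        self._pending = {}         # phone -> [otp, expires_at, attempts_left]
        self._sessions = {}        # server-generated bearer token -> phone

    def request_otp(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"
        expires_at = time.monotonic() + OTP_TTL_SECONDS
        self._pending[phone] = [otp, expires_at, MAX_OTP_ATTEMPTS]
        self._send_sms(phone, otp)

    def verify_otp(self, phone, submitted_otp):
        """Return a fresh bearer token on success, None otherwise."""
        entry = self._pending.get(phone)
        if entry is None:
            return None
        otp, expires_at, attempts_left = entry
        if time.monotonic() > expires_at or attempts_left <= 0:
            del self._pending[phone]   # expired or guess budget used up
            return None
        entry[2] -= 1
        if not hmac.compare_digest(otp.encode(), submitted_otp.encode()):
            return None
        del self._pending[phone]       # an OTP is single use
        # The token comes from the server's CSPRNG, never from the client.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = phone
        return token

    def authenticate(self, bearer):
        """Only tokens this server issued map to an account."""
        return self._sessions.get(bearer)
```
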

Phone number leak through an unauthenticated API

In The League there is an unauthenticated API that accepts a phone number as a query parameter. The API leaks information in the HTTP response code. When the phone number is registered, it returns 200 OK, but when the number is not registered, it returns 418 I’m a teapot. It could be abused in a few ways, e.g. mapping all the numbers under an area code to see who is on The League and who is not. Or it can lead to potential embarrassment when your coworker finds out you are on the app.

This has since been fixed when the bug was reported to the vendor. Now the API simply returns 200 for all requests.
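A regression check for this class of bug, added here as an example and not part of the original post or The League's code: it compares the full response for a known-registered and a known-unregistered number and reports every field that tells them apart. The handlers, the `Response` type and the phone numbers are constructed; `lookup_half_fixed` is a hypothetical incomplete fix, included to show that a uniform status code alone is not enough.

```python
from dataclasses import dataclass, field

REGISTERED = {"+15555550100"}  # constructed sample data


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def lookup_leaky(phone):
    """Pre-fix behaviour described in the post: the status code is the oracle."""
    if phone in REGISTERED:
        return Response(200, "OK")
    return Response(418, "I'm a teapot")


def lookup_half_fixed(phone):
    """Hypothetical incomplete fix: same status, but the body still differs."""
    exists = str(phone in REGISTERED).lower()
    return Response(200, '{"exists": %s}' % exists)


def lookup_fixed(phone):
    """Post-fix behaviour: the same response whether or not the number exists."""
    return Response(200, "OK")


def distinguishing_fields(handler, registered, unregistered):
    """Return the response fields that differ between the two probes.

    An empty list means the response itself gives no registration oracle.
    """
    a, b = handler(registered), handler(unregistered)
    return [name for name in ("status", "body", "headers")
            if getattr(a, name) != getattr(b, name)]
```
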

LinkedIn job details

The League integrates with LinkedIn to show a user’s employer and job title on their profile. Sometimes it goes a bit overboard gathering information. The profile API returns detailed job position information scraped from LinkedIn, like the start year, end year, etc.

While the app does ask user permission to read the LinkedIn profile, the user probably does not expect the detailed position information to be included in their profile for everyone else to view. I do not think that kind of information is necessary for the app to function, and it can probably be excluded from profile data.