All these bugs and leaks, Hoang says, likely aren't limited to gay dating apps.The location tracking attack in particular would seem to work with any app that lists users' locations in order of proximity.If Grindr or a similar app tells you how far away someone is—even if it doesn’t tell you in which direction—you can determine their exact location by combining the distance measurement from three points surrounding them, as shown in the the image at right.In late 2014, Grindr responded to security researchers who pointed out that risk by offering an option to turn off the app’s distance-measuring feature, and disabling it by default in countries known to have “a history of violence against the gay community,” like Russia, Egypt, Saudi Arabia and Sudan.Grindr's competitors Hornet and Jack'd offer differing degrees of privacy options, but neither is immune from the Kyoto researchers' tricks.Hornet claims to obscure your location, and told the Kyoto researchers that it had implemented new protections to prevent their attack.
That added degree of invasion means that even particularly privacy-oriented gay daters—which could include anyone who perhaps hasn't come out publicly as LGBT or who lives in a repressive, homophobic regime—can be unwittingly targeted.(Most Grindr users do show their faces, but not their name.) But even then, Hoang points out that continually tracking someone's location can often reveal their identity based on their address or workplace.Even beyond location leaks, the Kyoto researchers found other security problems in the apps, too.But after a slightly longer hunting process, Hoang was still able to identify my location.And Jack'd, despite claims to "fuzz" its users' locations, allowed Hoang to find me using the older simple trilateration attack, without even the need to spoof dummy accounts.(That's the simpler but slightly less efficient method Hoang used to pinpoint my location.)To respond to Grindr's obscuring of the exact distance between some users, the Kyoto researchers' used a "colluding" trilateration attack.