Chinese Tinder clone Tantan is endangering young women and men by failing to use encryption and exposing private data like that made public in the Ashley Madison hack.
China is well ahead of the curve when it comes to social acceptance of meeting people online. Conditioned by three decades of incredibly fast-paced social change, normal, everyday folks have been making friends and meeting future spouses online since the early days of QQ.
Dating apps are particularly interesting from an information security perspective because of the sensitivity of the information they protect. Publicly broadcasting your latest love adventures can get you in trouble with friends and family.
Behavior changes when using dating apps. Offered the possibility of meeting a cute new boy or girl, people who otherwise care about their privacy or the security of their online accounts throw their good sense to the wind. Early this year, a new player called Tantan arrived on the Chinese dating app scene.
A friend, who will remain nameless, excitedly told me about the app and the cute people that were on it. I had to check it out, I was told. Tantan is essentially a Tinder clone. On the surface, the iPhone app seems to be smoother and more refined than the app it copies.
Unlike Tinder, which uses Facebook to log in, Tantan asks you for a phone number to verify you and then has you select a password. As part of the on-boarding process, it asks for the usual social network profile information and asks for permission to use your location so that it can find people to match you with nearby.
Later, I would find out that I was very glad I made that decision. I was impressed by how well Tantan functioned compared to Tinder. It was smoother and more user-friendly. Also happily missing was the poor user experience of jumping between apps that comes from Tinder being built on Facebook. The nearest users seemed to be in Shenzhen.
After playing around with the app for a few minutes, I decided to investigate if the beauty of the app was for real or only skin deep. The console log is a scrolling window of text - think of it as a Twitter feed for the apps running on your phone.
It lets you know what your phone and the apps on it are doing and helps you track down and fix software bugs. However, professionally written apps usually turn off many of these messages when they submit their app to the App Store for performance reasons and to prevent possibly sensitive information from ending up in logs and potentially escaping the device.
The list of the words is written in a code called Unicode which makes it very easy to look up. Quartz deciphered them for you! Only platonic or marriage-bound relationships to see here. Looking up bad words is fun and all, but there were better, more exciting things to see.
Scrolling on, I saw the names and addresses of their servers and information about the requests the app was making flashing by. It seemed strange that an app that appeared so well-written on the surface would be so sloppy underneath. Next up, I decided to see what sort of information the app was sending and how well it was protected. I could see the password I had just entered, my phone number and all the people I was being matched with.
And if I could read it, that means any number of other people could as well.
My next step was to fire up Wireshark to get a better view of what was happening. Seeing all this nicely structured information flowing back and forth piqued my interest in learning more about just what types of data Tantan was collecting from its users and then leaking to the world.
The first thing I noticed was they stored a fixed password in the app that the app must provide to its server before the app is even allowed to connect to sign up a new user or log in an existing user. This password, or shared secret, is static and stored in every copy of Tantan downloaded from the App Store.
Next, I went through the process of creating a new user. Tantan asked me to share my country and phone number before it sent me a code by text message allowing me to continue.
All of this information was sent in cleartext, unencrypted, across the Internet. During the sign up process, after creating an account, new users are prompted to share their contacts with Tantan. Tantan promises to hide you from the people in your contacts list. One imagines this is to avoid the potential, umm, social awkwardness, of showing up as a potential match to a coworker, ex-boyfriend or current wife.
Think Ashley Madison meets Tinder.
Boy, was I glad that I made that decision when I found out that sharing your contact book with Tantan results in the personal details of all the people stored in your phone flying around the Internet for all to see. By continuing to look at the unprotected data Tantan is sending us with tcpdump, we can see that the service sends our phone several possible matches with request.
With each potential match comes a lot of fun data about the user. And since our connection is not encrypted, so can anyone else!
When you first download Tantan, the app asks for permission to track your location. This is because it matches you with people who are nearby. But what does this really mean? What does it do with your location? But still…it probably just asks for your location once in a while?
Headers are named as such because they are at the very top, or head, of the request. In Tantan, your location is sent via a header in each request called Geolocation.
As you can see, our latitude and longitude are sent along with a number indicating how certain your phone is of the location. For example, someone using Tantan on an iPhone in Shenzhen might send the Geolocation header geo: Since the connection is unencrypted, we or anyone on the Internet between our phone and Tantan can change our location.
This is useful as a way to meet people in other places. In fact, Tinder actually sells this ability as a premium feature on its service. While spoofing your location to meet people in another location is fun, it is also useful for less noble pursuits. You can use it to find the location of and track anyone that matches with you. Remember how I showed you earlier how matches also include a number that tells us how far the match is from our current location?
You can use that information, location spoofing, and some basic high school math to pinpoint the location of your Romeo or Juliet.
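A tester reviewing an app for the leaks described above (credentials, phone number, contacts and the Geolocation header in unencrypted requests) can run a check like this over requests recovered from a capture of their own device's traffic. This is an added example, not code from the original article or from Tantan; the body key names, the geo URI value format and the sample request are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl

# Assumptions for illustration: key names are hypothetical, and the header value
# is taken to be an RFC 5870 style geo URI: geo:<lat>,<lon>;u=<uncertainty>.
SENSITIVE_KEYS = {"password", "mobile", "phone", "contacts"}
GEO_URI = re.compile(r"geo:-?\d+(\.\d+)?,-?\d+(\.\d+)?(;u=\d+(\.\d+)?)?$")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (headers dict, body string)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def key_paths(obj, prefix=""):
    """Yield (path, key) for every key in decoded JSON, descending into lists."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield prefix + key, key.lower()
            yield from key_paths(value, prefix + key + ".")
    elif isinstance(obj, list):
        for item in obj:
            yield from key_paths(item, prefix.rstrip(".") + "[].")

def audit(raw):
    """List the sensitive items an on-path observer can read in one request."""
    headers, body = parse_request(raw)
    found = ["header:geolocation"] if GEO_URI.match(headers.get("geolocation", "")) else []
    if "json" in headers.get("content-type", ""):
        try:
            pairs = list(key_paths(json.loads(body)))
        except ValueError:  # truncated or malformed capture
            pairs = []
    else:  # treat anything else as a form-encoded body
        pairs = [(k, k.lower()) for k, _ in parse_qsl(body)]
    found += [f"body:{p}" for p, k in dict.fromkeys(pairs) if k in SENSITIVE_KEYS]
    return found

# Constructed sample request, not captured from any real service.
SAMPLE = (
    "POST /signup HTTP/1.1\r\nHost: api.example.invalid\r\n"
    "Geolocation: geo:22.5,114.0;u=65\r\nContent-Type: application/json\r\n\r\n"
    '{"mobile": "00000000000", "password": "constructed", '
    '"contacts": [{"name": "A", "phone": "1"}, {"name": "B", "phone": "2"}]}'
)
```

Any request this function can parse at all was readable on the wire, so a non-empty result is a finding in itself; the fix is transport encryption, not hiding individual fields.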