Comment: Yes, somebody can easily find your exact location on geo apps

Illustrated rainbow pride flag on a white background.

Software developer Chris Ward writes on rumours that a security breach allowed hackers to pinpoint users’ locations to clarify that the so-called “breach” is possible by exploiting the geo software itself.

PinkNews article yesterday reported that a “whistleblower” at Grindr leaked a “security breach” whereby people are able to work out your exact location.

Well, it’s not quite a “security breach”, in fact nothing of the sort. And somebody sending “unsolicited messages” to people (this is Grindr, remember) can hardly be considered a “whistleblower” in the same vain as somebody working in the higher echelons of the Grindr offices. I’ll ignore the slightly unfair comments made by some that if you use a geo-app, you’re hardly concerned about your own privacy, but I thought it’d be helpful to explain exactly how somebody can work out your location.

First, a simple rule: If you provide the distance you are from an individual, that individual can find out where you are. This isn’t “hacking”, or some sort of “breach”. So long as somebody can ascertain their distance from you at three different points, they can work out your location (within the GPS accuracy range of course) through triangulation. Retrieving those three key distance points can be done in the following ways:

1. By sending HTTP requests to the app’s web server.

This is what the above article has reported as happening. If you know exactly what the server will be expecting (and it shouldn’t be too difficult to find out if you’re a software developer) you can send a POST request updating your location and then a GET requesting the distance of the same person. You’ll need to do this three times (or two if you already have his/her distance at your current location). This system isn’t a “security breach” as PN reported, but it is simply the way the app on your device communicates with Grindr’s servers.

2. By using a location spoofer

iOS devices don’t allow you to spoof your location (at least not easily). However, Android devices do so and you can download a simple location spoofer app for free. This way you can spoof your location two times in addition to your actual location, refresh the page on the app and record the new distance from the person in question.

3. By walking to two additional points

This last method makes any attempt to deal with “abuse” quite impossible. Returning to our simple rule, if you provide your distance to anybody that can be requested at any point, you are giving a determined person your location.

What can I do to protect my location?

It seems odd that if you want to reap the benefits of geo-apps that you should want to hide your distance from somebody. However, some apps will place you in the distance-ordered photo-matrix but will allow you to hide your exact distance. If you do that, you may be able to prevent somebody finding your exact location. Of course, if the two people either side of you in the photo matrix are providing their location, it doesn’t prevent a determined person from being able to make an educated guess as to the vicinity.

In hostile areas, you may find people willing to use the app maliciously. Geo apps have revolutionised the way we meet people discreetly and have in many ways helped those in less gay-friendly areas meet those who are like-minded, but of course there is always a risk. You can help mitigate that with how you conduct yourself on the app and who you meet up with, e.g. make sure you meet up in a public place first. The answer is simple. If you don’t want somebody to know your location, don’t provide your distance or don’t use geo apps at all.

This blog first appeared on Chris Ward’s website.