Read his email and my response. Chinese Tinder clone Tantan is endangering young women and men by failing to use encryption and exposing private data like the data exposed in the Ashley Madison hack. China is well ahead of the curve when it comes to social acceptance of meeting people online.
Conditioned by three decades of incredibly fast-paced social change, normal, everyday folks have been making friends and meeting future spouses online since the early days of QQ.
Dating apps are particularly interesting from an information security perspective because of the sensitivity of the behavior they protect.
Publicly broadcasting your latest love adventures can get you in trouble with friends and family. Behavior changes when using dating apps.
Offered the possibility of meeting a cute new boy or girl, people who otherwise care about their privacy or the security of their online accounts throw their good sense to the wind. Early this year, a new player arrived on the Chinese dating app scene called Tantan. A friend, who will remain nameless, excitedly told me about the app and the cute people that were on it.
I had to check it out, I was told. Tantan is essentially a Tinder clone. On the surface, the iPhone app seems to be smoother and more refined than the app it copies.
Unlike Tinder, which uses Facebook to log in, Tantan asks you for a phone number to verify you and then has you select a password.
As part of the on-boarding process, it asks for the usual social network profile information and asks for permission to use your location so that it can find people to match you with nearby. Later, I would find out that I was very glad I made that decision. I was impressed by how well Tantan functioned compared to Tinder.
It was smoother and more user-friendly. Also missing was the poor user experience of jumping between apps that comes from Tinder being built on Facebook. The nearest users seemed to be in Shenzhen. After playing around with the app for a few minutes, I decided to investigate whether the beauty of the app was for real or only skin deep.
The console log is a scrolling window of text - think of it as a Twitter feed for the apps running on your phone. It lets you know what your phone and the apps on it are doing and helps you track down and fix software bugs. However, professionally written apps usually turn off many of these messages when they submit their app to the App Store, both for performance reasons and to prevent possibly sensitive information from ending up in logs and potentially escaping the device.
The list of words is encoded in Unicode, which makes it very easy to look up. Quartz deciphered them for you!
Only platonic or marriage-bound relationships to see here. Looking up bad words is fun and all, but there were better, more exciting things to see. Scrolling on, I saw the names and addresses of their servers and information about the requests the app was making flashing by. It seemed strange that an app that appeared so well-written on the surface would be so sloppy behind the scenes.
Next up, I decided to see what sort of information the app was sending and how well it was protected. I could see the password I had just entered, my phone number and all the people I was being matched with. And if I could read it, that means any number of other people could as well. My next step was to fire up Wireshark to get a better view of what was happening. Seeing all this nicely structured information flowing back and forth piqued my interest in learning more about just what types of data Tantan was collecting from its users and then leaking to the world.
The first thing I noticed was that the app stores a fixed password which it must present to the server before it is even allowed to connect to sign up a new user or log in an existing one.
This password, or shared secret, is static and stored in every copy of Tantan downloaded from the App Store.
Next, I went through the process of creating a new user.
Tantan asked me to share my country and phone number before it sent me a code by text message allowing me to continue. All of this information was sent in cleartext, unencrypted, across the Internet.
During the sign up process, after creating an account, new users are prompted to share their contacts with Tantan. Tantan promises to hide you from the people in your contacts list.
One imagines this is to avoid the potential, umm, social awkwardness of showing up as a potential match to a coworker, ex-boyfriend or current wife. Think Ashley Madison meets Tinder. Boy was I glad that I made that decision when I found out that sharing your contact book with Tantan results in the details of all the people stored in your phone flying around the Internet for all to see.
By continuing to look at the unprotected data Tantan is sending us with tcpdump, we can see that the service sends our phone several possible matches with each request. With each potential match comes a lot of fun data about the user. And since our connection is not encrypted, so can anyone else! When you first download Tantan, the app asks for permission to track your location. This is because it matches you with people who are nearby.
But what does this really mean? What does it do with your location? But still…it probably just asks for your location once in a while? Headers are named as such because they are at the very top, or head, of the request.
In Tantan, your location is sent via a header in each request called Geolocation. As you can see, your latitude and longitude are sent along with a number indicating how certain of the location your phone is.
For example, someone using Tantan on an iPhone in Shenzhen might send the Geolocation header geo: Since the connection is unencrypted, we or anyone on the Internet between our phone and Tantan can change our location. This is useful as a way to meet people in other places. In fact, Tinder actually sells this ability as a premium feature on its service. While spoofing your location to meet people in another location is fun, it is also useful for less noble pursuits.
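The post captures cleartext requests by hand in Wireshark. The script below is an added example, not code from the original post, of the same check done programmatically: it parses a raw HTTP request and lists what a passive observer on the path learns when the request is not carried over TLS. The sample request is constructed, and the `geo:<lat>,<lon>;u=<metres>` layout of the Geolocation header is an assumption modelled on the RFC 5870 geo URI; the post only shows that the header carries latitude, longitude and a certainty number.

```python
"""Audit a captured plaintext HTTP request for sensitive data.

Added example, not code from the original post. Assumes the capture has
already been exported as raw request text plus the destination port, and
that the Geolocation header uses the RFC 5870 geo URI form
'geo:<lat>,<lon>;u=<uncertainty metres>' (an assumption about the format).
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Headers and JSON fields that should never travel unencrypted.
SENSITIVE_HEADERS = {"geolocation", "authorization", "cookie"}
SENSITIVE_FIELDS = {"password", "phone", "contacts", "token"}

GEO_RE = re.compile(
    r"^geo:(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?)(?:;u=(\d+(?:\.\d+)?))?$"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_geo(value: str) -> Optional[Tuple[float, float, Optional[float]]]:
    """Return (lat, lon, uncertainty_m) or None if malformed or out of range."""
    m = GEO_RE.match(value)
    if not m:
        return None
    lat, lon = float(m.group(1)), float(m.group(2))
    unc = float(m.group(3)) if m.group(3) else None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon, unc


def audit(raw: str, port: int) -> List[str]:
    """List what a passive observer learns from this request.

    Port 443 is treated as TLS-protected and yields no findings; anything
    else is treated as cleartext, as in the post's capture.
    """
    if port == 443:
        return []
    _method, _path, headers, body = parse_request(raw)
    findings: List[str] = []
    for name in sorted(headers):
        if name not in SENSITIVE_HEADERS:
            continue
        if name == "geolocation":
            geo = parse_geo(headers[name])
            if geo is None:
                findings.append("geolocation header present but malformed")
            else:
                lat, lon, unc = geo
                acc = f" (+/-{unc:g} m)" if unc is not None else ""
                findings.append(f"location {lat},{lon}{acc} exposed")
        else:
            findings.append(f"{name} header exposed")
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    if isinstance(payload, dict):
        for key in sorted(payload):
            if key in SENSITIVE_FIELDS:
                findings.append(f"field '{key}' exposed in body")
    return findings


# Constructed sample modelled on the sign-up request described in the post;
# host, coordinates, phone number and password are all made up.
SAMPLE_REQUEST = (
    "POST /signup HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "Geolocation: geo:22.5431,114.0579;u=65\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"phone": "+86 138 0000 0000", "password": "hunter2"}'
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUEST, 80):
        print(finding)
```

Run against a real capture, every line the audit prints is something the app should only ever send inside a TLS session; an empty list for port 80 traffic, not a switch to port 443 alone, is what you want to see, since the same request over TLS to a server without certificate validation is still interceptable.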
You can use it to find the location of and track anyone that matches with you.
Remember how I showed you earlier that matches also include a number that tells us how far the match is from our current location? You can use that information, location spoofing, and some basic high school math to pinpoint the location of your Romeo or Juliet. You simply need to take note of how far Juliet is from you at three different places and calculate her location.
This makes Tantan incredibly handy if you want to show up outside her balcony in the middle of the night…creepy might be a better word. I reached out to the company via both email and Weibo to get in touch with someone to whom I could report these security and privacy problems.
I only decided to publish this post after no indication from the company that they either acknowledged the problem or plan to fix it. Destroying your own business through your irresponsibility is your problem. Destroying the lives of your unsuspecting and trusting users is both immoral and unethical.
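The "basic high school math" is trilateration: three distance readings taken from three known positions intersect at one point. The script below is an added example, not code from the original post, that carries the calculation through on constructed numbers and then goes a step further than the post to compare two server-side mitigations: rounding the reported distance, and snapping the stored location to a grid before any distance is computed. It works in a local flat approximation with positions in metres, so real latitude and longitude would have to be projected first; that, the observer positions and the target are all assumptions.

```python
"""Trilateration from three distance readings, and what coarsening does to it.

Added example, not code from the original post. Positions are (x, y) in
metres on a local plane (an assumption; project lat/lon first).
"""
import math
from typing import List, Tuple

Point = Tuple[float, float]


def distance(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def trilaterate(obs: List[Point], dists: List[float]) -> Point:
    """Return the point whose distances to obs[0..2] are dists[0..2].

    Subtracting the circle equations pairwise cancels the quadratic terms,
    leaving two linear equations that Cramer's rule solves directly.
    """
    (x1, y1), (x2, y2), (x3, y3) = obs
    d1, d2, d3 = dists
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("observer positions are collinear; no unique fix")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def round_distance(d: float, step: float) -> float:
    """Mitigation A: report the distance rounded to the nearest `step` metres."""
    return round(d / step) * step


def snap_to_grid(p: Point, cell: float) -> Point:
    """Mitigation B: keep only the centre of the `cell`-metre grid square the
    user is in, so every distance the server reports derives from that centre."""
    return (
        math.floor(p[0] / cell) * cell + cell / 2,
        math.floor(p[1] / cell) * cell + cell / 2,
    )


# Constructed scenario: three spoofed observer positions and one target.
OBSERVERS: List[Point] = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
TARGET: Point = (300.0, 400.0)


def fix_error(reported: List[float], target: Point = TARGET,
              observers: List[Point] = OBSERVERS) -> float:
    """Metres between the true target and the position recovered from `reported`."""
    return distance(trilaterate(observers, reported), target)


def demo() -> dict:
    exact = [distance(o, TARGET) for o in OBSERVERS]
    rounded = [round_distance(d, 100) for d in exact]
    snapped = [distance(o, snap_to_grid(TARGET, 1000)) for o in OBSERVERS]
    return {
        "exact_error_m": fix_error(exact),          # ~0: precise distances pinpoint the user
        "rounded_100m_error_m": fix_error(rounded), # ~21 m: rounding alone barely helps
        "grid_1km_error_m": fix_error(snapped),     # ~224 m, bounded by the cell size
    }


if __name__ == "__main__":
    for name, metres in demo().items():
        print(f"{name}: {metres:.1f}")
```

The rounded case is the instructive one: with 100 m rounding the fix still lands about 20 m from the target in this geometry, because the rounding error averages out across three readings. Snapping the stored location to a grid bounds the error by the cell size no matter how many readings are taken, and not returning a distance at all removes the channel entirely.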
Want to talk more about how to properly use encryption?
Tweet at me or get in touch!