Dating app “Raw” accidentally rawdogs users’ location data, personal information

A dating app that announced a creepy new wearable device this week has been found to have been publicly exposing user data. The data is granular and personal, and includes users’ approximate locations.
The app, Raw, says it is committed to promoting “real and unfiltered love” through its unique user interface, which is similar to BeReal (it uses the phone’s front and rear cameras) but for dating. Raw also recently announced a weird new piece of hardware called the Raw Ring, a ring designed to let users track their lovers’ locations to make sure they aren’t cheating (that couldn’t possibly cause a problematic situation, right?). Unfortunately, it seems that Raw has also been sharing something else in an “unfiltered” way: user data.
TechCrunch reports that Raw inadvertently opened users’ personal information to public inspection because it lacked basic digital security protections. Indeed, until this week, anyone with a web browser could access detailed information about the app’s users, including their date of birth, display name, sexual preferences, and fairly specific “street-level” location data.
TechCrunch said it found the security flaw during brief testing of the company’s app. After downloading Raw onto a virtualized Android device, a TC staffer used a network monitoring tool to observe the data the app transmitted. The analysis showed that personal data was not protected by any form of authentication barrier. TC said it found problems within the first “minutes” of using the app. TC also noted that while Raw claims to protect users through end-to-end encryption, it found no evidence that E2EE was in place. They broke down the security vulnerability like this:
When we first loaded the app, we found that it pulled the user’s profile information directly from the company’s server, but the server did not use any authentication to protect the returned data. In practice, this means that anyone can access the private information of any other user by using a web browser to access the URL of the exposed server –
api.raw.app/users/
followed by a unique 11-digit number corresponding to another app user. Changing the number to correspond to the 11-digit identifier of any other user returns private information from that user’s profile (including their location data). This vulnerability is called an insecure direct object reference, a bug that allows someone to access or modify data on someone else’s server because of a lack of proper security checks on the user accessing the data.
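The missing check described above, next to one way of adding it, as an added example that comes from neither TechCrunch, Gizmodo nor Raw. The profile store, session tokens, field names and sample records are constructed for illustration and do not reflect Raw's actual server code.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Profile:
    user_id: str        # 11-digit identifier, as in the article
    display_name: str
    date_of_birth: str
    location: tuple     # (latitude, longitude)

# Constructed sample records and sessions (assumptions, not real data).
PROFILES = {p.user_id: p for p in (
    Profile("10000000001", "alex", "1994-02-11", (40.7411, -73.9897)),
    Profile("10000000002", "sam", "1990-07-30", (51.5136, -0.1365)),
)}
SESSIONS = {"token-alex": "10000000001"}  # session token -> authenticated user id
PUBLIC_FIELDS = {"user_id", "display_name"}  # what other users may see

class Denied(Exception):
    """Carries the HTTP status the handler would return."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status

def get_profile_vulnerable(requested_id):
    # Insecure direct object reference: the id in the URL is the only input,
    # so whoever supplies an id receives the whole record.
    return asdict(PROFILES[requested_id])

def get_profile(session_token, requested_id):
    # 1. Authenticate: the caller must present a valid session.
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        raise Denied(401)
    profile = PROFILES.get(requested_id)
    if profile is None:
        raise Denied(404)
    record = asdict(profile)
    # 2. Authorize per object: only the owner gets the full record.
    if caller_id == requested_id:
        return record
    # 3. Minimize per field: other users never receive birth date or location.
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}
```

Making the identifier longer or random does not replace steps 1 to 3: the server still has to decide, on every request, who is asking and what that caller may see.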
Gizmodo contacted Raw for more information. As of Wednesday, the security issues had been patched, according to a statement given to TechCrunch. Marina Anderson, co-founder of the Raw dating app, told the outlet, “All previously exposed endpoints have been protected and we have implemented additional safeguards to prevent similar issues.”
It is not uncommon for companies to have poor security for user data. Strange as it sounds, security is not a particularly huge priority in the software industry. It can be time-consuming and expensive, and it can slow down other parts of production, so many companies don’t worry about it at all. But for dating apps (a business dedicated to handling users’ most intimate (literally) and sensitive data), it is obviously worth taking more time to lock things down. As they say: wrap it up before tapping.