A pair of hands holding up a smartphone with the Grindr app icon on the screen.

Photos on the gay dating app Grindr are by no means private

Update (): You can download Grindr high-resolution photos from profiles and messages by accessing the service through the web browser on your computer. Just visit web.grindr.com.

Update (): The topic in this article has been mitigated by Grindr migrating to using encrypted connections and disabling the developer console logging method mentioned here. The original article remains unchanged.

Using network interception or just traffic logging, an attacker, state, or your employer can look over your shoulder at the images that pop up inside the popular “nearby gay man finder” app. The profile photos on the gay dating app reveal more data than one might think.

Grindr presents its nearby users who are also using the app at the same time as a grid view of profile photos. These profile images are requested from Grindr’s server in the order of proximity to the user.

As the local user is always the nearest, the user’s own profile photo is always downloaded first when the app launches; thus revealing the user’s face and appearance. Immediately followed by the picture of every other user who has the app open at the same time in the local area.

As the order of the requested images implies distance, it’s possible to triangulate the user’s rough physical location if you know where one or more of the men are physically located. All of this is, of course, more easily accomplished by simply registering an account with the app and opening it like a normal user.

On a small scale like a corporate, café, or airport network, this can be used to reveal any gay man nearby. On a wider scale, like say for example a nation-state that’s unfriendly to gay individuals like Russia or Egypt — who to varying degrees also have state-run Internet service provider monopolies — this can be used to profile and identify every user of the app.

Ever wondered how the government built a list over the gay people in England in the 2005 dystopian thriller “V for Vendetta”? The approach outlined above would be the most effective means for gathering such a list (mobile cell tower geo-triangulation location data, IP addresses, and access times would be available to a nefarious state actor).

The app also reveals which other users the user finds the most interesting. Clicking-through to another users’ profile will send a slightly different formatted request for a larger version of the profile picture. A user might want to keep his exact preferences in men to themselves, but Grindr is leaking that information to anyone with network capturing abilities.

Below are some examples of unencrypted data downloaded by the Grindr app that can be captured on the local network or as it passes through the wider Internet. Each of the URLs refers to an image that can is opened by anyone who intercepts the addresses/images:

http://cdns.grindr.com/images/thumb/<width>x<height>/<unique-id>
http://cdns.grindr.com/images/profile/<width>x<height>/<unique-id>
http://cdns.grindr.com/grindr/chat/<unique-id>

Intercepting these addresses on a network would also imply that the user’s IP address was available for capture at the same time. This is just the kind of in-the-clear communication that can be intercepted and help explain the below quote from Edward Snowden on the US government’s data collection capabilities.

Anyone who wants to save copies of private photos can also do so by connecting their phones to their PCs using the Android debugger (ADB). Grindr prints the URL to all photos accessed through the app to the developer log console (adb logcat).

The good news is there’s no program named The Dick Pic Program. The bad news is they’re still collecting everybody’s information including your dick pics.

Former NSA contractor Eward Snowden

Another interesting thing I observed is that photos users exchange in private chats aren’t deleted from Grindr’s servers even after being deleted from both the sender and recipient’s accounts. These privately exchanged images — ehm, dick pics — are also of the sort users would most care about being stolen. During my three-month testing period, I found that images that were deleted were still publicly accessible using the same image URLs three months after deletion.

Grindr will retain Profile Information and Instant Messages in the Grindr App or on the servers for the Grindr Service, for as long as needed to provide the Grindr Service and to comply with our legal obligations, resolve disputes and enforce our agreements.

Grindr’s vague privacy policy.

Here are some simple steps Grindr needs to take to improve security and preserve their users’ privacy:

  • Actually delete old photos or at least make them unavailable online
  • Enable HTTPS encryption on their imaging server
  • Stop using static and never changing URLs for images
  • Add some randomness to the fetch order for images instead of always loading nearest people first

Grindr’s image server (cdns.grindr.com) is provided by the content delivery network Akamai Technologies, Inc. When asked, Akamai was completely uninterested in divulging any price information regarding how much it would cost to update from HTTP to HTTPS for a static image resource service like the one Grindr uses. It probably wouldn’t be cheap, but then choosing the cheap alternative isn’t a priority when choosing services from Akamai.

Grindr stores the images in an app-sandboxed folder on Android and iOS. This means you can’t find the pictures saved by the app on your phone. However, you can use the above method to save pictures from the app. You can also ask the sender to send you photos using another app that allows saving images directly.

Tested on Grindr for Android version 2.2.8 and Grindr for iOS version 2.2.4 between 2015-05-24 and 2015-09-08. Grindr LLC, didn’t respond to requests for comments.