
So I reverse engineered two dating apps - libertylocked
https://push32.com/post/dating-app-fail/
======
Melting_Harps
This reminds me of a recent NPR story-telling guest from a PhD student at UCLA
who hacked one of the major dating apps (match or eharmony?) matching
algorithm and he was going into detail of his exploits; he used the Lab to run
tons of simulations of desirable answers to the profile questions to garner
the attention of women in his surrounding area and on the site
internationally.

In the process revealing how erroneously so many put stock in matching via a
system with a very clearly vulnerable system (compatibility rating algorithm)
and went out of his way to optimize the system further with less than
desirable results: he was the most desired Male profile and was going out on
several dates a day and rejecting women he'd have coffee dates with in more
and more absurd ways as he got more and more requests.

It was really funny, albeit cautionary, and I only caught like 65% of it, so
if anyone finds it can you post it here?

Jack Dorsey's recent interview on the AI podcast hinted at how perilous this
could be, too. The 'why' part of Machine learning/data Science/AI has to be
just as tightly examined as the optimization development when deployed into
Society.

~~~
lordgrenville
Probably this? [https://themoth.org/stories/data-mining-for-dates](https://themoth.org/stories/data-mining-for-dates)

And here's an article [https://www.wired.com/2014/01/how-to-hack-okcupid/](https://www.wired.com/2014/01/how-to-hack-okcupid/)

~~~
croissants
Not to throw this into standard male internet complaining about dating, but
it's funny that the Wired article waits until almost the end to mention that
the dude is over six feet tall with blue eyes (and per the photo at the
beginning, not bad-looking!). I wonder if this kind of gaming would have
worked if he wasn't already in a highly desired male demographic. It's
possible that just _being noticed_ is a big marginal benefit when you're
already in that demographic.

~~~
globular-toast
Of course it wouldn't. Why would women suddenly find a man attractive just
because some app brings up a match? The matching algorithms are not there to
show you who you find attractive, they are there to filter out the 95% (for
women), or 50% (for men) of people you definitely don't find attractive.

~~~
ses1984
If 95% of women reject your profile, would you get more matches if your
profile was in front of 10 women or 10,000?

~~~
MagnumOpus
Generally it’s not 95% of women rejecting a given profile, but all women (or
near enough to make no difference) rejecting mostly the same 95% of profiles
and not rejecting the rest.

I.e. boosting visibility probably brings proportionate benefits to the most
desirable men, but little additional benefit to the ugly/short/older guy.

~~~
whatshisface
Source? With 51.5% of American men presently married I have a hard time
believing 95% of men are consistently rejected by every woman!

~~~
Izkata
It's probably a misremembering of actual findings:

At least on OKCupid, women rate 80% of men as below-average attractiveness,
while men rate women at right about 50% as below-average and 50% as above-
average [0].

OKCupid has since deleted the post with their findings [1], but references to
it still exist all over, as does an archived copy [2].

[0] [https://techcrunch.com/2009/11/18/okcupid-inbox-attractive/](https://techcrunch.com/2009/11/18/okcupid-inbox-attractive/)

[1] [https://theblog.okcupid.com/your-looks-and-your-inbox-8715c0...](https://theblog.okcupid.com/your-looks-and-your-inbox-8715c0f1561e)

[2] [http://web.archive.org/web/20100324074028/http://blog.okcupi...](http://web.archive.org/web/20100324074028/http://blog.okcupid.com/index.php/2009/11/17/your-looks-and-online-dating/)

~~~
dorgo
Maybe men just answer the question more literally and find the real average
(50%). Women understand the question more figuratively. Below average is what
they don't like, and they don't like 80% of men.

Why even ask for above/below average ratings? What people like/don't like is
more interesting.

~~~
closeparen
Maybe the most attractive men in the population aren't on dating apps.

------
thdrdt
Leaking data is one of the issues with all those CRUD framework tutorials.

It is nice marketing: look how easy it is to output entities with our
framework!

The problem is: you almost never want to output complete entities. You want to
output data based on the user's role/rights and on the context. I wish
frameworks would put more focus on this.

~~~
silviogutierrez
This is a major problem with REST / API / SPA-based applications. When you
build around the concept of resources, you either get lazy or forget to build
individual endpoints for each object.

That is, it's not just "/api/people/" that shows everything. You'd need:
"/api/people/matched/" with a few fields, and "/api/people/before-match/" etc.
One end point _per_ use case. Almost like one endpoint per... screen.

Suddenly, the old school MVC starts to make more sense. Your view dictates
what data you need only for _that_ view. Across resources. And it factors in
entitlements. Often, people think this means no AJAX or SPA. That's not quite
right, they are orthogonal.

What you really want is a data-on-the-wire protocol but with RPC calls that
are still domain based rather than resource based. Everything should be its
own endpoint. Django Forms and Formsets, and the Rails and Laravel equivalents
are much closer to this than REST (even if they can be RESTful themselves).
Think "UpdateProfile" instead of "UserResource". The UpdateProfile may have a
lot more fields, some which don't even belong on the User database table.

Lot of rambling here, but I've been meaning to consolidate this in a blog
post.

Some related thoughts here:
[https://news.ycombinator.com/item?id=21875331](https://news.ycombinator.com/item?id=21875331)
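As an added illustration of the point made in the two comments above (one projection per use case instead of dumping the entity), here is a small Python sketch. It is not code from the post or from either app; the Profile fields, view names, sample data and the is_matched callback are constructed for the example.

```python
# Added example, not code from the post or the thread: one explicit projection
# per screen instead of dumping the whole entity. The Profile fields, view names
# and the sample data are constructed for illustration.
from dataclasses import asdict, dataclass
from typing import Any, Callable, Dict, Tuple


@dataclass
class Profile:
    id: str
    display_name: str
    age: int
    bio: str
    photo_url: str
    phone: str          # must never reach another user
    email: str
    last_seen_ip: str   # operational data, not profile data
    distance_km: float  # derived; the product shows it only after a match


def dump_entity(profile: Profile) -> Dict[str, Any]:
    """The tutorial version: the whole row goes out, phone and IP included."""
    return asdict(profile)


# Allow-lists keyed by use case ("one endpoint per screen"). Anything not
# listed here does not exist as far as that screen is concerned.
VIEWS: Dict[str, Tuple[str, ...]] = {
    "before_match": ("id", "display_name", "age", "bio", "photo_url"),
    "matched": ("id", "display_name", "age", "bio", "photo_url", "distance_km"),
    "self": ("id", "display_name", "age", "bio", "photo_url", "phone", "email"),
}


def serialize(profile: Profile, view: str) -> Dict[str, Any]:
    """Project the entity onto the fields this view is entitled to.
    An unknown view raises instead of falling back to 'everything'."""
    try:
        fields = VIEWS[view]
    except KeyError:
        raise ValueError(f"no serializer for view {view!r}") from None
    return {name: getattr(profile, name) for name in fields}


def view_for(viewer_id: str, profile: Profile,
             is_matched: Callable[[str, str], bool]) -> str:
    """The entitlement decision is made server-side from the relationship
    between viewer and subject, never from a client-supplied parameter."""
    if viewer_id == profile.id:
        return "self"
    return "matched" if is_matched(viewer_id, profile.id) else "before_match"


def people_endpoint(viewer_id: str, profile: Profile,
                    is_matched: Callable[[str, str], bool]) -> Dict[str, Any]:
    """What /api/people/<id>/ would return for this viewer."""
    return serialize(profile, view_for(viewer_id, profile, is_matched))


# Constructed sample data.
SAMPLE = Profile(id="u1", display_name="Ada", age=34, bio="likes lambdas",
                 photo_url="https://cdn.example/u1.jpg", phone="+15550100",
                 email="ada@example.org", last_seen_ip="203.0.113.7",
                 distance_km=2.5)
MATCHES = {frozenset({"u1", "u2"})}


def sample_is_matched(a: str, b: str) -> bool:
    return frozenset({a, b}) in MATCHES
```

The important property is that the allow-list is the only path out: a field that is added to the table later (say, a new "last_seen_ip" column) is invisible to every screen until someone deliberately adds it to a view, which is the opposite default from asdict().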

~~~
derangedHorse
I agree with you up to the point of RPC calls. In general it doesn't matter
what specific technology is used, as long as each data source is structured
around the use-case and not around backend details like how entity models are
actually stored. A lot of these ideas are captured well by Robert Martin
("Uncle Bob") in his book Clean Architecture

~~~
sixdimensional
I mentioned the Onion Model above, I saw your comment about Clean
Architecture, which is a refinement of the Onion Model.

I think we might already have all the architectural solutions we need, we just
haven't put together how to express the architectures we want in the new
technologies we have.

Some combination of the onion model/clean architecture, CQRS, APIs, data
federation like GraphQL and microservices is probably how it can all go
together. I know I am mixing implementations and patterns together in this
sentence, but am just trying to express patterns and examples of things that
have pieces of those patterns implemented.

------
paultopia
The most shocking thing about this is that "the league" still exists. I had
thought that business would collapse out of sheer pretentiousness within six
months!

~~~
chengiz
Doesn't help that it brings to mind that stupid movie starring old farts, The
League of Extraordinary Gentlemen.

------
sbmthakur
> The majority of the testing is done inside a rooted Android emulator running
> Android 8 Oreo. Tests that require more capabilities are done on a real
> Android device running Lineage OS 16 (based on Android Pie), rooted with
> Magisk.

I don't have much experience with such things. Can such an analysis be done
with a non-rooted device?

~~~
Rebelgecko
It sounds like they're doing at least some reverse engineering via the Xposed
framework, which requires root. However you could probably get similar
findings by just sniffing your own network traffic.

~~~
ChadMoran
Unfortunately with modern iOS/Android you need a rooted device.

Modern iOS/Android have something called SSL Pinning. Which means if you want
to use a self-signed cert to Man in the Middle the HTTPS traffic it won't
work. So you need to patch the network stack to allow this. I have a spare
iPhone I keep rooted for this reason.

~~~
raverbashing
Do all apps use cert pinning? I think it got popular some years ago but I
remember some downsides existing

(I know things like Google Apps and such use it, but I'm not sure about less
popular ones)

~~~
dewey
In my experience only a very small percentage of the apps where I look at the
traffic using Charles Proxy have the certificates pinned. Usually it's the
stock apps from Apple that are all cert pinned.

~~~
jsjohnst
Same experience for me across a wide category of iOS and Android apps.

------
actuator
Even I wouldn't recommend generating your bearer tokens client side if they
are actually doing it, but the collision thing is a bit far fetched. Any randomly
generated UUID like UUID4 has randomness in a space of 2^122 (ignoring
predetermined bits). For practical purposes this is almost unique; you will need
to generate ~2^61 ids for a 0.5 probability of a collision happening.

~~~
sweeneyrod
I think the issue is that a hacked client could send a bad "UUID", not that
properly randomly generated tokens would collide.

~~~
actuator
What will that accomplish though? The way he described their auth APIs, you
will be able to set an auth token generated by you for an account that you
anyway have the user credentials for.
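Added example for the two points argued in this subthread (the ~2^61 birthday estimate, and a client minting its own "UUID"). This is not code from the post or either app; the storage layout and names are assumed. It shows the birthday arithmetic and a token store that only honours tokens the server itself issued, so whatever string a modified client sends is merely looked up, never registered.

```python
# Added example, not from the post. (a) the birthday arithmetic behind
# "~2^61 ids for a 0.5 collision probability" and (b) a token store that
# honours only tokens the server itself minted. Names and layout are assumed.
import hashlib
import math
import secrets
from typing import Dict, Optional


def collision_probability(n: int, bits: int = 122) -> float:
    """P(at least one collision) among n uniform random values of `bits` bits,
    using the standard approximation 1 - exp(-n(n-1) / 2N)."""
    return -math.expm1(-(n * (n - 1)) / (2 * 2 ** bits))


def ids_for_probability(p: float, bits: int = 122) -> float:
    """Inverse: how many ids until P(collision) reaches p.
    For p = 0.5 this is sqrt(2 ln 2 * N), about 1.18 * 2^(bits/2)."""
    return math.sqrt(-2.0 * (2.0 ** bits) * math.log1p(-p))


class TokenIssuer:
    """Bearer tokens are minted here with the OS CSPRNG, never accepted from the
    client. Only a SHA-256 of each token is stored, so a dump of the table does
    not yield usable tokens."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, str] = {}  # sha256(token) -> user id

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits
        self._by_hash[self._fingerprint(token)] = user_id
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Whatever the client sends is looked up, never registered."""
        return self._by_hash.get(self._fingerprint(token))

    def revoke(self, token: str) -> None:
        self._by_hash.pop(self._fingerprint(token), None)
```

Two details worth noting: the approximation gives about 0.39 at exactly 2^61 ids and reaches 0.5 at roughly 1.18 * 2^61, so "~2^61" is the right order of magnitude; and because the server stores only a hash, a random-looking token from a client hashes to a key that was never written, so the lookup fails without any special-casing.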

------
hobbescotch
Is there really any way to securely host static assets in a cloud bucket? If
you host profile images, etc... locally you can easily give or deny access to
static assets without having to obfuscate the file path. From what I read
here, the dating app was using UUIDs in the URL paths of the images to
obfuscate their identity (I’ve done this sort of thing before but afaik it’s
not considered secure?). Is it possible to set up ACLs for bucket objects
though? From my limited experience with Google Cloud Buckets, an object can be
simply public or private.

~~~
0xcoffee
In Azure at least it's possible to set the blobs to private, then generate
time limited tokens which can be appended to the URL which will grant access.

~~~
rantwasp
you can do this with s3. it’s called presigned urls
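To make the presigned-URL mechanism in this subthread concrete, here is an added example (not code from the post, and not the AWS SDK) that implements SigV4 query-string presigning for a private S3 object with the standard library, together with the check the service performs on the other side. The bucket, key, credentials and timestamps are constructed placeholders; the seven-day ceiling on X-Amz-Expires is the limit S3 enforces.

```python
# Added example, not from the post or from AWS: from-scratch SigV4 presigning
# of a GET on a private object, plus the verification the service performs.
# Credentials, bucket, key and DEMO_NOW are constructed placeholders.
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

MAX_PRESIGN_SECONDS = 7 * 24 * 3600  # S3 rejects X-Amz-Expires above seven days
DEMO_NOW = datetime(2013, 5, 24, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


def _uri_encode(s: str, keep_slash: bool = False) -> str:
    # SigV4 leaves only A-Za-z0-9-_.~ unencoded ('/' too, in paths).
    return quote(s, safe="-_.~/" if keep_slash else "-_.~")


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _sign(secret: str, host: str, key: str, params: dict, region: str):
    """Return (canonical query string, hex signature) for GET /key on host."""
    canonical_qs = "&".join(
        f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        "/" + _uri_encode(key, keep_slash=True),
        canonical_qs,
        f"host:{host}\n",    # canonical headers, followed by a blank line
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned URLs do not commit to a body
    ])
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    sig = hmac.new(_signing_key(secret, amz_date[:8], region),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    return canonical_qs, sig


def presign_get(bucket: str, key: str, access_key: str, secret: str,
                region: str, expires: int, now: datetime) -> str:
    """Issuer side: a URL that grants GET on one object for `expires` seconds."""
    if not 1 <= expires <= MAX_PRESIGN_SECONDS:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs, sig = _sign(secret, host, key, params, region)
    path = _uri_encode(key, keep_slash=True)
    return f"https://{host}/{path}?{canonical_qs}&X-Amz-Signature={sig}"


def verify_presigned_get(url: str, secret: str, now: datetime) -> bool:
    """Service side: recompute the signature over the presented parameters and
    enforce the window. Any change to path or query invalidates the URL."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        _, date, region, service, terminal = params["X-Amz-Credential"].split("/")
        issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if (service, terminal) != ("s3", "aws4_request") or date != params["X-Amz-Date"][:8]:
        return False
    if not 1 <= expires <= MAX_PRESIGN_SECONDS:
        return False
    if not issued <= now <= issued + timedelta(seconds=expires):
        return False
    _, expected = _sign(secret, parts.netloc, unquote(parts.path[1:]), params, region)
    return hmac.compare_digest(presented, expected)
```

The object stays private; what the client holds is a signature over (host, key, issue time, lifetime), so it can neither extend the window nor substitute another key without the secret. That is also why this cannot give a one-year link: the lifetime is inside the signed data and capped by the service.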

------
xwdv
How feasible is it to go from doing software development to stuff like this
for a living without a decrease in earning potential? I find reverse
engineering interesting, but never really know who exactly is paying for stuff
like this. Maybe this is more of a side gig?

~~~
f0rfun
Livelihood aside, how the heck do you go from being a dev to becoming
proficient in reverse engineering? Is this stuff all self-taught through
years of tinkering/interest before it becomes a profession?

I can already imagine the amount of technical barrier and knowledge gap one
needs to fill even before getting started..

Holy shiet. It's impressive.

~~~
nickmooney
I do a bit of reverse engineering both professionally and for fun, and the two
bits of “proper” education that have helped the most were my Hardware/Software
Interface and Intro to Operating Systems classes in undergrad.

Learning how this stuff works in the forward direction makes spotting patterns
a whole lot easier. It’s a lot easier to start RE when you’re already familiar
with stuff like calling conventions or memory layout (for example).

From there, there isn’t a ton of formal education as far as I’ve seen. I am
really fond of Smash the Stack’s IO wargame if you’re interested in CTF-style
challenges. I also spent a good bit of time compiling my own small programs
and then using them to learn the tools. When you’re starting off, RE is a lot
easier when you know what you’re looking for.

------
thehappypm
“When the phone number is registered, it returns 200 OK, but when the number
is not registered, it returns 418 I'm a teapot.”

Good reminder that fun little Easter eggs like using the bizarre 418 return
code can bite you. I’d hate to be the engineer defending that decision after
this vulnerability was discovered.
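Added example (not code from the post or the app) showing why the quoted behaviour is an enumeration oracle and what a non-leaking handler looks like. The registered numbers, candidate list, attempt budget and the client identifier used for rate limiting are all constructed for the example.

```python
# Added example, not from the post: the phone check as a membership oracle
# (200 vs 418, as quoted above) beside a handler that answers identically
# either way. Numbers, budget and the rate-limit key are constructed.
import secrets
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

REGISTERED = {"+15550100", "+15550102"}  # constructed sample of registered numbers
Response = Tuple[int, str]


def check_phone_vulnerable(number: str) -> Response:
    """Status code differs by membership, so the endpoint doubles as an oracle."""
    if number in REGISTERED:
        return 200, "OK"
    return 418, "I'm a teapot"


class VerificationEndpoint:
    """Hardened shape: same status and same body for known and unknown numbers,
    the code goes out of band (SMS) only if the number exists, and each caller
    gets a small budget of attempts."""

    def __init__(self, send_sms: Callable[[str, str], None], max_attempts: int = 5):
        self._send_sms = send_sms
        self._max = max_attempts
        self._attempts: Dict[str, int] = defaultdict(int)

    def request_code(self, number: str, client: str) -> Response:
        self._attempts[client] += 1
        if self._attempts[client] > self._max:
            return 429, "Too many requests"
        if number in REGISTERED:
            self._send_sms(number, f"{secrets.randbelow(10 ** 6):06d}")
        # Identical reply regardless of membership: status, body and length.
        return 200, "If this number is registered, a verification code was sent."


def enumerate_registered(candidates: Iterable[str],
                         probe: Callable[[str], Response]) -> List[str]:
    """What an attacker runs: keep every number whose response differs from
    the baseline response for a number that is certainly not registered."""
    baseline = probe("+10000000000")  # assumed never registered
    return [n for n in candidates if probe(n) != baseline]


CANDIDATES = [f"+155501{i:02d}" for i in range(10)]  # constructed dial range
```

Against the vulnerable check the attacker recovers the registered numbers from a dial range with one request each; against the hardened handler every probe returns the same bytes, the only side effect is an SMS the attacker does not receive, and the attempt budget bounds how far a dial range can be walked from one client. Response timing is the remaining channel; the membership test here is a set lookup, but a database query that short-circuits on a miss would need the same equalising treatment.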

------
sopromo
I have a question because recently I had to implement a way to expire static
assets and I would like to hear creative/new ideas.

For example, I have all my static assets on S3 and I want to generate a link
that will make data available for a long time (let's say 1 year) but with S3
signing you can only generate a link available for a week max.

How would you go about doing this without relying on another server?

I think this is what happened with the public bucket. They thought about how
to deliver static assets without relying on a server and the only way they
found is to make the bucket public.

~~~
jniedrauer
I actually had to solve this exact problem recently. I set up a lifecycle
policy for a known prefix in the bucket, so any item with that prefix is
deleted after N amount of time. Then, when a link is requested to a static
asset (which is stored at rest with a private ACL), it gets copied into the
prefix, with a random name and a public ACL, and the new link gets served to
the client.

So far I haven't seen any big drawbacks. It does mean storing the same objects
multiple times in S3. But S3 storage is relatively cheap unless you have a
huge amount of data. If bandwidth was ever a problem, it would be simple
enough to wrap the transient prefix in a CDN.

------
fastball
I actually got a bug bounty off of Tinder for a pretty serious issue I found
years ago.

Never made a blog post. Maybe I should.

~~~
behnamoh
Where did you report it to?

~~~
fastball
Via email.

------
xfitm3
Sounds like a quick run through burp suite

------
kootling
> I think startups could certainly offer bug bounties. It is a nice gesture,
> and more importantly, platforms like HackerOne provide researchers a legal
> path to the disclosure of vulnerabilities.

Unfortunately most startups are obsessed with growth and don't really care
about security, privacy, etc.

~~~
lquist
Unfortunately I think that is because customers and investors broadly don't
prioritize security + privacy.

~~~
sandov
And that's because users broadly don't prioritize security + privacy.

~~~
ssss11
I think users have no idea what’s involved in software development, but that
they expect any company takes care of the important things in order to bring a
product to market.. that includes security and privacy. the “users don’t care”
argument, i believe, is a cop out to make ourselves feel good.

~~~
vecter
> the “users don’t care” argument, i believe, is a cop out to make ourselves
> feel good.

Strongly disagree. It's just the simple reality that most users don't care
about security. The vast majority of potential consumers in the world don't
choose digital products based on security. I always see this security angle
touted on Hacker News, but I'm quite frankly shocked that people here don't
have the self-awareness to realize that we live in an uber-tech geek's echo
chamber.

Have you ever met an "average" Facebook user? They really, truly, do not
understand or care about security. I'm very confident that even if you sat one
down and walked them through all of the implications of what poor security
even means, they would walk away and not change their behavior whatsoever.

~~~
canada_dry
The whole "users don't care" is really ignoring consumer's cognitive
dissonance on security.

Adopting the stance that _"vast majority of potential consumers in the world
don't choose digital products based on security"_ time and time again bites
organizations in the ass when there's a breach.

~~~
MattGaiser
> time-and-time again bites organizations in the ass when there's a breach.

The bite isn't very hard though. The largest data breach of the 21st century
in terms of users was Adobe and it cost them just 2 million in legal.

The only painful data breach I can think of financially has been Equifax.
Everyone else just sent out a "reset your password" email, paid for a couple
lawyers and PR people, and went on with their companies.

Can you name a company killed by a data breach? I can't think of one.

------
canada_dry
> ...identified several misconfigured S3 buckets...

For the love of all that is holy... have your AWS, Azure, etc. cloud service
setup/config wire-brushed by a 3rd party expert before deploying!

That, or perhaps these cloud services need a _clippy_ like wizard: _"Are you
sure these files should be 777? Perhaps you want 644?"_.

~~~
csunbird
If you are using the AWS console, S3 actually asks you if you want the bucket
to be public and gives you an option to create non public buckets.

~~~
d33
Thing is, S3 ACL is pretty ugly. UX is unpleasant and testing is terrible. It
could be some accidental catch-all rule letting everyone in. I guess that the
only lesson here is to set up an automated test that verifies whether the
resource you wanted to block is actually blocked.
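One shape such an automated check can take, as an added example (not code from the post or from AWS): a static pass over a bucket policy and a bucket ACL that flags grants to everyone. The policies and ACLs below are constructed fixtures; the AllUsers/AuthenticatedUsers group URIs are the ones S3 uses for its public grantees.

```python
# Added example, not from the post: flag an S3 bucket policy or ACL that grants
# access to everyone. Fixtures are constructed; the group URIs are S3's own.
from typing import Any, Dict, List

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    # any AWS account, not just yours; treat as public
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _principal_is_wildcard(principal: Any) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements whose principal is a wildcard. A Condition block may
    narrow them (to a VPC, a referer, ...), so report it rather than trust it."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid", ""),
            "actions": _as_list(st.get("Action", [])),
            "conditional": "Condition" in st,
        })
    return findings


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """'PERMISSION@Group' for every grant to one of the public groups."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            out.append(f"{grant.get('Permission')}@{uri.rsplit('/', 1)[1]}")
    return out


def is_public(policy: Dict[str, Any], acl: Dict[str, Any]) -> bool:
    return bool(public_policy_statements(policy) or public_acl_grants(acl))


# Constructed fixtures.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::photos/*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CdnOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/cdn"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::photos/*"}]}
VPC_ONLY_POLICY = {"Statement": {
    "Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": "s3:*",
    "Resource": "arn:aws:s3:::photos/*",
    "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}}
LISTABLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc"},
               "Permission": "FULL_CONTROL"}]}
```

A static pass like this catches the catch-all rule before deployment, but it is a complement to, not a substitute for, the live test d33 describes: an anonymous GET and LIST against the bucket after every deploy, expected to come back 403. Effective access also depends on settings this check does not see (an explicit Deny elsewhere, account-level public access blocks, object-level ACLs), so the live probe is the one that settles it.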

------
xenospn
Sounds like you can greatly decrease your chances of being hacked by simply
not offering an android app.

~~~
marticode
...and restricting yourself to the 14% market share that iOS has worldwide

~~~
xenospn
These are apps that sell subscriptions for revenue. Losing Android won't be a
big loss.

