Tinder may be known primarily as a millennial hookup app but thanks to a little pressure from a 69-year-old, married Baby Boomer senator, the dating service is more secure. Tinder parent company Match Group announced this week in a letter to Oregon Democrat Ron Wyden that it will finally encrypt photos uploaded by its users.
The change, which has been in effect for a while but was made without any fanfare from Tinder itself, provides a bit more confidence for users who are worried about their privacy while not requiring any direct action. You can now rest easy that your photos will be encrypted as they are transmitted between the app and Tinder’s servers.
According to the letter spotted by The Verge sent from Jared Sine, general counsel for Match Group, Tinder actually started encrypting photos on February 4th, 2018. That change came after a number of reports that highlighted the lack of security measures taken to protect the data of Tinder users.
Back in January, researchers at Isreali security firm Checkmarx found that Tinder failed to perform basic encryption on photos. Theoretically, an attacker could perform a man-in-the-middle attack by connecting to the same Wi-Fi network as someone using Tinder and intercepting the images that came through the app. That includes images of potential matches. An attacker could even inject their own photos into the app, which could lead to some very awkward meetups when a person’s match looks nothing like their photo.
At the time, the researchers also pointed out how easy it would be for an attacker to determine exactly what a Tinder user is doing by looking at encrypted data, including how they swiped. While the data packets that contain that information were encrypted, they were transmitted at different numbers of bytes that were relatively easy to discern from one another. Per Wired, a swipe left to reject a potential make was 278 bytes, a right swipe was 374 bytes, and a match was 581 bytes.
That too has been fixed, per Match Group. In the letter addressed to Senator Wyden, the company’s counsel said that as of June 19th, 2018, swipe data and other actions have been padded so they all appear the same size when being transferred, thwarting any sort of snooping that was previously possible.
Wyden, a regular advocate of better security practices, hounded Tinder to make the changes back in February. He noted in a letter sent to the company that Tinder already utilized HTTPS encryption on its website and should extend the protection to its app, which is far more popular.