Any app that hands over user data is a concern, but leaky dating apps are especially worrying given the sensitivity of the data involved. A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to…well, anyone who asked for it.
Launched in 2023, Raw is a dating app that aims to solve some of the traditional problems in online dating, including fake or egregiously touched-up photos, and ghosting (where one person goes silent on each other). The company’s app shares user locations and asks them to post daily photos of themselves to create a more authentic matching experience.
The service collects customer data including what you’d expect for a dating app, such as name, birth date, gender identity, and photos, along with your geolocation and IP address. It stores at least some of its data on servers in the US.
Its privacy policy tells people that it uses end-to-end encryption, or, according to its GenZ-speak on its consumer FAQ:
“Your information is cloaked in encryption and guarded like a princess in a castle by our devs. We don’t sell or share your info in any way – your privacy is a promise we don’t break.”
That text is in all caps on the site so the company’s intentions must be deadly serious, but unfortunately it didn’t follow through according to TechCrunch, which did some impressive sleuthing. The news site ran a copy of the app on a virtualized Android device, which is a copy of the Android operating system running in software. It created a new user account on the app, and watched what happened when another copy of the app requested that user’s profile data. The publication saw the server return the profile data without requiring any authentication.
Like most online services, Raw answers requests for data via an application programming interface (API). This is a service designed for software (in this case, its smartphone app) to request user profile data from its servers. The app does that by sending an 11-digit user ID to an online address.
TechCrunch worked out that anyone could grab information from a profile by accessing the API in a browser, and all they need is the 11-digit user ID. They could also vacuum lots of peoples’ data en masse by just changing the user ID numbers.
