It's really sad to see so many findings, especially the ones that are exactly the same as issues that tinder had _years_ ago. Did they do no research? Did they just not care?
Example, the exact same triangulation issue that allows tracking users happened 6 years ago:
This also worked until recently on telegram, it's so novel to me, what was a huge deal with the cell phone AMPS/TDMA days and how Kevin Mitnick was caught, is possible now, with someone bored and a day to kill with a waymark and working backwards to try to isolate.
I just find it so fascinating, what was only possible by telecom/nation states now the average poweruser can do if they really pleased. Then again, API walk, race attacks and such, aren't the average power user, right?
But not caring implies some kind of tradeoff. If you don't care, just don't add the feature! Obviously they do care if they knew that their almost identical competitor did it and put was an issue, but decided to add the feature anyway.
Out of curiosity, what would be the best way of displaying a rough distance for location on these style apps? (Round to nearest mile? Show a town name?)
One approach I've been thinking about in the past (at least as a rough concept) is for the back-end to round both users' location to an "area" (probably city level or similar), then compute the distance between the centroids of those areas. That way moving around your own city wouldn't change the returned distance, nor would the other person's moving around their own city. Even spoofing API requests wouldn't help much, as you'd only be able to triangulate which particular area centroid the distance is being measured to, and that is probably something the user is already disclosing on their profile anyway.
This could even be done in a relatively private way by only reporting the area level location to the server (not that I imagine many services would want to give up valuable raw location data!), as the server wouldn't need anything more granular.
Obviously there's challenges in more rural areas where population and premises density are lower - how big is the "area" in that case, and is the distance reported that meaningful in these situations?
The way tinder dealt with it, as I understand, is by dividing the world into a coarse grid. Users were placed in the grid, then distances calculated from the centers of the grid squares. Basically rounding of position, not rounding of distance. They tried rounding distance (calculated from exact positions) but one can exploit that by exploring for the boundary where the distance changes from one integer to another.
The Bumble issues feels so much worse, IMHO. All of the "hacks" clearly demonstrate that little of the security, limits, etc. are enforced by the server.
How many of you have built very robust and secure restful api's, and had no traction? Makes you wonder if craftsmanship even matters for many startups.
Most of the things described in this post are easy to mitigate without much additional development effort. Rate limiting, role based access etc are commodities now.
Implementing server-side validations is, in my opinion, mandatory. This is even more important for any API with more than 1 client - Android, iOS, Web etc. Not only does it prevent basic security breaches, but also it prevents hard to track bugs. More importantly, why would you not centralise business logic as much as possible instead of having to duplicate it on every client.
Depending on what you mean by "start-up", those are all unfortunately still nice-to-haves, not mandatory, for a functioning app. Having just finished a stint as the main dev at a startup, even commodities still take a reasonable amount of effort for a top tier group of 1-5 people to manage, let alone the team you happen to have at the time (meaning not top tier, looking at myself here heh). Roll that into "we got funding and it's growth time, no space for architecture changes", it's not hard to see the path to skipping out on some things that are considered basic for a new project at a medium-large scale company. So not really against what you say, just a note that the ideal doesn't always match the reality
I understand how it ends up like this as I myself run a startup with a small tech team. Typically the issue is that we are always looking to add new features versus trying to fix issues from past. But I still believe that with good principles from the beginning, we will be able to build better software without costing us time
the ability to sell more shares matters, and recurring revenue is the most major component of being able to do that
nothing else does
its a dating app made to address issues women have had in other dating apps, founded/made/led by a woman, with the solution being the oxymoron of women messaging male matches first
thats it
thats the whole story
theyre publicly traded now, with a traditional IPO (no SPAC), that is called success
Author keeps referring to “the REST APIs” but it’s clear from the examples that there is nothing RESTful about the APIs - it’s all some form of RPC over HTTP.
REST is popular and everyone knows what it is generally. The differences between what is happening in the post (JSON RPC over HTTP) are fairly subtle to a casual reader when compared to REST.
For the majority of the target audience (I assume some level of technologist), it’s probably more confusing than not to go through and talk about RPCs. The “rest” of us (haha) know what they mean when they say REST and show RPC.
I don’t think this is a hill to die on, or even a big deal whatsoever.
Download the Charles app on your iPhone, turn it on, use the app you’re interested in, then look at Charles to see what network calls the app made while you were using it.
Or install MITMProxy on your laptop, install your newly-generated root CA cert on your phone, and point your phone’s http proxy to your MITMproxy port. I prefer this to installing an app on my phone.
All the device knows is that it trusts some root CAs and not others. You add your personal root CA to the trusted list; so it's trusted.
Unless the site uses some kind of certificate pinning (c.f. HPKP), one trusted root is as good as another.
This is how TLS inspection is done on corporate networks. IT will apply a group policy that puts a company-owned root certificate into the trusted roots on your Windows machine - maybe the same one that's used for the rest of your internal PKI.
You then issue a subordinate CA from that root, and your web proxy infrastructure (Bluecoat or whatever) then uses that CA to do just-in-time provisioning of certs for whatever domains you're intercepting.
Apps are built in a client-server configuration where the app is the user facing client and the API is the server. If you listen and manipulate the data sent back and forth to the server you can often do a lot more then what the user interface allows. Whether that’s gathering and analyzing more data or completing actions the server developers never anticipated the client would attempt.
Simply put backend developers assume the client will only do what they configure it to do and won’t be tampered with, except with enough effort it can trivially be tampered with.
> backend developers assume the client will only do what they configure
... if they lack the time (or inclination) to validate the requests properly. Client side validation is important for good UX, but not strictly essential, whereas server side validation ought to be mandatory.
Put more generously there are limitations to the apple development ecosystem and frameworks, and limitations to web frameworks. Combined you combine both sets of limitations - which encourage the developers to throw their hands up.
Release engineering mobile apps is a PITA. Backend engineering at a mobile first company is often second fiddle.
I'm not sure how Apple's ecosystem or web frameworks limit the validation on a backend, which is pretty much platform agnostic. The limitations are bound by what a HTTP response can provide, and the error states the front-end devs are willing to handle. During my time as a mobile/web dev, the back-end devs were always compliant with providing the error information where relevant, and would enforce business requirements (e.g., paid users are only authorized to do 'x') on the back-end. Once again, it's more expedient to not care, but I think Bumble has the budget and self-interest to care for the examples in the article.
I found many of these things too, there's also a direct link to the careers page of badoo. I did not know before the IPO and such that badoo owned bumble as I explored the API.
Example, the exact same triangulation issue that allows tracking users happened 6 years ago:
https://www.google.com/amp/s/time.com/8604/tinder-app-user-l...