New website Swipebuster is using Tinder’s private API to allow anyone to spy on Tinder users. This is not the first time the private Tinder API has been reverse engineered and used to build an unofficial application. Last year, a developer in Vancouver, Canada, used Tinder’s private API to create an application to automate his online dating. The following month, the private Tinder API was hacked and used to create fake female Tinder profiles, prompting Bros to swipe Bros.
Tinder is not the only well-known application to have a private API reverse engineered. Leading tech companies such as Uber, Snapchat, and Tesla have also had their private APIs reverse engineered. In recent years, a number of developers have not only reverse engineered the Tinder API but have also built bots that sit on Tinder and interact with the service. Most of these "Tinder bots" are designed to generate spam, while some of the bots are designed primarily to interact with Tinder users.
Tinder has taken steps to help solve the spam problem, including a partnership with TeleSign, a mobile identity solution provider, which has allowed Tinder to implement a two-step verification system and real-time risk analysis of phone numbers. According to TeleSign, this system has helped reduce Tinder spam traffic by 90%. It is unclear if Tinder has taken any additional steps to better secure the private Tinder API.
Swipebuster is a new website that allows users to find out if a specific person is using Tinder. The website can also provide the most recent date and the location of the person using the Tinder app. Swipebuster is using the private Tinder API to find specific Tinder user data. While much of the information Swipebuster is accessing is public information from Tinder, some Tinder users are concerned about Swipebuster being used for malicious purposes such as stalking an ex-girlfriend/ex-boyfriend.
The bottom line is that companies should secure private APIs just as they would public APIs. Just because an API is private does not mean that it is impervious to hacking or reverse engineering.