App Analysis: Bumble

Bumble is a dating application which implements a similar swiping mechanic as Tinder where users are matched based on whether they mutually liked each other's profile. Founded in 2014 Bumble has a user base of ~55 million and is valued at more than $1 billion.

Bumble takes their users "membership and experience seriously" and have implemented detection methods for fake accounts. Similar to many other apps, Bumble does device-level verification to detect suspicious accounts. In theory, devices which have strange configurations would indicate that the device is associated with a fake account.

Bumble Driving: Finding dates and access points

A device check that Bumble implements is collecting all WiFi access points which are accessible from the user's device. As Bumble is a location-based service this collection of access points would be correlated to the users location and thus is a form of war driving.

With approximately 55 million users, Bumble would theoretically have a large amount of access point data and would rival services such as WiGLE the Wireless Geographic Logging Engine.

Bumble retrieves all available WiFi access points and uploads them to their server.

When compared to other methods for detecting whether a device is suspicious, such as the availability of root and the presence of root management apps, this method seems to provide little to no value. For example if a user were in an area without any WiFi access points their device would not upload any access point data, would this be enough for Bumble to see this device as suspicious?

There doesn't appear to be a great case for collecting access point data for the purpose of detecting fake accounts. It would be interesting to know why Bumble collects this data and where it ends up once it's uploaded to Bumble servers.

Java code which does the capturing of access point data, entire code found here.

From the decompiled APK the WiFi scanning code was found. This code shows that Bumble is capturing the SSID, BSSID (MAC address), and the strength of the signal of each available WiFi access point. In order to get this WiFi information the App is required to ask for the ACCESS_FINE_LOCATION permission and with that is able to determine as precise a GPS location as possible. This results in Bumble having highly precise geographic access point data.

Conclusions

Bumble is practicing a form of distributed war driving via their Android Application. This is potentially to detect fraudulent accounts as any device which has strange network configurations may indicate suspicious activity. The amount of access point data which they collect from their approximately 55 million users would rival that of similar large scale WiFi access point mapping services such as WiGLE.

It's interesting that this would be implemented in Bumbles Android application for what is assumed to be detecting suspicious devices. There doesn't seem to be a benefit this method provides over other more common fraudulent device detection methods. This collection of data does less to detect suspicious accounts and more to highlight Bumble as a suspicious app.

What do you think? Tweet @theappanalyst1 with your thoughts. Thanks for reading!