## Raw Dating App’s “Genuine Interactions” Promise Undermined by Data Exposure
Dating app Raw, which launched in 2023 with a pledge of fostering more “genuine interactions,” has been found to be publicly exposing its users’ personal data and location information, according to a TechCrunch exclusive. This revelation casts a shadow over the app’s claims of prioritizing user privacy and security, particularly given its recent announcement of the Raw Ring, a controversial wearable device intended to track a partner’s emotional state.
The exposed data included sensitive information such as display names, dates of birth, dating and sexual preferences, and, most alarmingly, precise location data. In some instances, the location coordinates were accurate enough to pinpoint users down to the street level. This level of detail, readily accessible without authentication, presented a significant privacy risk to Raw’s user base.
Raw distinguishes itself in the crowded dating app landscape by requiring users to upload daily selfie photos, purportedly to ensure authenticity. While the company hasn’t disclosed its precise user numbers, its Google Play Store listing indicates over 500,000 Android downloads.
The timing of the security lapse is particularly unfortunate for Raw. It coincides with the announcement of the Raw Ring, a wearable device touted as a means of tracking a partner’s heart rate and other sensor data to detect potential infidelity. This concept has already drawn criticism for its potential to facilitate emotional surveillance and raise ethical concerns.
Adding insult to injury, Raw claims on its website and in its privacy policy to employ end-to-end encryption for both its app and the unreleased device. However, TechCrunch’s analysis of the app’s network traffic found no evidence of this security measure. Instead, the investigation revealed that user data was being openly transmitted and accessible to anyone with a web browser.
Following TechCrunch’s notification, Raw quickly addressed the data exposure on Wednesday. Co-founder Marina Anderson stated that “All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future.”
However, when questioned about whether Raw had undergone a third-party security audit, Anderson admitted that the company had not, stating that its “focus remains on building a high-quality product and engaging meaningfully with our growing community.” She also declined to commit to proactively notifying affected users, instead indicating that a report would be submitted to relevant data protection authorities.
The duration of the data exposure remains unknown, with Anderson stating that the company is still investigating the incident. Regarding the claim of end-to-end encryption, Anderson clarified that Raw “uses encryption in transit and enforces access controls for sensitive data within our infrastructure,” stopping short of confirming end-to-end encryption. She also did not respond when asked if the company planned to adjust its privacy policy.
**How the Data Exposure Was Found**
TechCrunch discovered the vulnerability during a brief test of the Raw app. Using a virtualized Android device, they created a test account with dummy data and set a virtual location. By monitoring network traffic, they quickly identified that the app was retrieving user profile information directly from the company’s servers without proper authentication.
This meant that anyone could access another user’s private information by visiting a specific web address and modifying an 11-digit user identifier. This type of vulnerability is known as an insecure direct object reference (IDOR): the server looks up a record using an identifier supplied by the client without checking that the requester is authenticated and authorized to see it.
IDOR vulnerabilities are particularly dangerous because they can be easily exploited to access large quantities of sensitive data. U.S. cybersecurity agency CISA has repeatedly warned about the risks associated with IDOR bugs and emphasizes the importance of proper authentication and authorization controls.
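As an added illustration of the IDOR pattern described above (constructed example, not Raw’s code and not from the TechCrunch report), the vulnerable handler below serves whatever identifier appears in the URL, while the hardened version requires a valid session and then decides which fields the requester may see. The ids, tokens and records are made up, and the owner/non-owner field split with coarsened coordinates is an assumed design choice:

```python
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Profile:
    user_id: str
    display_name: str
    birth_date: str
    preferences: str
    lat: float
    lon: float


# Constructed sample records; the 11-digit ids mimic the identifier format the report mentions.
PROFILES = {
    "10000000001": Profile("10000000001", "Alice", "1990-04-02", "women", 40.74844, -73.98566),
    "10000000002": Profile("10000000002", "Bob", "1988-11-17", "men", 51.50735, -0.12776),
}
# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "10000000001"}


def get_profile_vulnerable(path_user_id: str) -> Optional[dict]:
    """Vulnerable: no authentication, and any id taken from the URL is served in full (IDOR)."""
    p = PROFILES.get(path_user_id)
    return None if p is None else asdict(p)


def get_profile_hardened(path_user_id: str, bearer_token: Optional[str]) -> tuple[int, Optional[dict]]:
    """Hardened: authenticate first, then authorize the object reference.

    Returns (http_status, body). Only the owner receives the full record; any other
    authenticated user gets a minimal view with coordinates rounded to one decimal
    place (roughly 11 km), which is the assumed policy for this example.
    """
    requester = SESSIONS.get(bearer_token or "")
    if requester is None:
        return 401, None  # no valid session: refuse before touching any record
    p = PROFILES.get(path_user_id)
    if p is None:
        return 404, None
    if requester == p.user_id:
        return 200, asdict(p)  # the owner may read their own full profile
    return 200, {
        "user_id": p.user_id,
        "display_name": p.display_name,
        "lat": round(p.lat, 1),
        "lon": round(p.lon, 1),
    }
```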
While Raw has since fixed the vulnerability, the incident highlights the critical importance of robust security practices, especially for apps handling sensitive personal information. The breach raises serious questions about Raw’s commitment to user privacy and security, particularly as it ventures into the realm of emotionally-charged wearable technology.