Dating app Raw exposed users’ location data and personal information

A security lapse at dating app Raw publicly exposed the personal data and private location data of its users, TechCrunch has found.

The exposed data included users’ display names, dates of birth, dating and sexual preferences associated with the Raw app, as well as users’ locations. Some of the location data included coordinates that were specific enough to locate Raw app users with street-level accuracy.

Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others in part by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store notes more than 500,000 Android downloads to date.

News of the security lapse comes in the same week that the startup announced a hardware extension of its dating app, the Raw Ring, an unreleased wearable device that it claims will allow app users to track their partner’s heart rate and other sensor data to receive AI-generated insights, ostensibly to detect infidelity.

Notwithstanding the moral and ethical issues of tracking romantic partners and the risks of emotional surveillance, Raw claims on its website and in its privacy policy that its app, and its unreleased device, both use end-to-end encryption, a security feature that prevents anyone other than the user — including the company — from accessing the data.

When we tried the app this week, which included an analysis of the app’s network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.

Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.

“All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” Marina Anderson, the co-founder of Raw dating app, told TechCrunch by email. 

When asked by TechCrunch, Anderson confirmed that the company had not performed a third-party security audit of its app, adding that its “focus remains on building a high-quality product and engaging meaningfully with our growing community.”

Anderson would not commit to proactively notifying affected users that their information was exposed, but said the company would “submit a detailed report to the relevant data protection authorities under applicable regulations.”