Dating App Raw Exposed User Data and Precise Locations in Major Security Flaw
A significant security flaw in the dating app Raw led to the public exposure of users’ personal and location data, TechCrunch has discovered.
The compromised data included users’ display names, birth dates, and details about their dating and sexual preferences. Alarmingly, the leak also involved precise location coordinates that could be used to locate users with street-level accuracy.
Launched in 2023, Raw markets itself as a more “authentic” dating platform, encouraging users to upload daily selfies to foster genuine connections. While the company hasn’t shared official user numbers, the app’s listing on the Google Play Store indicates it has been downloaded over 500,000 times on Android devices.
News of the data exposure comes just days after Raw announced a new hardware product, the Raw Ring—a wearable device that promises to track a partner’s heart rate and biometric data, using AI to generate insights aimed at detecting possible infidelity.
Despite the ethical concerns surrounding such intimate surveillance, Raw asserts on its website and in its privacy policy that both the app and the forthcoming device use end-to-end encryption, which theoretically would prevent even the company from accessing user data.
However, during a recent test and network traffic analysis, TechCrunch found no evidence of end-to-end encryption in the app. Instead, it discovered that user data was accessible to anyone with a web browser.
Following TechCrunch’s inquiry, Raw addressed the issue on Wednesday by securing the vulnerable endpoints.
“All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” said co-founder Marina Anderson in an email response.
When asked whether the app had undergone an independent security audit, Anderson admitted it had not, stating the company is focused on delivering a quality product and building a strong community.
She also declined to confirm whether the company would notify users affected by the breach, though she noted that Raw would file a report with relevant data protection authorities, as required by law.
It remains unclear how long the data had been publicly exposed. Anderson said an internal investigation is still underway.
Regarding the encryption claim, Anderson clarified that the app uses encryption for data in transit and access controls for sensitive information, adding that further security measures will be evaluated as the investigation continues.