Note: This was written back in 2014. There is no way any of the Tinder aspect of this post still works; however, you can apply the method detailed here to many other things 🔑

Tinder is pretty cool, so let's see how it works xoxo. Before we start, I should say that beyond a little sniffin' I've never looked into the Tinder API, so we're all learning something here. Anyway, let's do this! 😍 Over the next few days, I'm going to take a look at the entire flow of Tinder's API. And each day - or maybe a couple of times a day, depending on #progress - I'm going to post an entry about that section of the API. In this entry, we'll go over setting up our environment and how Tinder sets up authentication.

Parts:
  • Authentication (Currently On)
  • Profile and Geolocation - (I lost this post sadly 😞)

Setting up, yo

The most important part of this entire thing is monitoring the traffic going through your phone. This can be done many ways:

  • Fiddler - super awesome, but doesn't work too well on iOS.
  • Wireshark - monitors all traffic! but a little over the top for something like this.
  • MITM proxy - cool, but a little too hackr for me.

For this, we'll be using Charles Proxy. It's not free, but has a trial that keeps it alive in 30 minute bursts. If that annoys you, pay, it's totally worth it. For real, this shit will change your life.

Once you've downloaded this crazy thing, grab your iPhone (you can do this on Android, Windows Phone.. and the rest, just adapt what I say), jump into Safari, navigate to www.charlesproxy.com/charles.crt and allow it to be installed onto your device. What this does is make your phone trust Charles' root certificate, so Charles can re-sign all that supersecret https content with its own certificate, allowing Charles on our super hacker laptop to see what's inside.

Yo, this certificate is the same for everyone. So the second you're done hacking, remove it from your phone. Don't leave it on there to have someone steal your Instagram session token in Starbucks.

Cool, now open Charles and go to Proxy -> Proxy Settings. Change the Port under HTTP Proxy to something that's free. I always change it to 8889 - remember this number. Now get your computer's local IP address - for me it's 192.168.1.117 - also remember this.

While we're in here, also go over to the SSL tab and tick Enable SSL proxying, then click the Add button under Locations. Set the host as *, and port as 443. This just tells it what SSL traffic to listen for.

On your iPhone, connect to the same Wifi network as your laptop, go into wifi options and scroll down to HTTP PROXY, select the manual option and put your laptop's local IP address in as the server and the port you picked in Charles in the port option. Back out and we're done. Every packet your iPhone transmits will go through Charles. Fun stuff.

Gettin' that Facebook Access Token

Tinder uses the Facebook account that's built into iOS to load you in. If you want to start from scratch, remove your Facebook account from it, create a new one and add that. If you don't, this next part might look a little weird.

Install Tinder from the app store, and load her up. You'll be greeted by a lovely woman with her dog and a blue Log In with Facebook. Tap it. It'll ask you for permission to use your Facebook account, just hit OK. You'll be taken to a SMS verification screen, but let's take a step back from that for now. This is where you'll notice requests in regard to Tinder start to show up. Specifically to the graph.facebook.com host.

The only request we're interested in is the one to the path graph.facebook.com/v2.1. From what I can tell, the others are just analytics, and of no interest to us.

/v2.1

This endpoint takes in a multipart form:

  • batch_app_id | the app id that tinder is registered with.
  • batch | a list of commands to execute on the graph api. Facebook supports this awesome feature in graph search to execute more than 1 request at once by sending them in that format, and returns the results in a nice JSON object.

All we really need from this is to pull the access_token parameter out of the batch string, and store it. We'll need that for the /auth request on Tinder later. This request just returns metadata about the authenticated Facebook user and the permissions the api has granted the application.
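As an added example (not code from the original post), here is one way to pull the token out of a captured batch value in Python. It assumes the standard Graph API batch layout, a JSON array of operations with relative_url and optional body fields; the sample batch, the token and the function names are constructed.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the `batch` form field; the token and fields are made up.
SAMPLE_BATCH = json.dumps([
    {"method": "GET",
     "relative_url": "me?fields=id,name&access_token=CONSTRUCTED_TOKEN_123"},
    {"method": "POST",
     "relative_url": "me/permissions",
     "body": "access_token=CONSTRUCTED_TOKEN_123"},
])

def tokens_in_batch(batch_field):
    """Return the distinct access_token values in a batch string, in order seen."""
    found = []
    for op in json.loads(batch_field):
        # An operation can carry its token in the relative_url query string...
        query = urlsplit(op.get("relative_url", "")).query
        candidates = parse_qs(query).get("access_token", [])
        # ...or in the form-encoded body of a POST-style operation.
        candidates += parse_qs(op.get("body", "")).get("access_token", [])
        for tok in candidates:
            if tok not in found:
                found.append(tok)
    return found

def redact(token, keep=4):
    """Shorten a token for notes or logs so the full value is never written down."""
    return f"{token[:keep]}...({len(token)} chars)"

if __name__ == "__main__":
    for tok in tokens_in_batch(SAMPLE_BATCH):
        print("found access_token:", redact(tok))
```
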

Getting a "Tinder Token" - catchy name

Now Tinder takes that access token, and the id of the Facebook user (if you don't know this, it's in the metadata returned by the request to graph.facebook.com/v2.1). At this point, Tinder makes a POST request to api.gotinder.com/auth, with the following JSON body data:

{
    "facebook_token": "cool_token_bro",
    "facebook_id": "100008601910847"
}

Make sure you set the Content-Type header to application/json, otherwise the api won't know you're sending a JSON blob.

/auth

This endpoint returns the basis of what the app needs to set up. This includes some notable data entries, such as:

  • token - the token tinder will use from now on for authentication requests to its own api.
  • user.api_token - they send it twice for some reason. Probably backwards compatibility due to them not having a versioned api.
  • user.banned - indicates if the user is allowed to use the api. This will be true until you validate via SMS.
  • version - this contains version numbers used to tell Tinder what version of applications on the server they'll be serving to the user. Probably for A/B testing.
  • globals - this contains global settings used by the app to control behaviour.

But the most important thing is that we now have a token. Now we can start using Tinder's api.

From now on, all requests, unless specified, require these 2 headers:

  • Authorization: Token token="[token]"
  • X-Auth-Token: [token]

Verifying we own a phone

Now we have to prove to Tinder we own a phone, and we're a real person. To do this, they POST the phone number you type in to api.gotinder.com/sendtoken in a JSON body:

{
    "phone_number": "+[international-code][phone-number]"
}

(Again, don't forget the Content-Type and two authorization headers specified above.)

This returns a JSON string specifying a status code. If we get a 200, that means a verification code was sent to the phone number entered.

When we have that token (a 6 digit numerical code) - we make one final POST request to api.gotinder.com/validate with the following JSON body:

{
    "token": "[numerical-code]"
}

That will return this (If it isn't true, try again):

{
    "validated": "true"
}

You could easily automate this step using Twilio.
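
The whole exchange from /auth through /validate, as an added Python example that is not part of the original post: it builds the requests without sending them and parses the responses. The https scheme, the function names, the sample /auth response and the phone-number format check are assumptions; the paths, body fields and headers are the ones listed above.

```python
import json
import re
from urllib.request import Request

API = "https://api.gotinder.com"  # host from the post; the scheme is an assumption

def json_post(path, body, token=None):
    """Build (not send) a JSON POST; once a token exists, attach both token headers."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f'Token token="{token}"'
        headers["X-Auth-Token"] = token
    return Request(API + path, data=json.dumps(body).encode(),
                   headers=headers, method="POST")

def parse_auth(raw):
    """Pull the session token and the banned flag out of an /auth response body."""
    doc = json.loads(raw)
    # The token is sent twice; fall back to user.api_token if the top-level one is absent.
    token = doc.get("token") or doc.get("user", {}).get("api_token")
    if not token:
        raise ValueError("no token in /auth response")
    return token, bool(doc.get("user", {}).get("banned"))

def sms_requests(token, phone_number, code):
    """Build the /sendtoken and /validate requests, rejecting malformed input early."""
    if not re.fullmatch(r"\+\d{6,15}", phone_number):
        raise ValueError("phone number must be + followed by country code and number")
    if not re.fullmatch(r"\d{6}", code):
        raise ValueError("verification code is 6 digits")
    return (json_post("/sendtoken", {"phone_number": phone_number}, token),
            json_post("/validate", {"token": code}, token))

def is_validated(raw):
    """The post shows "validated" as the string "true"; accept string or boolean."""
    return json.loads(raw).get("validated") in (True, "true")

# Constructed /auth response holding only fields the post lists.
SAMPLE_AUTH = ('{"token": "tok-constructed", '
               '"user": {"api_token": "tok-constructed", "banned": true}}')

if __name__ == "__main__":
    token, banned = parse_auth(SAMPLE_AUTH)
    for req in sms_requests(token, "+15555550100", "123456"):
        print(req.get_method(), req.full_url, req.data.decode())
    print("banned until SMS validation:", banned)
```
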

And we're in

That's it for this entry. We now have authenticated access to Tinder's API. In the next entry I'm going to be looking at profiles and geolocation.