Friday, March 13, 2015

Reverse Engineering Tinder's API

The Setup

    What would possibly possess someone to spend a Friday night trying to learn the inner workings of the Tinder API? Me, that's who. I was trying to think of a project involving social media, and I thought it would be fun to write a bot that sits on Tinder. The bot would spam-accept every person it finds, periodically moving location for maximum reach. The idea from there is that when a spammer's account gets hit, it will match with my bot's account. The spam account will then send me an automated message with a link to whatever site it is advertising. My bot would monitor for incoming messages and, when they came in, run a Bayesian algorithm on the message and report the account if it is detected as spam. The first part of making this a reality was to find out how to call the Tinder API. I am sure someone out there has already documented this, but I feel like doing a little tinkering, so this feels like a perfect opportunity.
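    The "Bayesian algorithm" step could look like the sketch below: a small multinomial naive Bayes classifier that scores an incoming message and decides whether to report the sender. This is an added example, not code from the original post; the training messages are constructed, and the `should_report` helper and its 0.9 threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed training messages (not real Tinder data).
TRAINING = [
    ("spam", "hey babe check out my pics at http://example.test/cam"),
    ("spam", "i am bored, come chat with me on my site http://example.test/join free signup"),
    ("spam", "verify your age here http://example.test/verify and see my private pics"),
    ("ham", "hey how was your weekend"),
    ("ham", "do you want to grab coffee on friday"),
    ("ham", "haha i love that band, saw them last year"),
]
URL_RE = re.compile(r"https?://\S+|www\.\S+")

def tokenize(text):
    """Lowercase words; every link becomes one 'urltoken' so unseen domains still count."""
    return re.findall(r"[a-z']+", URL_RE.sub(" urltoken ", text.lower()))

class NaiveBayes:
    def __init__(self, samples):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()
        for label, text in samples:
            self.docs[label] += 1
            self.words[label].update(tokenize(text))
        self.vocab = set(self.words["spam"]) | set(self.words["ham"])

    def _log_score(self, label, tokens):
        total = sum(self.words[label].values())
        score = math.log(self.docs[label] / sum(self.docs.values()))  # class prior
        for tok in tokens:
            # Laplace (+1) smoothing: a word seen in only one class never zeroes the other.
            score += math.log((self.words[label][tok] + 1) / (total + len(self.vocab)))
        return score

    def spam_probability(self, text):
        # Words never seen in training carry no evidence, so they are skipped.
        tokens = [t for t in tokenize(text) if t in self.vocab]
        diff = self._log_score("ham", tokens) - self._log_score("spam", tokens)
        return 1 / (1 + math.exp(max(min(diff, 700), -700)))

def should_report(model, text, threshold=0.9):
    """Hypothetical policy: flag the sender only when the model is confident."""
    return model.spam_probability(text) >= threshold

MODEL = NaiveBayes(TRAINING)
```

    Collapsing every link into a single token is what lets the classifier flag a link to a domain it has never seen, which is the pattern the post expects from spam accounts.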

Few Tools Necessary


    - Fiddler is a wonderful free HTTP proxy built for debugging.
    - During the install you will be prompted to add the Fiddler SSL cert to your CA. Make sure you do this and select the "Download to Desktop" option as well. You will need to transfer that to your phone (for SSL decryption).

    - Open your shell and type "man curl" if you're not familiar with curl. You will want to be.

   I fired up Fiddler and started intercepting traffic from my phone. You can then watch the requests to the Tinder API go out and read the responses. Here is the lowdown on the process for making API calls from your shell. The first thing you need to do is make the call to the Facebook API to get your authentication. The easiest way to get this info is to log out and log back in from your phone while you are running through Fiddler. In Fiddler you will see a request go out of your phone to  The response to this request is a JSON object that contains the access_token key. It is the value associated with this key that is important to us.
    Next we will open up a shell and use curl from here.  Now we are going to call the auth section of the Tinder API and start our session.   Our next command is as follows:

curl  -H "Content-Type: application/json" -d '{"facebook_token":"<your access_token>"}'

    Note the addition of the Content-Type header. You will need this for your commands to be properly interpreted by the server. This command will return a JSON object with the key "token". This token is going to be very important, as it is what allows us to make authenticated calls to the API. Anytime you see me refer to auth_token, this is the token I am referring to. From here on out we are going to be adding another header to our curl calls. We will need to add the header for our authentication. You will see this in the next example. From here it was just a matter of playing with anything that made an API call on my phone, looking at the URL for the request and the object that was sent, and mimicking this in curl with my authentication header. I will now give a few examples of some of the API calls. I encourage everyone to set up a lab and play with this yourself. You can run the same process against any API. Throw data at the functions and see what happens. Happy tinkering.

  If you want to know more about me or you are looking for someone with my skill set my contact info can be found at

Pull info on 20 people in your area:
curl -H "Content-Type: application/json" -H "X-Auth-Token: <your auth_token>" -d '{"limit": 20}'

Change Your Current Location:
curl -H "Content-Type: application/json" -H "X-Auth-Token:<your auth_token>" -d '{"lon":12.8067812,"lat":69.0881643}'

Like A User
curl  -H "X-Auth-Token:<your auth_token>"<user's_id>

Pass On A User
curl -H "X-Auth-Token:<your auth_token>"<user's_id>

Pull New Activity (Matches, Messages, Etc.)
curl -H "Content-Type: application/json" -H "X-Auth-Token: <your auth_token>" -d '{"last_activity_date":"<Last Date To Check From>"}'

*Last Date is in form "2015-03-14T03:48:29.002Z"

Pull Users Info
curl -H "X-Auth-Token:<your auth_token>"<user's_id>


  1. First time I commented in a blog! I really enjoy it. You have an awesome post. Please do more articles like this. I'm gonna come back surely. God bless.


  2. Is there an API to get history? Like to fetch likes, pass, super like, etc.

  3. Am I right to say that if the client app uses HTTPS and doesn't trust Fiddler's "forged" SSL cert, it won't work? I just tried using Fiddler with an app, and when it tries to establish an HTTPS CONNECT to their API server, the app says "no internet connection" (but traffic to HTTPS websites through the browser works, since I installed the root cert on the phone)?

    1. This was written quite some time ago and they may have added something called SSL pinning to the app. SSL pinning is where an app will make a profile of its trusted cert the first time you connect, and in the future if that cert changes it will kill the connection. I have not tested this myself, but I would be willing to bet it is either that you have the proxy misconfigured or they are pinning. If all other HTTPS sites work through Fiddler, it is more than likely pinning; if no HTTPS sites work through Fiddler, it is more likely that something is misconfigured in Fiddler. Hope this helps!