Reverse Engineering Tinder's API

Tinder is the new cool kid in town that everyone is talking about. I heard about the dating app from a friend of mine a few months ago. The concept behind Tinder is pretty simple. It shows you people nearby and lets you anonymously like or pass on them. If someone you like happens to like you back, Tinder makes an introduction and lets you chat with them. What makes Tinder addictive is the instant gratification people get from swiping and judging prospects.

I played around with Tinder one lazy Sunday afternoon and recalled my friend telling me how he would spend hours swiping right on Tinder just to accumulate as many matches as possible. This had me thinking, why can't I reverse engineer Tinder and automate the swipes? After all, I'm pretty darn good at taking things apart!

Tinder, like most internet-connected mobile apps, uses an HTTP-based API under the hood. To reverse engineer the network traffic, we need to capture it and understand it. My tool of preference for capturing HTTP traffic is Fiddler. One of Fiddler's cooler features is its ability to decrypt secure traffic over HTTPS. It does this using a "man-in-the-middle" approach to intercept the secure packets. To the client (the mobile app), Fiddler impersonates the API web server, and to the API web server, Fiddler impersonates the client (the mobile app).

However, to impersonate the secure web server, Fiddler needs an SSL certificate, and it dynamically generates one for this purpose. Since this certificate is not signed by a Trusted Root Certification Authority, it won't be trusted by the client (the mobile app). If the mobile app does not trust the web server, it will not talk to it. This can be easily fixed by installing Fiddler's cert on the mobile device. Fiddler's cert can be exported by pulling up Fiddler Options from the Tools menu.

Now that we have installed Fiddler's cert on the mobile device, we need to route all traffic from the mobile phone to Fiddler. There are multiple ways to do this. One easy way is to proxy the traffic to the computer running Fiddler. Fiddler's proxy server listens on port 8888 by default.

Let's assume the local IP address of the computer is (You can get your machine's IP address by invoking ipconfig on Windows). On an Android device, proxy settings can be set along with the WiFi settings by checking "Show advanced options" as below.

Now that everything has been set up, it's time to have some fun. Launch Tinder on your mobile device and watch the requests flow in real time!
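The interception set up above works because the app accepts any certificate chain that ends in a root the device trusts, including one the user installed. A client that also pins the server's public key rejects the proxy's certificate even then. The sketch below is an added example, not code from the original post or from Tinder; it assumes .NET 6 or later, and the host name `api.example.test` and both certificates are constructed in-process for the demonstration.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinningDemo
{
    // Base64 SHA-256 of the certificate's SubjectPublicKeyInfo (the "pin").
    static string SpkiPin(X509Certificate2 cert) =>
        Convert.ToBase64String(SHA256.HashData(cert.PublicKey.ExportSubjectPublicKeyInfo()));

    // Accept only if the platform chain check passed AND the leaf key matches the pin.
    // The same logic fits HttpClientHandler.ServerCertificateCustomValidationCallback.
    static bool Validate(X509Certificate2 leaf, SslPolicyErrors errors, string expectedPin)
    {
        if (errors != SslPolicyErrors.None) return false;   // normal chain and name checks first
        return string.Equals(SpkiPin(leaf), expectedPin, StringComparison.Ordinal);
    }

    // Constructed test certificate; stands in for a real server or proxy leaf.
    static X509Certificate2 MakeCert(string cn, ECDsa key) =>
        new CertificateRequest("CN=" + cn, key, HashAlgorithmName.SHA256)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

    static void Main()
    {
        using ECDsa serverKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa proxyKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using X509Certificate2 server = MakeCert("api.example.test", serverKey);
        using X509Certificate2 proxy = MakeCert("api.example.test", proxyKey);

        // The pin is computed from the genuine key and shipped inside the app.
        string pin = SpkiPin(server);

        // SslPolicyErrors.None models a device whose trust store accepts both chains,
        // which is the state after the proxy's root certificate has been installed.
        Console.WriteLine("genuine server accepted: " + Validate(server, SslPolicyErrors.None, pin));
        Console.WriteLine("proxy-issued cert accepted: " + Validate(proxy, SslPolicyErrors.None, pin));
    }
}
```

Pinning raises the cost of interception on a device the tester controls but does not make it impossible, so server-side authorization and rate limiting still have to hold on their own.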

Looking at the requests, we see that Tinder assigns an authenticated user with a token which is passed back in the header of each web request. This custom HTTP header is "X-Auth-Token". Using this token, we can execute any valid request against Tinder's API server.

To automate Tinder likes, we care about two specific API requests: the request that returns a list of prospective matches and the request that triggers a like on a specific profile. Let's look at these requests a little closer.

The RECS Request

The RECS POST request returns prospective matches and looks something like this.

Its response is a JSON object with a collection of profiles.

The LIKE Request

The LIKE request is a simple GET request invoked against the ID of the user’s Tinder profile.

Its response is a JSON object with a boolean value indicating whether a two-way match exists between you and the liked user.

Now that we know what the requests look like, let's re-create them with some C# code. Since prospects are returned in batches, we need to invoke a single RECS request, parse out each individual Tinder ID and invoke LIKE requests against each ID.

The above method constructs a RECS request, invokes it and extracts the Tinder IDs. Json.NET is a popular JSON manipulation library for .NET and we use it above to parse the JSON response. We return a list of IDs when done.

Now that we have collected a handful of Tinder IDs, we can invoke a LIKE request against each of them.

Now that we have the code to request matches and like profiles, let's put it all together with some nifty ol' PLINQ for parallel execution.


Voila! Just invoke the above line as many times as you like in a loop and watch the matches pour in.

If you are looking to meet new people on Tinder, check out CamMi Pham's Tinder optimization hacks to make your profile look more appealing to prospective matches. If you are a software developer, you can use the techniques explained in this post to reverse engineer other apps.

Follow the discussion on Hacker News.