Apple Finally Pulls ‘Tea’ Dating App After Privacy Scandal
In late July, a popular “dating safety” app called Tea, which was billed as a safe space for women to share warnings about potential partners, turned out to be anything but.
Tea Dating Advice, or simply Tea, had jumped to the top of the App Store charts before someone discovered that the data was being stored so insecurely that amateur hackers had little problem “rifling through people’s personal data and selfies” that had been shared in the app, according to an investigative report by 404 Media.
The company behind Tea claimed that “the incident involved a legacy data storage system containing information from over two years ago,” but a second incident a few days later proved that this was only the tip of a much larger iceberg. The folks at 404 Media dug deeper to find that it was “trivial” to not only see private information but also find the real-world identities of some users, since some of the leaked data included photo IDs submitted for account verification, and users also frequently shared personal details in their private messages, thinking they were, well, private.
To paraphrase Hanlon’s razor, the issue here was much more likely one of incompetence than malice. Tea had little to gain from deliberately storing data in such a shoddy and insecure way; however, it’s also too easy for amateur developers to create an app and a back-end service without the skills required to make it secure. Even security experts can make mistakes, which is why third-party audits matter, but in this case, it looks like Tea’s developers weren’t even trying.
Apple’s Silence
There are an estimated 1.8 million or more apps on the App Store, and Apple can’t possibly vet and monitor every single one to the level that would detect these types of flaws. The App Store review team only looks at how apps work on Apple devices and ensures they’re not fraudulent or misleading — and they don’t always get a perfect score on that. They’re definitely not equipped to check out any back-end services those apps tie into.
It’s sobering to think that an app like Tea could have flown under the radar for years had it not gone viral, leading the rogues at 4chan to hack around with it, which in turn led to 404 Media’s investigation.
Still, once it came to Apple’s attention, you’d think the company would have done something about it. Yet Tea not only remained on the App Store, but two days after the scandal broke, John Gruber reported at Daring Fireball that it was still ranked at number 3 in the United States, behind ChatGPT and Wingstop, and ahead of Threads.
Perhaps the reports prompted curious onlookers to download Tea just to see what the fuss was about, but it was still pretty disturbing that the app not only rose in popularity but also remained in the App Store.
Of course, there’s room for debate as to whether it’s Apple’s responsibility to address this, but, as Gruber points out, Apple frequently claims that the App Store should be a trusted place for apps because they’re vetted by Apple. That gives it an ethical — or at least a reputational — responsibility to do something.
Apple Finally Ends Tea’s Party
The good news is that Apple has finally taken action. We’ll probably never know what took so long. Maybe Apple wrestled with where to draw the line, or perhaps it gave Tea’s developers a grace period to fix the issues. It’s even conceivable that Tea really did fly below Apple’s radar for ten weeks. Whatever the reason for the delay, Tea is now gone, along with a copycat app, TeaOnHer.
TechCrunch’s Sarah Perez shared the news after App Store intelligence provider Appfigures informed her that the two apps had disappeared from Apple’s storefront on Tuesday. Apple confirmed the removals to TechCrunch, citing violations of its content moderation and privacy rules:
Reached for comment, Apple confirmed the apps’ removal, saying it removed Tea Dating Advice and TeaOnHer from the App Store because they failed to meet Apple’s requirements around content moderation and user privacy. The company also said it saw an excessive number of user complaints and negative reviews, which included complaints of minors’ personal information being posted in these apps.
Sarah Perez, TechCrunch
The two apps were cited by Apple for violating three specific clauses of the App Review Guidelines, not all of which directly applied to the privacy breach. For instance, Section 1.2 requires apps with user-generated content to provide a way to report offensive content and block abusive users.
Apple also said Section 5.1.2 applies, which relates to sharing data without user consent — presumably even inadvertently in this case — and finally Section 5.6, a Developer Code of Conduct clause that’s effectively a catchall for Apple to ban apps based on bad behavior or poor quality, including “excessive customer reports about concerns with your app, such as negative customer reviews.”
An Apple spokesperson told TechCrunch that the developers had been made aware of these issues, but the complaints were not addressed, and there’s no word on the timeframe given to the developers. It’s possible Apple raised the alarm bells as soon as the issues were reported in late July, but under the circumstances, it still seems like it would have been more prudent to at least temporarily suspend the app until the leakages were fixed, much like we saw with the popular Neon call recording app last month.
Sadly, this serves as a cautionary tale to be careful which apps you trust; even in Apple’s curated ecosystem, your data is only as safe as the least competent developer behind the app you install.


