WanderingWithPride/romeo-audit
ROMEO Android App — Security Audit

App: ROMEO
Package: com.planetromeo.android.app
Version: 3.36.2 (versionCode 1000000923)
Operator: Planetromeo B.V., Amsterdam, Netherlands
Jurisdiction: Dutch DPA (Autoriteit Persoonsgegevens) / GDPR
Audit date: 2026-03-20
Auditor: WanderingWithPride Security Research

Part of the WanderingWithPride LGBTQ+ App Security Audit Series.


Overview

ROMEO is one of Europe's largest gay social platforms, headquartered in Amsterdam. This forensic reverse-engineering audit analyzed the Android APK (v3.36.2) for security vulnerabilities, GDPR Article 9 data handling, third-party SDK integrations, and API security.

The app handles GDPR Art.9 special-category data across all user profiles and search functionality: sexual orientation, HIV-adjacent health status (via the safer_sex value TASP, treatment as prevention), gender identity, and sexual practice preferences.


Finding Summary

ID       Severity  Finding
SEC-001  CRITICAL  Hardcoded production API key sent in every HTTP request
SEC-002  CRITICAL  Hardcoded Google API keys (Maps + Firebase) in resources
SEC-003  HIGH      Conditional SSL/TLS bypass present in production binary
SEC-004  HIGH      Session token and credentials stored in unencrypted SQLite
SEC-005  HIGH      TestBedActivity shipped in production build
SEC-006  MEDIUM    Sift Science SDK collects continuous GPS + device fingerprint
SEC-007  MEDIUM    Compose PreviewActivity unintentionally exported
SEC-008  MEDIUM    Firebase Realtime Database URL exposed
SEC-009  LOW       GCP OAuth client ID exposed
SEC-010  LOW       Internal testbed hostnames (26) enumerated in binary

Overall Risk: HIGH


Key Technical Findings

Hardcoded API Key (SEC-001 — CRITICAL)

Every HTTP request to https://pradn.net carries:

X-API-Key: wzGwF1UnPJ7EYxoa6TogPkgNHqRd20a2

This key is a static string literal in o3/C2821a.java (the Dagger Retrofit module), so anyone who decompiles the APK can recover it. A key compiled into a client binary has to be treated as public; how serious that is depends on what the backend grants to a bare holder of the key beyond identifying the official client, which this summary does not establish.

SSL Bypass (SEC-003 — HIGH)

n3/C2769d.java contains an X509TrustManager whose checkServerTrusted is a no-op (every server certificate is accepted) and a HostnameVerifier that returns true for any host. Neither is active by default: both are used only when the KEY_TEST_BED preference is set, which TestBedActivity (also shipped in this production build, SEC-005) can do. The bypass is therefore gated rather than always-on, but the gate is a preference value on the device rather than a build-time exclusion, so the code path reaches production users.

Unencrypted Session Storage (SEC-004 — HIGH)

accounts.db (SQLite, no encryption) stores __sessionid and credentials in plain columns. The credential storage path uses neither the Android Keystore, EncryptedSharedPreferences, nor SQLCipher. On an unrooted device the file is still shielded by the app sandbox, so the practical exposure is on rooted or compromised devices, in device forensics, and through any backup path that includes app data; encrypting the columns under a Keystore-held key would limit what such an extraction yields.

GDPR Art.9 Fields Confirmed Transmitted

  • orientation — sexual orientation (GAY, BISEXUAL, QUEER, STRAIGHT, OTHER)
  • safer_sex — includes TASP (treatment as prevention, a de facto HIV-positive disclosure) and PREP (HIV-negative and on PrEP)
  • anal_position, dick_size, fisting, fetish, sm, dirty_sex — sexual practice data
  • gender — includes TRANS_MAN, TRANS_WOMAN, NON_BINARY

What ROMEO Gets Right

Compared to peer apps in this series:

  • No Chinese SDKs (Baidu, Tencent, ByteDance, FaceUnity)
  • No Russian SDKs (Yandex)
  • No advertising data broker SDKs (Braze, AppsFlyer, Amplitude, LiveRamp)
  • App-data backup disabled (fullBackupContent=false); eligibility for adb backup is decided by android:allowBackup, which this summary does not list
  • No cleartext HTTP (usesCleartextTraffic not set; the platform blocks cleartext by default only for apps targeting API 28 or later, so this rests on the app's targetSdkVersion)
  • EU-based operator under direct Dutch DPA jurisdiction

ROMEO has the cleanest third-party SDK profile of any app audited in this series.
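The manifest-level points in this list (exported components such as the Compose PreviewActivity, shipped test activities, the backup and cleartext attributes and their platform defaults) can be checked mechanically against apktool's decoded AndroidManifest.xml. The following is an added example written for this page, not code from the audit or from ROMEO. It runs over a constructed manifest fragment whose package and class names (com.example.app, com.example.app.debug.TestBedActivity, com.example.app.ShareTarget) are placeholders, and the rules encode Android platform defaults rather than anything specific to this app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for this example. It is NOT the real ROMEO manifest:
# com.example.app and the class names under it are hypothetical placeholders,
# chosen so that each check below has something to report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="34"/>
  <application android:fullBackupContent="false">
    <activity android:name="androidx.compose.ui.tooling.PreviewActivity" android:exported="true"/>
    <activity android:name="com.example.app.debug.TestBedActivity"/>
    <activity android:name="com.example.app.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.app.ShareTarget">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
  </application>
</manifest>
"""


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def load_manifest(xml_text):
    return ET.fromstring(xml_text)


def target_sdk(root):
    sdk = root.find("uses-sdk")
    return int(_attr(sdk, "targetSdkVersion", "1")) if sdk is not None else 1


def cleartext_allowed(root):
    """usesCleartextTraffic: an explicit value wins; otherwise the platform
    default is true below targetSdkVersion 28 and false from 28 on."""
    explicit = _attr(root.find("application"), "usesCleartextTraffic")
    if explicit is not None:
        return explicit == "true"
    return target_sdk(root) < 28


def backup_posture(root):
    """allowBackup (platform default true) decides whether the app is eligible for
    backup at all; fullBackupContent configures Auto Backup content rules."""
    app = root.find("application")
    return {"allowBackup": _attr(app, "allowBackup", "true") == "true",
            "fullBackupContent": _attr(app, "fullBackupContent")}


COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def exported_components(root):
    """[(class name, reason)] for components that other apps can reach."""
    out = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        name, explicit = _attr(comp, "name"), _attr(comp, "exported")
        if explicit == "true":
            out.append((name, 'android:exported="true"'))
        elif explicit is None and comp.find("intent-filter") is not None:
            # Implicit export, the pre-API-31 default; API 31+ refuses to install this.
            out.append((name, "intent-filter without explicit android:exported"))
    return out


DEBUG_NAME_HINTS = ("TestBed", "Preview", "Debug")


def debug_components(root):
    """Components whose simple class name suggests tooling that should not ship."""
    out = []
    for comp in root.find("application"):
        name = _attr(comp, "name")
        if name and any(h in name.rsplit(".", 1)[-1] for h in DEBUG_NAME_HINTS):
            out.append(name)
    return out


def audit_manifest(xml_text):
    root = load_manifest(xml_text)
    return {"targetSdk": target_sdk(root),
            "cleartext_allowed": cleartext_allowed(root),
            "backup": backup_posture(root),
            "exported": exported_components(root),
            "debug_components": debug_components(root)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it by passing the decoded manifest's text to audit_manifest. The sample sets fullBackupContent without allowBackup, so backup_posture reports allowBackup as true: the two attributes answer different questions. It also separates the two test-tooling findings: PreviewActivity is both shipped and exported, while the placeholder TestBedActivity, having neither an intent-filter nor an explicit exported attribute, is flagged only as shipped tooling reachable from the app's own process.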


Methodology

  1. APK acquisition via apkgk.com (CDN direct download)
  2. Identity verification: aapt dump badging — confirmed com.planetromeo.android.app / ROMEO v3.36.2 (badging establishes the declared package and version; apksigner verify --print-certs on the same file would additionally tie it to the publisher's signing certificate)
  3. Decompilation: jadx (Java source output, 249 source directories)
  4. Resource decode: apktool (AndroidManifest.xml, strings.xml, resource files)
  5. Secrets scan: apkleaks (API keys, endpoints, credentials)
  6. Manual code review: SSL handling, auth flow, data models, DI module

Note: A previous audit in this series targeted the package com.planetromeo, which turned out to be a package squatter (a mobile game, not ROMEO). This audit targets the correct package, com.planetromeo.android.app.
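Steps 5 and 6 above, the secrets scan and the manual review of SSL handling, auth flow and storage, can be front-loaded with a small pattern scan over the jadx output that points the reviewer at the files worth reading first. The following is an added example written for this page, not the audit's tooling or ROMEO code. Its inputs are constructed Java stand-ins whose file names mirror the ones the findings cite but whose bodies and key value are invented for the example. The rules encode the shapes of SEC-001, SEC-003 and SEC-004, and gated_bypass_files applies the audit's own reasoning that a trust-all manager sitting next to a KEY_TEST_BED toggle is a conditional bypass rather than an always-on one.

```python
import re

# Constructed stand-ins for jadx output. The file names mirror the ones the audit
# cites, but the bodies and the key value are invented for this example and are
# NOT the real decompiled ROMEO code.
SAMPLE_SOURCES = {
    "o3/C2821a.java": '''
package o3;
import okhttp3.Interceptor;
public final class C2821a {
    public static Interceptor apiKeyInterceptor() {
        return chain -> chain.proceed(chain.request().newBuilder()
            .addHeader("X-API-Key", "EXAMPLEKEY0000000000000000000000")
            .build());
    }
}
''',
    "n3/C2769d.java": '''
package n3;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.X509TrustManager;
public final class C2769d {
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    static final HostnameVerifier ANY_HOST = (hostname, session) -> true;
    static boolean testBedEnabled(android.content.SharedPreferences prefs) {
        return prefs.getBoolean("KEY_TEST_BED", false);
    }
}
''',
    "db/AccountsDb.java": '''
package db;
import android.database.sqlite.SQLiteOpenHelper;
public final class AccountsDb extends SQLiteOpenHelper {
    static final String DDL = "CREATE TABLE accounts (__sessionid TEXT, password TEXT)";
}
''',
}

# (rule id, meaning, pattern) against jadx-style Java; Kotlin output would need
# the same ideas with different syntax.
RULES = [
    ("noop-trustmanager", "checkServerTrusted with an empty body: any certificate is accepted",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    ("permissive-hostnameverifier", "HostnameVerifier that returns true for every host",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"
                r"|HostnameVerifier\s+\w+\s*=\s*\([^)]*\)\s*->\s*true\s*;")),
    ("hardcoded-api-key", "API key attached to a request header as a string literal",
     re.compile(r"(?:addHeader|header)\(\s*\"X-API-Key\"\s*,\s*\"([^\"]+)\"\s*\)")),
    ("unencrypted-sqlite", "platform SQLiteOpenHelper (SQLCipher would import net.sqlcipher.*)",
     re.compile(r"import\s+android\.database\.sqlite\.SQLiteOpenHelper\s*;")),
    ("testbed-toggle", "runtime preference that changes behaviour in the shipped build",
     re.compile(r"\"KEY_TEST_BED\"")),
]
TLS_RULES = {"noop-trustmanager", "permissive-hostnameverifier"}


def scan_sources(sources):
    """Run every rule over every file; findings carry 1-based line numbers."""
    findings = []
    for path, text in sources.items():
        for rule_id, meaning, rx in RULES:
            for m in rx.finditer(text):
                findings.append({
                    "rule": rule_id, "file": path, "meaning": meaning,
                    "line": text.count("\n", 0, m.start()) + 1,
                    # the captured key for the header rule, else the first matched line
                    "match": m.group(1) if m.lastindex else m.group(0).splitlines()[0].strip(),
                })
    return findings


def gated_bypass_files(findings):
    """Files where a TLS bypass sits beside a runtime toggle, i.e. the conditional
    SEC-003 shape rather than an always-on bypass. Same-file proximity is only a
    heuristic; how the toggle is wired still has to be read by hand."""
    rules_by_file = {}
    for f in findings:
        rules_by_file.setdefault(f["file"], set()).add(f["rule"])
    return sorted(path for path, rules in rules_by_file.items()
                  if rules & TLS_RULES and "testbed-toggle" in rules)


if __name__ == "__main__":
    found = scan_sources(SAMPLE_SOURCES)
    for f in found:
        print("%-28s %s:%d  %s" % (f["rule"], f["file"], f["line"], f["match"]))
    print("gated bypass in:", gated_bypass_files(found))
```

Replace SAMPLE_SOURCES with a dict built by walking the jadx output directory. The scan is a triage aid, not a verdict: a regex cannot tell whether the no-op TrustManager is ever installed into the HTTP client or under what condition, which is why the audit reads the DI module and the preference handling by hand.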


Files in This Repository

File                           Contents
reports/DIRECTOR-BRIEFING.md   Non-technical executive summary
reports/INTEL-SECURITY.md      Full security findings with technical detail
reports/INTEL-DATA.md          GDPR Art.9 data fields, data flow, compliance analysis
reports/INTEL-API.md           API endpoints, authentication, wire format
reports/INTEL-ARCHITECTURE.md  App architecture, build metadata, component map
reports/INTEL-SDKS.md          Third-party SDK inventory and risk ratings

App Technical Profile

Field                 Value
Primary API           https://pradn.net (v4)
Firebase project      api-project-4760212605
Travel API            https://api.gayguide.travel (Spartacus)
Sift Science Account  5948e6fbe4b0b50e4943c1a6
AdMob App ID          ca-app-pub-0030885515157287~7187724580
Language              Kotlin + Java (JVM), Jetpack Compose
DI                    Dagger/Hilt
Network               OkHttp 3 + Retrofit 2
Min SDK               26 (Android 8.0)

This research is published for public interest, security awareness, and GDPR compliance advocacy. WanderingWithPride does not endorse unauthorized access to any system. All findings were obtained through static analysis of a publicly available APK.
