Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the number three most downloaded free software title for iPhones and iPads.
Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information. Sarahah did not respond to requests for comment.
"Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah's uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software known as BURP Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, BURP Suite caught the app in the act of uploading his private data.
"As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system," he said. He later verified the same occurs on Apple's iOS, albeit after a prompt to "access contacts," which also appears in newer versions of Android. Julian also noticed that if you haven't used the application in a while, it'll share all of your contacts again. He did some testing on the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again."
Related Stories
After bans from Apple and Google, Sarahah debuts Enoff, an iOS app for anonymous feedback at work
Sarahah, the anonymous messaging app founded in Saudi Arabia that became an unexpected viral sensation with teens, clocking up over 300 million registered users before getting banned by Apple and Google over bullying, is making a return to the App Store — but not as you might think.
The startup has launched a new, free iOS app called Enoff (pronounced "enough") aimed at organizations, tapping into the wave of employee activism and speaking out about unfair practices to provide a way for people in a team to give anonymous, one-way feedback to bosses and human resources reps. An Android version of Enoff is coming "very soon," according to CEO and founder Zain al-Alabdin Tawfiq.
Available also on the web, the aim is to provide a way to give feedback in cases of harassment, corruption and other tricky workplace situations where employees might fear repercussions for speaking out.
Easy way to monetize app: allow bosses to pay to unmask users.
Also at Wired.
Previously: Hit App Sarahah Quietly Uploads Your Address Book
Related: Anonymous Social App Raises Controversy on College Campuses
Square Hires Yik Yak's Engineers, Leaving Fewer Than 10 Employees Behind
Japan's Recruit Holdings Co. Acquires Glassdoor for $1.2 Billion
(Score: 4, Informative) by Anonymous Coward on Monday August 28 2017, @12:08PM (2 children)
Non-free software:
You're the product!
(Score: 2) by bob_super on Monday August 28 2017, @06:59PM (1 child)
Usual nitpick: You're the consumer.
(Score: 1) by Goghit on Tuesday August 29 2017, @05:53PM
Is this not what Facebook does (or did)?
It was a long time ago, but I remember being shocked when I figured out that when I joined Facebook had slurped my email contacts. Probably another case of mumble, mumble, Read the EULA, mumble...
(Score: 3, Insightful) by metarox on Monday August 28 2017, @12:33PM (2 children)
I wonder why they can't automate this at the app store/approval level. Google/Apple can surely have versions of the OS in some device emulator, load the app with full analytics and catch 90% of these apps requesting permissions up front and monitor what they upload to servers. Then they could either reject that app because it doesn't disclose what data it sends and/or add a big fat red warning text on the app page warning of which permissions and data the app makes use of and uploads from the device warning users before they install the app what will happen with their data.
Why do these things need to be caught by folks after the fact...
(Score: 0) by Anonymous Coward on Monday August 28 2017, @12:49PM
See, you're wrong about this:
The app does disclose what it sends, after all, it requests permissions to your contacts and those are listed. So it does 'declare' that it has access to them. And once it has access to it, you should assume it harvests the data. The user made an 'informed' decision and out of their own volition, granted this app permissions to harvest the data. I mean it (the user) was told it was going to access this data. What difference is there if we access it on their phone or, in absence of their phone, on our servers?
Regarding scaring 'consumers' away with your fancy warnings, that is bad for business. And business is about extracting the very last drop out of every single one of your lemons^Wcustomers^Wproducts. So you squeeze as hard as you fucking can, then squeeze some more, and a third time even more just for good measure; and then you use everything you've squeezed out of your lemon and use that against that lemon for the rest of that lemon's existence. Because after all, you can legitimately fuck that lemon over now since you *know* they won't be your customer anymore. You've extracted everything from them that there is to extract.
(Score: 2, Interesting) by Anonymous Coward on Monday August 28 2017, @12:58PM
Well, let's say they test the app for one week. Then soon the malicious apps will simply wait a week before starting their malicious behaviour. So all this will give is a false sense of security.
No, the correct solution would be if those apps could never upload the data in the first place. After all, a legitimate app doesn't need to see the data, it only needs to be able to act on it (like, initiating a call). So it should be possible to insulate the actual data from the app. Inside the app it would be represented by a handle, and when acting on it, the operating system would look up the actual data for presentation, making a call, or similar.
(Score: 2, Insightful) by Anonymous Coward on Monday August 28 2017, @12:39PM (2 children)
Is anyone surprised that apps who ask access to your contacts do this?
Does this thing also ask for other permissions? If it asks for permissions to your calendar, I guarantee you that it uploads the stuff as well.
One of the problems is that there is a lacking in granular permissions granting. How about these:
1) Granted: you get the real data
2) Denied: you don't get any data and I want you to know you get none
3) Faked: you are told you get permission 1) but in reality you get faked data. The data is either made up every time you ask for it (and may or may not change after every request) or you always are told "Here's the list of data, what do you mean, it's empty?"
But no, there's no money in that for companies like google who want everything.
Oh, and don't get me started on resetting permissions when you install an update.
Mobile platforms are incredibly broken. It's almost at a point where you'd have to throw it all away and start over again! Where's Purism [puri.sm] or FirefoxOS or Jolla or whatever. Something that gives me control over my devices instead of saying "if you want to use this, you have no choice but to let us repeatedly fuck you up the arse with this 9inch diameter Arizona-desert cactus and you will like it and ask for more".
For fuck's sake... It's only Monday and I feel grumpy already! :(
(Score: 0) by Anonymous Coward on Monday August 28 2017, @01:08PM (1 child)
Firefox OS is abandoned, and since then, the browser has been crawling back from the brink, FINALLY getting some attention after having been left to rot for awhile.
The others, well...Jolla's around. Not widely used, but it's around. First I've heard of Purism though.
(Score: 3, Informative) by pTamok on Monday August 28 2017, @01:19PM
Jolla Sailfish OS is around, and Jolla has just announced it will be available for the Sony Xperia X phone, so lots of people who have been waiting to be able to replace their old Jolla phone hardware now have something they can move to. You have to source the Sony phone yourself, then download the Jolla Sailfish OS to it, but it is still available....just.
Official Jolla blog entry announcing it here: https://blog.jolla.com/sailfishx/ [jolla.com]
Jolla (the company) have been through some pretty tough times, and are not out of the woods yet. I use an original Jolla phone, but have no other connection to the company. Some people are less than happy about Jolla's handling of the non-production of a tablet running Sailfish OS.
There is an Indiegogo project to independently produce a tablet running Sailfish OS ( Youyota Sailfish OS 2-in-1 Tablet ). It looks interesting, but I have not committed funds to it. If you fell like doing so, do extensive research beforehand.
Link here: https://www.indiegogo.com/projects/youyota-sailfish-os-2-in-1-tablet#/ [indiegogo.com]
I have no connection with this project either.
(Score: 5, Insightful) by RS3 on Monday August 28 2017, @02:53PM (7 children)
How is it that if I digitally transfer a copy of a song or movie file, it's theft. But somehow it's not theft if the app steals my addressbook?
Oh, I installed the app, it's OK because TOS?
OK, so if someone invites me into their home, I'm allowed to eat and drink anything I want, because TOV (Terms of my Visit).
(Score: 5, Interesting) by Virindi on Monday August 28 2017, @04:05PM (5 children)
More like you are invited into the home and respond with a large book of papers that you want the homeowner to agree to. You say, "meh it's just boilerplate" and they happily sign it without even glancing at it.
The problem is not that people are permitted to make stupid agreements. The problem is that: 1) people are too lazy to act in their own interest, 2) people value free stuff over their privacy, and 3) people expect that even if they voluntarily make a stupid agreement, someone else will protect them from their own choice. In short, the problem is cultural.
If we want to solve it we should start by teaching our kids to read every word of every contract they agree to.
(Score: 4, Insightful) by Nuke on Monday August 28 2017, @04:49PM (4 children)
Then they make the contract so fucking tedious, like as long as War and Peace that it is impractical to read it. Some software contracts are already like that.
(Score: 2, Interesting) by noneof_theabove on Monday August 28 2017, @05:44PM
ALWAYS start from the end and read back.
Analogy:
You MUST use an ink pen to answer questions.
Read ALL of the questions first.
1).......
# last on page 2-3) Sign your name in the upper right corner and turn in.
So you start read T/C and get bored because all looks ok.
On the last section they reverse everything stated in the beginning.
This IS CONTRACT LAW - and legal.
(Score: 0) by Anonymous Coward on Monday August 28 2017, @06:39PM
If we educate properly then these asshole companies will be boycotted as it violates what *will be* common sense. Yes I am being optimistic.
(Score: 0) by Anonymous Coward on Monday August 28 2017, @08:49PM
then we need to start gettign the contracts enforced very hard, very visibly, and to much pain and embarassment for everyone involved with it.
until it becomes too mentally challenging to click next to continue or whatever the phrase is used now to tap your privacy away to some cloud monetizer, it will continue. it is the default. the android OS was built to deliver ads and no one would buy it for that purpose, so it got given away for free and has allowed people to branch off of it and do things besides make calls and receive ads.
its so ubiquitous to expect the info to be out there it's like every business can buy info on a person but no person can buy the same info for themselves. this has to stop, or someone with deep pockets needs to start exposing this stuff in a very public way.
(Score: 2) by TheRaven on Tuesday August 29 2017, @08:08AM
sudo mod me up
(Score: 0) by Anonymous Coward on Monday August 28 2017, @07:28PM
Because data wants to be free?