SoylentNews is people

posted by Fnord666 on Monday August 28 2017, @11:41AM
from the questionable-behavior dept.

Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the number three most downloaded free software title for iPhones and iPads.

Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information. Sarahah did not respond to requests for comment.

"Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah's uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software known as BURP Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, BURP Suite caught the app in the act of uploading his private data.

"As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system," he said. He later verified the same occurs on Apple's iOS, albeit after a prompt to "access contacts," which also appears in newer versions of Android. Julian also noticed that if you haven't used the application in a while, it'll share all of your contacts again. He did some testing on the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again."
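
The check Julian ran by hand can be scripted: seed the test device's address book with canary contacts, capture the app's outbound requests through the intercepting proxy, and search the request bodies for those values, including on a later relaunch. This is an added example, not code from the article or from Bishop Fox; the canary contacts, host names and captured bodies are constructed, and `find_leaks` is a hypothetical helper.

```python
import re
from urllib.parse import unquote_plus

# Canary contacts seeded into the test device's address book (constructed values).
CANARIES = {
    "emails": {"canary.alice@example.test", "canary.bob@example.test"},
    "phones": {"+1 202-555-0143", "+1 202-555-0178"},
}

# Constructed stand-in for an intercepting proxy's export: (launch, host, body).
CAPTURED = [
    ("first-launch", "api.app.example", '{"user":"tester","password":"x"}'),
    ("first-launch", "api.app.example",
     '{"contacts":[{"email":"Canary.Alice@example.test","phone":"(202) 555-0143"},'
     '{"email":"canary.bob@example.test","phone":"+12025550178"}]}'),
    ("first-launch", "cdn.app.example", "v=1&locale=en_US"),
    ("relaunch-after-idle", "api.app.example",
     "emails=canary.alice%40example.test&phones=2025550143"),
]

def digits(s):
    """Strip everything except digits so differently formatted numbers compare equal."""
    return re.sub(r"\D", "", s)

def find_leaks(captured, canaries):
    """Return {(launch, host): sorted canary values found in that host's request bodies}."""
    phone_keys = {digits(p)[-10:]: p for p in canaries["phones"]}  # match on last 10 digits
    leaks = {}
    for launch, host, body in captured:
        text = unquote_plus(body).lower()          # undo URL encoding, ignore case
        hits = {e for e in canaries["emails"] if e.lower() in text}
        # Phone formatting varies, so compare digit runs rather than raw strings.
        for run in re.findall(r"\+?\d[\d\s().-]{6,}\d", text):
            key = digits(run)[-10:]
            if key in phone_keys:
                hits.add(phone_keys[key])
        if hits:
            leaks.setdefault((launch, host), set()).update(hits)
    return {k: sorted(v) for k, v in leaks.items()}

if __name__ == "__main__":
    for (launch, host), values in find_leaks(CAPTURED, CANARIES).items():
        print(f"{launch}: {host} received {len(values)} canary value(s): {values}")
```

Grouping the hits by launch is what surfaces the repeat upload Julian saw after the app had been idle.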


  • (Score: 3, Insightful) by metarox on Monday August 28 2017, @12:33PM (2 children)


    I wonder why they can't automate this at the app store/approval level. Google/Apple can surely have versions of the OS in some device emulator, load the app with full analytics and catch 90% of these apps requesting permissions up front and monitor what they upload to servers. Then they could either reject that app because it doesn't disclose what data it sends and/or add a big fat red warning text on the app page warning of which permissions and data the app makes use of and uploads from the device warning users before they install the app what will happen with their data.

    Why do these things need to be caught by folks after the fact...

  • (Score: 0) by Anonymous Coward on Monday August 28 2017, @12:49PM


    "Then they could either reject that app because it doesn't disclose what data it sends and/or add a big fat red warning text on the app page warning of which permissions and data the app makes use of and uploads from the device warning users before they install the app what will happen with their data."

    See, you're wrong about this:
    The app does disclose what it sends, after all, it requests permissions to your contacts and those are listed. So it does 'declare' that it has access to them. And once it has access to it, you should assume it harvests the data. The user made an 'informed' decision and out of their own volition, granted this app permissions to harvest the data. I mean it (the user) was told it was going to access this data. What difference is there if we access it on their phone or, in absence of their phone, on our servers?
    Regarding scaring 'consumers' away with your fancy warnings, that is bad for business. And business is about extracting the very last drop out of every single one of your lemons^Wcustomers^Wproducts. So you squeeze as hard as you fucking can, then squeeze some more, and a third time even more just for good measure; and then you use everything you've squeezed out of your lemon and use that against that lemon for the rest of that lemon's existence. Because after all, you can legitimately fuck that lemon over now since you *know* they won't be your customer anymore. You've extracted everything from them that there is to extract.

  • (Score: 2, Interesting) by Anonymous Coward on Monday August 28 2017, @12:58PM


    Well, let's say they test the app for one week. Then soon the malicious apps will simply wait a week before starting their malicious behaviour. So all this will give is a false sense of security.

    No, the correct solution would be if those apps could never upload the data in the first place. After all, a legitimate app doesn't need to see the data, it only needs to be able to act on it (like, initiating a call). So it should be possible to insulate the actual data from the app. Inside the app it would be represented by a handle, and when acting on it, the operating system would look up the actual data for presentation, making a call, or similar.
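
The handle design proposed in the last comment above, sketched as a small model: the OS-side broker keeps the address book, the app receives only random per-app handles, and actions are resolved inside the broker. This is an added example, not part of the thread and not any real mobile OS API; `ContactBroker`, `perform`, `app_upload_payload` and the address book are hypothetical and constructed for illustration.

```python
import secrets

class ContactBroker:
    """Models the OS side: it alone holds contact data; apps hold opaque handles."""

    ACTIONS = {"call", "show"}               # what an app may ask the OS to do

    def __init__(self, address_book):
        self._book = dict(address_book)      # name -> phone; never returned to apps
        self._handles = {}                   # (app_id, handle) -> name
        self.audit = []                      # OS-side record of resolved actions

    def pick_contacts(self, app_id):
        """Issue one random, per-app handle per contact, with no data attached."""
        handles = []
        for name in self._book:
            handle = secrets.token_hex(8)
            self._handles[(app_id, handle)] = name
            handles.append(handle)
        return handles

    def perform(self, app_id, handle, action):
        """Resolve the handle inside the OS; the app learns only that it succeeded."""
        name = self._handles.get((app_id, handle))
        if name is None or action not in self.ACTIONS:
            raise PermissionError("unknown handle or action for this app")
        # The dialer or system UI would use self._book[name] here, outside the app.
        self.audit.append((app_id, action, name))
        return True

def app_upload_payload(handles):
    """The most an app can send to its server: the handles it was given."""
    return ",".join(handles)

if __name__ == "__main__":
    # Constructed address book for the demonstration.
    broker = ContactBroker({"Alice": "+1 202-555-0143", "Bob": "+1 202-555-0178"})
    handles = broker.pick_contacts("app.a")
    broker.perform("app.a", handles[0], "call")
    print("app can upload only:", app_upload_payload(handles))
    print("OS audit log:", broker.audit)
```

In this model the app still learns how many contacts exist, and because handles are issued per app, a handle uploaded by one app resolves to nothing when presented by another.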