
posted by Fnord666 on Monday August 28 2017, @11:41AM   Printer-friendly
from the questionable-behavior dept.

Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the number three most downloaded free software title for iPhones and iPads.

Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information. Sarahah did not respond to requests for comment.

"Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah's uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software known as BURP Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, BURP Suite caught the app in the act of uploading his private data.

"As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system," he said. He later verified the same occurs on Apple's iOS, albeit after a prompt to "access contacts," which also appears in newer versions of Android. Julian also noticed that if you haven't used the application in a while, it'll share all of your contacts again. He did some testing on the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again."
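The check described above boils down to watching an intercepting proxy for requests whose bodies carry bulk address-book data, and noticing when the same endpoint receives it again later. The script below is an added example, not code from the article, Bishop Fox or Sarahah: it assumes the proxy's captured requests have been exported as simple method/URL/content-type/body records, and the sample captures, the `contacts/sync` endpoint name and the JSON layout are constructed for illustration only.

```python
"""
Flag intercepted HTTP requests that carry bulk address-book data.

Added example. It assumes requests were already captured by an intercepting
proxy (e.g. Burp Suite) and exported as (method, url, content_type, body)
records; the sample records at the bottom are constructed, not real traffic.
"""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern; real filtering happens on the digit count below.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def _leaves(value):
    """Yield every string leaf of a decoded JSON or form structure."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _leaves(v)
    elif isinstance(value, list):
        for v in value:
            yield from _leaves(v)
    elif isinstance(value, str):
        yield value


def extract_contacts(body, content_type):
    """Return (emails, phones) found in one request body, as sets of strings."""
    if "json" in content_type:
        try:
            leaves = list(_leaves(json.loads(body)))
        except ValueError:
            leaves = [body]
    elif "x-www-form-urlencoded" in content_type:
        leaves = list(_leaves(parse_qs(body)))
    else:
        leaves = [body]
    emails, phones = set(), set()
    for text in leaves:
        emails.update(m.lower() for m in EMAIL_RE.findall(text))
        # Blank out emails first so digits inside an address are not read as a phone.
        for m in PHONE_RE.findall(EMAIL_RE.sub(" ", text)):
            digits = re.sub(r"\D", "", m)
            if 8 <= len(digits) <= 15:
                phones.add(digits)
    return emails, phones


def flag_bulk_uploads(captures, threshold=5):
    """Group captured requests by URL and report endpoints that received at least
    `threshold` distinct contact identifiers in one request, counting how many
    times it happened (the article notes the app re-sends after idle periods)."""
    hits = defaultdict(lambda: {"uploads": 0, "emails": 0, "phones": 0})
    for cap in captures:
        if cap["method"] not in ("POST", "PUT"):
            continue
        emails, phones = extract_contacts(cap["body"], cap.get("content_type", ""))
        if len(emails) + len(phones) >= threshold:
            h = hits[cap["url"]]
            h["uploads"] += 1
            h["emails"] = max(h["emails"], len(emails))
            h["phones"] = max(h["phones"], len(phones))
    return dict(hits)


# Constructed sample captures (hypothetical host and endpoint, not real app traffic).
_SYNC_BODY = json.dumps({"contacts": [
    {"name": "Bob", "phones": ["+1 555 010 0001"], "emails": ["bob@example.com"]},
    {"name": "Carol", "phones": ["(555) 010-0002"], "emails": ["carol@example.org"]},
    {"name": "Dave", "phones": ["+44 20 7946 0003"], "emails": []},
    {"name": "Erin", "phones": [], "emails": ["erin@example.net"]},
]})
SAMPLE_CAPTURES = [
    {"method": "POST", "url": "https://api.example.invalid/login",
     "content_type": "application/x-www-form-urlencoded",
     "body": "username=alice%40example.com&password=hunter2"},
    {"method": "GET", "url": "https://api.example.invalid/feed",
     "content_type": "", "body": ""},
    # First launch: whole address book goes out.
    {"method": "POST", "url": "https://api.example.invalid/contacts/sync",
     "content_type": "application/json", "body": _SYNC_BODY},
    # Same payload again after the app was idle for a while.
    {"method": "POST", "url": "https://api.example.invalid/contacts/sync",
     "content_type": "application/json", "body": _SYNC_BODY},
]

if __name__ == "__main__":
    for url, h in flag_bulk_uploads(SAMPLE_CAPTURES).items():
        print(f"{url}: {h['uploads']} upload(s), up to {h['emails']} emails "
              f"and {h['phones']} phone numbers per request")
```

Run against the constructed captures, only the sync endpoint is reported (two uploads, three emails and three phone numbers each); the login request carries a single address and stays below the threshold. The threshold is deliberately low so that even a small address book trips it, and it is applied per request, which is what separates a normal login or profile update from an address-book dump.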

  • (Score: 0) by Anonymous Coward on Monday August 28 2017, @12:49PM (#560199)

    > Then they could either reject that app because it doesn't disclose what data it sends and/or add a big fat red warning text on the app page warning of which permissions and data the app makes use of and uploads from the device warning users before they install the app what will happen with their data.

    See, you're wrong about this:
    The app does disclose what it sends, after all, it requests permissions to your contacts and those are listed. So it does 'declare' that it has access to them. And once it has access to it, you should assume it harvests the data. The user made an 'informed' decision and out of their own volition, granted this app permissions to harvest the data. I mean it (the user) was told it was going to access this data. What difference is there if we access it on their phone or, in absence of their phone, on our servers?
    Regarding scaring 'consumers' away with your fancy warnings, that is bad for business. And business is about extracting the very last drop out of every single one of your lemons^Wcustomers^Wproducts. So you squeeze as hard as you fucking can, then squeeze some more, and a third time even more just for good measure; and then you use everything you've squeezed out of your lemon and use that against that lemon for the rest of that lemon's existence. Because after all, you can legitimately fuck that lemon over now since you *know* they won't be your customer anymore. You've extracted everything from them that there is to extract.