Hit App Sarahah Quietly Uploads Your Address Book (theintercept.com)
An anonymous reader shares a report: Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google's online stores, making it the No. 3 most downloaded free software title for iPhones and iPads. Sarahah bills itself as a way to "receive honest feedback" from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information. Zachary Julian, a senior security analyst at Bishop Fox, discovered that Sarahah was uploading private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.
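The summary above describes catching the upload by routing the phone through an intercepting proxy and reading the requests. The check a practitioner would automate over such captures is shown below as an added example; it is not code from the article, from Bishop Fox or from Sarahah. The two HTTP requests it scans are constructed for the example (the host `api.example.invalid` and the paths are invented, not the app's real endpoints), and the threshold of five distinct contact-like values per request is an arbitrary choice. It flags any single request carrying a bulk of e-mail addresses or phone numbers, and separately flags contact data sent over plaintext HTTP.

```python
import json
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Deliberately loose patterns: the signal is the *volume* of contact-like
# tokens in one request, not perfect validation of each token.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


@dataclass
class Capture:
    """One intercepted request, as a proxy such as Burp would show it."""
    scheme: str
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_request(raw: str, scheme: str = "https") -> Capture:
    """Split a raw HTTP/1.1 request into request line, headers and body.

    The proxy knows the scheme from the connection, so it is passed in.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Capture(scheme, method, headers.get("host", ""), path, headers, body)


def extract_strings(body: str, content_type: str) -> list:
    """Flatten a JSON or form-encoded body into the string values to scan."""
    if "json" in content_type:
        try:
            obj = json.loads(body)
        except ValueError:
            return [body]
        out, stack = [], [obj]
        while stack:  # iterative walk over nested dicts/lists
            cur = stack.pop()
            if isinstance(cur, dict):
                stack.extend(cur.values())
            elif isinstance(cur, list):
                stack.extend(cur)
            elif cur is not None:
                out.append(str(cur))
        return out
    if "x-www-form-urlencoded" in content_type:
        return [v for values in parse_qs(body).values() for v in values]
    return [body]


def count_contacts(strings: list) -> tuple:
    """Return (distinct e-mail addresses, distinct phone numbers) found."""
    emails, phones = set(), set()
    for s in strings:
        emails.update(m.lower() for m in EMAIL_RE.findall(s))
        # Normalise phones to digits only so "+1 555..." and "1-555..." dedupe.
        phones.update(re.sub(r"\D", "", m) for m in PHONE_RE.findall(s))
    return len(emails), len(phones)


def analyze(cap: Capture, threshold: int = 5) -> list:
    """Findings for one request: bulk address-book upload, plaintext transport."""
    content_type = cap.headers.get("content-type", "")
    emails, phones = count_contacts(extract_strings(cap.body, content_type))
    findings = []
    if emails + phones >= threshold:
        findings.append(
            f"bulk contact upload: {emails} emails, {phones} phones "
            f"in {cap.method} {cap.scheme}://{cap.host}{cap.path}"
        )
    if cap.scheme == "http" and emails + phones > 0:
        findings.append("contact data sent over plaintext HTTP")
    return findings


# Constructed sample captures (not real traffic from any app).
BULK_RAW = (
    "POST /api/v1/contacts/sync HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "Content-Type: application/json\r\n\r\n"
    + json.dumps({"device": "android", "contacts": [
        {"name": "A", "phone": "+1 555 010 0101", "email": "a@example.com"},
        {"name": "B", "phone": "+1 555 010 0102", "email": "b@example.com"},
        {"name": "C", "phone": "(555) 010-0103", "email": "c@example.org"},
        {"name": "D", "phone": "555-010-0104", "email": "d@example.net"},
    ]})
)
BENIGN_RAW = (
    "POST /login HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice%40example.com&password=hunter2"
)

if __name__ == "__main__":
    for raw, scheme in ((BULK_RAW, "http"), (BENIGN_RAW, "https")):
        cap = parse_request(raw, scheme)
        print(f"{cap.method} {cap.path}: {analyze(cap) or 'no findings'}")
```

In practice the raw requests come from the proxy's export (Burp's saved items or a mitmproxy flow dump) rather than inline constants, and the threshold is tuned per app; a login or single-contact lookup should never trip it, while a first-launch sync of an entire address book does.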
Big news! Something almost every other free app does... Shocker.
Seems to me more and more the entire 'app store' concept is a failure from the standpoint of just about everything but making money. At best you have a little simple program that can't do a whole lot of anything, but it's also always one TOS change away from completely destroying your data security. Not to mention that they seem to be just as susceptible to a lot of the common security problems that show up.
Previously Sarahah would max out the speaker volume and read my address book aloud while making snarky comments as it read each entry. I'm much happier now that it no longer comments on how often I've called my mother.
Anons need not reply. Questions end with a question mark.
The US State Department extends this thanks to the millions of fans of our data collection programs. Being harvested from your contact information is not just the privilege of the political figures of the world anymore. Thank You again, citizens of the world.
Does it come with a quick-dial to the suicide hotline?
Joking aside, if you download an app and 'allow contacts' when it asks you, probably you should expect them to be grabbing your contacts and using them however they wish. The only surprise here is that people are surprised by this behavior.
Renting usually entails some sort of provision of rights to the renter...
There is no XUL, only WebExtensions...
I think the thing missing from most people's evaluation of such things is the integrity of the app author. The presumption that Apple or Google is looking out for you is incorrect, so you have to go back to the author, which has no known past history of integrity. So why would you trust them to anonymize anything, never mind having your contact list?
This is why I don't download apps, other than the ridiculously short app lifecycles necessitating constant updates. If I don't trust you in the first place, why would I want you updating my phone weekly (or less)?
This kind of thing is created to prey on the young and stupid, I suppose.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
This is totally preaching to the choir here, but sooner or later, everyone needs to come to the realization that your data is worth a TON of dollars. What's better with today's tech than building you a whiz-bang service for 'free'? And how do you think it remains 'free'? Situations exactly like this. It's a completely massive intangible but highly potent asset anyone starting any established or startup company wants to have.
As long as everyone keeps making a quick popular trend of these types of services wrapped around mobile app obfuscation, it won't ever end. At the end of the day with these companies, it matters very little what type of shit they are selling, it's all about what they are getting or can get to. The 'phone' these days is the most personal damn thing any one of us suckers use anymore, right?
Could be worse. Most Android apps still are on the old permission model where one either allows everything, or the app won't be installed. So, upon installing an app, you give the app free rein to everything and anything.
I personally hope this starts happening more often and gets even more creepy than it is now. We need something to blow up and draw attention to what happens when privacy doesn't exist, because apparently we're still in the denial phase.
I was wondering why the volume of spam was up dramatically.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I was told that VCs will only invest in one of two things:
Apps that sling ads.
Apps that suck data in large quantities.
This is why stuff like Meitu got so much funding and praise. The app did little to nothing except give a lot of data to its owners.
Similar with Sarahah. Some relatively shitty servers are up, and now some unknown people over in the Middle East now have a ton of connections of Americans and Europeans, as well as private, intimate things of their life. Perfect intel gathering for people who don't like Americans.
Um, your contact list is NOT private data on Android or iOS.
Well, apparently it IS private data on iOS: the article says that Sarahah uploads your contacts immediately and without permission when running on Android, but on iOS it has to ask your permission to access your contacts.
So, score one for iOS (and for more recent versions of Android, that incorporate that privacy feature from iOS).
Some apps I use on both Android and iOS - and some I don't. And it amazes me that the iOS version may need only access to the mic but the Android one needs access to contacts, camera, mic, location, photos, and everything else.
WTF?!
I will not download such apps. Access to contacts is forbidden.
I don't care what the reason/excuse is. And you know what? I don't miss them in the slightest.
Android apps are the worst offenders.
I feel android has made this worse recently, with the move to broad "categories" of permissions. Originally it seemed pretty easy to determine when an app was asking for something it didn't need, now it seems every permission has at least one area that could lead to something malicious, and the user is left wondering what the app is actually going to do.
Seriously. An app that allows people to send you anonymous messages? I read their justification: to get candid feedback from coworkers and such. I suppose if that is something you welcome, then letting the app have access to your contacts so it would know who can send you messages, is expected.
But really, who would do this? If I know you, and you want to offer me candid feedback, do it.
That's not true at all. If an app still had the old permission model then it wouldn't even show up in a Play Store search on newer* devices.
*2013+.
The surprise here is that the data left the app unencrypted.
And I would have gotten away with it, too, if it wasn't for those pesky kids I hired for $5/hr to code my app not using a TLS certificate and strong trust validation!
Support my political activism on Patreon.
The teen suicide rate from bullying already proves this.
In the US, rentals have a lot of restrictions on privacy. For example, in my state, if I, as the landlord, wish to inspect a property I'm renting to someone else, I'm required to give them at least 48 hours notice of the visit.
... those fuckers would steal this idea in a heartbeat.
Suppose you were an idiot and suppose you were a member of Congress
Airbnb asks for a few things to verify your identity, including login to Google or Facebook... However, Google warns you that "Airbnb wants access to your address book" ...
Slashdot, fix the reply notifications... You won't get away with it...
People are stupid.
Furthermore, Sarahah is not free software (which is claimed in the abstract).
I have seen more and more apps from Google Play with permissions that have nothing to do with their functionality, so how do we disallow this? I thought that you could do this with an app if you rooted your phone, but is rooting required? Because once you root, some apps aren't even available anymore, such as Netflix. I mean, why does a compass app need my contacts?
Almost entirely just like Whatsapp, Facebook, Telegram, etc. etc. etc.
In fact, I do have something to hide: my contacts' privacy.
Is there any address book alternative out there that hides data to apps that request access and want to suck it, but makes contacts available to apps with a legitimate need?
Free, as in your money being freed from the confines of your account.
What kind of nonsense is this? Ever since iPhone 4/4S, you can restrict apps from touching your Contacts.
I suspect the GP is referring to the privacy topic, not the suicide hotline topic.
I owned phones with iOS, Android, and BlackBerry 10. Android and iOS (at least the versions I had) would only allow you to accept *all* of the permissions the application wants (all or nothing). At least BlackBerry 10 would let you refuse individual permissions while accepting others. It rarely works, though. On BlackBerry, the apps will double-check that they are getting whatever permissions they want and will refuse to start if you selectively disallow a few.
Today I use an early Symbian phone (Phillips Xenium) that won't even run apps at all.
I think you meant "Score one for early roms of Android that had this feature long before it was a twinkle in iOS's eye" :)
I remember revoking permissions on Gingerbread. Fun times...
Permissions need settings: No, Yes, Lie (No but tell the App Yes so I can use the App).
iOS hasn't worked that way in a long time.
You don't have to give them any notice if it is an emergency or an issue that threatens the material value, inhabitability, or occupancy permit.
Are there any good open-source contacts and email apps for android that are reasonably good?
I am tired of turning off contacts access as a ritual after every other app install. I just want the OS level contact list to be empty or be a dummy list.
I want a phone app that maintains its own contacts internally... or a separate contacts app that can launch the phone. I really don't need the convenience of invoking contacts from third party apps and find their propensity to download my entire address book creepy.
I would like an open source email client I can trust, which does not "integrate" my address book again. This whole personal data interoperability and integration functionality is unnecessary for me and is more of an annoyance than a convenience.
Either have users confirm every instance and be allowed to see what data is being accessed or allow the user to create separate contacts "wallets". I don't know the solution, but this is happening frequently enough that the OS needs to give the user more control than "yeah, have at my black book."
On iOS you can't even send a text without a user confirmation, but someone wants to dump your entire phonebook and that's OK???
I swear to God...I swear to God! That is NOT how you treat your human!
Please have someone pull your bowels out through your ass and strangle you with them. You retarded shit.
You are an ignorant and stupid shit. Please stop breathing.
You sounded a bit culpable there, son. You know there's this app for that that lets you say those things anonymously.
It seems like XPrivacy (http://repo.xposed.info/module/biz.bokhorst.xprivacy) would stop this crap.
Google deliberately does not allow you to deny net access for apps (because ads), the platform will never be safe.