Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hit App Sarahah Quietly Uploads Your Address Book (theintercept.com)

Posted by msmash on from the privacy-woes dept.

An anonymous reader shares a report: Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google's online stores, making it the No. 3 most downloaded free software title for iPhones and iPads. Sarahah bills itself as a way to "receive honest feedback" from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information. Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah is uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.

40 of 72 comments (clear)

  1. Remember, the Walled Garden is for you safety by Noishkel · · Score: 1

    Seems to me more and more the entire 'app store' concept is a failure from the stand point of just about everything but making money. At best you have a little simple program that can't do a whole lot of anything, but it's also always one TOS change away from completely destroying your data security. Not to mention that they seem to be just as susceptible to a lot of the common security problems that show up.

    1. Re:Remember, the Walled Garden is for you safety by Anonymous Coward · · Score: 1, Funny

      This is exactly why people should only use FOSS software or software that they write themselves. Otherwise, you just don't know.

    2. Re:Remember, the Walled Garden is for you safety by JaredOfEuropa · · Score: 5, Insightful

      Nope. At least on iOS the app cannot access your address book without you giving it explicit permission (apparently also the case on newer version of Android according to the article). Neither can it access anything else. There also seems to be much less worry about malware on iOS; most BYOD schemes I've seen require virus scanners, sandboxing and/or monitoring software on Android, but only require a strong PIN on iPhones (or the fingerprint scanner)

      By the way, accessing the address book in order to find out if any of your friends are making use of the service is a legitimate reason to access the address book. I suspect it's an important reason for WhatsApp to become as popular as it did, since you didn't need to ask your friends if they signed up and what their handle was. But for this very reason you would expect Apple and Google to come up with a way to match friends on your address list without giving them full access, for example by providing a function that gives you a unique (for your service) user ID for each contact, by hashing a phone nr after salting it with the App ID or some such. That way the app can poll the service to see who signed up without requiring access to the actual address book.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:Remember, the Walled Garden is for you safety by Kkloe · · Score: 2

      lol

    4. Re:Remember, the Walled Garden is for you safety by vux984 · · Score: 4, Insightful

      . At least on iOS the app cannot access your address book without you giving it explicit permission (apparently also the case on newer version of Android according to the article). Neither can it access anything else

      The trouble remains that 'access' and 'upload the entire thing' is the same thing.

      I suspect it's an important reason for WhatsApp to become as popular as it did, since you didn't need to ask your friends if they signed up and what their handle was.

      Feature or bug? Maybe I don't WANT *everyone* to know I signed up. I signed up for telegram a while back to try it out with my wife. I was pretty appalled when a bunch of people at work started messaging me all over the place on it. We already have plenty of approved channels for them to reach me on; i was deliberately looking for something that I could leave running 24x7 on multiple devices... and not get messages from people at work.

      But for this very reason you would expect Apple and Google to come up with a way to match friends on your address list without giving them full access, for example by providing a function that gives you a unique (for your service) user ID for each contact, by hashing a phone nr after salting it with the App ID or some such. That way the app can poll the service to see who signed up without requiring access to the actual address book.

      This is a good idea. But even that is more sharing than I might want. They still get to build a social graph on graph on me that's bigger than letting me expose only the social graph I want to expose to them. They still know I am 'connectd' to all those people at work, even though i have no intention of connecting to them on the app, etc.

      Games are notably bad for this too. I might wish to play a game and associate and communicate and share only with my wife and kids... but the social shit brings my sister inlaw in, randos at work, the neighbors, vendors and clients, lawyers and accountants, etc... not everyone on my contacts list is my 'friend'; and I don't want to connect to the vast majority of people in my contacts with any given app.

    5. Re:Remember, the Walled Garden is for you safety by JaredOfEuropa · · Score: 1

      Agreed: the OS should prompt for user permission to use even that simple hash function. And iOS guidelines already state that an app should cope when it gets "no" for an answer when asking for access to system features or user data. Sadly most developers want to force you to use the "social shit" since that is what makes their service valuable and a nice candidate to be bought by FB or Google (or at least some idiot VC)

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    6. Re:Remember, the Walled Garden is for you safety by vux984 · · Score: 3, Insightful

      So I just ran into this sort of issue with an app... its a simple app.

      https://play.google.com/store/...

      It's a simple app... stick your phone on silent, and it pops up to ask you how long. The idea that you usually know how long your want your phone to be silent when you put it on silent, and often forget about afterwards.

      It requests permission to "take videos and pictures"

      WTF right? Why does it need that permission?

      "15.3: Fix for interference with video recording apps. To detect when the camera is in use, camera permission is needed. This is optional in Android 6+, but if you don't give permission, Shush! can't tell that you're using the camera, and may pop up during video recording."

      FFS ... seriously. And you see this sort of thing all the time. To 'play nice' with the phone and make sure it behaves nicely when you are on the phone, or taking a video, etc... the permission to determine simply whether you are using the camera or phone itself requires you to give the app permission to make calls and take videos. Those basic status APIs should be available without special permission or they should require a separate 'status permission' separate from the ability to make calls or take video.

      How are we at version 6 of android, and you still need to give an app permission to take pictures and video just to give it permission to avoid irritating you while you are taking videos with a different app?

    7. Re:Remember, the Walled Garden is for you safety by jbn-o · · Score: 1

      Nope. At least on iOS the app cannot access your address book without you giving it explicit permission (apparently also the case on newer version of Android according to the article). Neither can it access anything else.

      So long as the software is proprietary, technical users have no idea what the proprietary program is programmed to do (what it's capable of). And when that software is changed (patched or updated) programmers who can figure out what that program does have to re-learn what the program does. That's a lot of work to do every time a program is changed. This is why proprietors don't respect a user's freedom to run, share, inspect, and modify; proprietors use their power against the user. The consequence of this is that claims to the contrary (such as your assertions above) are not believable because they're either beyond the claimant's knowledge or the claims come from the untrustworthy proprietor.

      By the way, accessing the address book in order to find out if any of your friends are making use of the service is a legitimate reason to access the address book.

      Not without the explicit consent of the user, preferably in a form non-technical users can grant and rescind without having to go through a licensing agreement.

      --
      Digital Citizen
    8. Re:Remember, the Walled Garden is for you safety by vux984 · · Score: 1

      Like, say, a private e-mail account that supports IMAP

      Fuck No. Not like that. Please god, no, not like that. I'd rather DIAF. That sounds truly abominable for my average IM use cases.

      and can be read by a multitude of generic clients on most devices one can think of - even and especially devices that don't take a SIM card.

      Telegram also works on the desktop and laptops (mac, windows, and Linux). Yes it is tied to a phone number, and yes, I agree that is stupid, but it is not limited to working with devices that have a sim card once the account is setup. That was one of the reasons I like it. I don't want to type on my phone, when im sitting in front of a dual screen with a fantastic keyboard; which is why I prefer it to SMS,,, which is stuck on my phone.

    9. Re:Remember, the Walled Garden is for you safety by n329619 · · Score: 1

      I might wish to play a game and associate and communicate and share only with my wife and kids... but the social shit brings my sister inlaw in, randos at work, the neighbors, vendors and clients, lawyers and accountants, etc... not everyone on my contacts list is my 'friend'; and I don't want to connect to the vast majority of people in my contacts with any given app.

      You can get a separate email, phone number, and phone for those things you know. There are reasons for a separate work phone, personal phone and maybe home phone. If you like, you can also leave your work phone at work, separating your work with your personal life.

    10. Re:Remember, the Walled Garden is for you safety by vux984 · · Score: 1

      You can get a separate email, phone number, and phone for those things you know.

      Your suggestion is to pay twice as much per month, to create exactly one group partition? And my neighbors and extended family would still be on the 'personal' one... thanks. but no thanks.

      And no, I can't create separate emails etc for each one unless they explicitly support it. If they tie to the phone number, or android or itunes account etc then I'm pretty much stuck. And creating a new itunes or android/play account for each app is all kinds of headaches of its own. You know what would be better than that: not that. :)

      If you like, you can also leave your work phone at work

      Ok... so here's what I actually do. I have a VOIP service (in my current case I'm actually using jive service). And that is my work number. I have a physical voip deskphone in my home office tied to that service. I have it set to ring my cell during business hours in addition to the deskphone, and to go to voicemail outside office hours. I could get away with a cheaper voip service, but the jive option has unlimited canada/USA calling, good international rates, conference calling bridges, and some autoattendent and call tree features, and internet fax capabilities that I use. I can also use the voip app on my phone to make outgoing calls from my 'work number' from my cell (sometimes that matters); although i mostly just need to be able to take calls.

      This already works better than 2 physical cellphones ever would; and is substantially cheaper. I don't have to 'leave the phone at work' or carry around two phones during the day because the work number automatically cuts over to voicemail.

    11. Re:Remember, the Walled Garden is for you safety by LordWabbit2 · · Score: 1

      This is what got annoying on Blackberry as well, a torch app that needs access to your address book, I'm like wtf? Find another one, asks for the same thing, eventually I got off my ass and went and found a flashlight.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  2. I large improvement! by Gravis+Zero · · Score: 3, Funny

    Previously Sarahah would max out the speaker volume and read my address book aloud while making snarky comments as it read each entry. I'm much happier now that it no longer comments on how often I've called my mother.

    --
    Anons need not reply. Questions end with a question mark.
  3. Give people anonymous ways to criticize each other by asylumx · · Score: 2

    Does it come with a quick-dial to the suicide hotline?

    Joking aside, if you download an app and 'allow contacts' when it asks you, probably you should expect them to be grabbing your contacts and using them however they wish. The only surprise here is that people are surprised by this behavior.

  4. Re:Private data? by thegreatbob · · Score: 1

    Renting usually entails some sort of provision of rights to the renter...

    --
    There is no XUL, only WebExtensions...
  5. Integrity by HBI · · Score: 2

    I think the thing missing from most people's evaluation of such things is the integrity of the app author. The presumption that Apple or Google is looking out for you is incorrect, so you have to go back to the author, which has no known past history of integrity. So why would you trust them to anonymize anything, never mind having your contact list?

    This is why I don't download apps, other than the ridiculously short app lifecycles necessitating constant updates. If I don't trust you in the first place, why would I want you updating my phone weekly (or less)?

    This kind of thing is created to prey on the young and stupid, I suppose.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  6. Hard to change the 'free app' as-a-service culture by adosch · · Score: 1

    This is totally preaching to the choir here, but sooner or later, everyone needs to come under the realization that your data is worth a TON of dollars. What's better with today's tech, than build you a whiz-bang service for 'free' and how do you think it remains 'free'? Situations exactly like this. It's a completely massive intangible but highly potent asset anyone starting any established or startup company wants to have.

    As long as everyone keeps making a quick popular trend of these types of services wrapped around mobile app obfuscation, it won't ever end. At the end of the day with these companies, it matters very little what type of shit they are selling, it's all about what they are getting or can get to. The 'phone' these days is the most personal damn thing any one of us suckers use anymore, right?

  7. That would explain it by roc97007 · · Score: 1

    I was wondering why the volume of spam was up dramatically.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  8. It is the only thing VCs invest in... by Anonymous Coward · · Score: 2, Interesting

    I was told that VCs will only invest in one of two things:

    Apps that sling ads.
    Apps that suck data in large quanitites.

    This is why stuff like Meitu got so much funding and praise. The app did little to nothing except give a lot of data to its owners.

    Similar with Sarahah. Some relatively shitty servers are up, and now some unknown people over in the Middle East now have a ton of connections of Americans and Europeans, as well as private, intimate things of their life. Perfect intel gathering for people who don't like Americans.

  9. I don't trust anyone. by Anonymous Coward · · Score: 1

    Some apps I use on both Android and iOS - and some I don't. And it amazes me that the iOS version may need only access to the mic but the Android one needs access to contacts, camera, mic, location, photos, and everything else.

    WTF?!

    I will not down load such apps. Access to contacts is forbidden.

    I don't care what the reason/excuse is. And you know what? I don't miss them in the slighest.

    Android apps are the worst offenders.

  10. Android has made this worse by Headw1nd · · Score: 1

    I feel android has made this worse recently, with the move to broad "categories" of permissions. Originally it seemed pretty easy to determine when an app was asking for something it didn't need, now it seems every permission has at least one area that could lead to something malicious, and the user is left wondering what the app is actually going to do.

  11. Hit app? Why would anyone use this? by acvh · · Score: 1

    Seriously. An app that allows people to send you anonymous messages? I read their justification: to get candid feedback from coworkers and such. I suppose if that is something you welcome, then letting the app have access to your contacts so it would know who can send you messages, is expected.

    But really, who would do this? If I know you, and you want to offer me candid feedback, do it.

    1. Re:Hit app? Why would anyone use this? by Stan92057 · · Score: 1

      Its easy, look at the comments made by the cowards on this site. Its a prefect program for anon cowards,ass hats,ex wifes,ex anyone IMO

      --
      Jack of all trades,master of none
  12. Re:Give people anonymous ways to criticize each ot by bluefoxlucid · · Score: 1

    The surprise here is that the data left the app unencrypted.

    And I would have gotten away with it, too, if it wasn't for those pesky kids I hired for $5/hr to code my app not using a TLS certificate and strong trust validation!

    --
    Support my political activism on Patreon.
  13. Don't tell LinkedIn ... by gander666 · · Score: 1

    ... those fuckers would steal this idea in a heartbeat.

    --
    Suppose you were an idiot and suppose you were a member of Congress ... but I repeat myself. - Mark T
  14. Airbnb also by hcs_$reboot · · Score: 1

    Airbnb asks for a few things to verify your identity, including login to Google or Facebook... However, Google warns you that "Airbnb wants access to your address book" ...

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  15. people are stupid by pD-brane · · Score: 1

    People are stupid.

    Furthermore, Sarahah is not free software (which is claimed in the abstract).

  16. Re: So does almost every other app... by Anonymous Coward · · Score: 1

    To be expected. Bastards anyway...

  17. Surprise surprise by codeButcher · · Score: 1

    Almost entirely just like Whatsapp, Facebook, Telegram, etc. etc. etc.

    In fact, I do have something to hide: my contacts' privacy.

    Is there any address book alternative out there that hides data to apps that request access and want to suck it, but makes contacts available to apps with a legitimate need?

    --
    Free, as in your money being freed from the confines of your account.
    1. Re:Surprise surprise by nasch · · Score: 1

      How could it know which ones are legitimate or not? You already have to give permission to the app to read your address book.

    2. Re:Surprise surprise by codeButcher · · Score: 1

      You already have to give permission to the app to read your address book.

      Would be better if you could give permission for it ("it" being probably through settings or ad-hoc permissions in you address book app) to only read certain addresses, or groups of addresses, and not even be aware that others exist.

      --
      Free, as in your money being freed from the confines of your account.
  18. Re:Private data? by the_B0fh · · Score: 1

    What kind of nonsense is this? Ever since iPhone 4/4S, you can restrict apps from touching your Contacts.

  19. Re:Give people anonymous ways to criticize each ot by asylumx · · Score: 1

    I suspect the GP is referring to the privacy topic, not the suicide hotline topic.

  20. IOS vs Android vs Blackberry 10 vs Symbian: perms by Seven+Spirals · · Score: 1

    I owned phones with IOS, Android, and Blackberry 10. Android and IOS (at least the versions I had) would only allow you to accept *all* of the permissions the application wants (all or nothing). At least Blackberry 10 would let you refuse individual permissions while accepting others. It rarely works, though. On Blackberry, the apps will double-check that they are getting whatever permissions they want and will refuse to start if you selectively disallow a few.

    Today I use an early Symbian phone (Phillips Xenium) that won't even run apps at all.

  21. Re:Give people anonymous ways to criticize each ot by currently_awake · · Score: 1

    Permissions need settings: No, Yes, Lie (No but tell the App Yes so I can use the App).

  22. Re: IOS vs Android vs Blackberry 10 vs Symbian: pe by Anonymous Coward · · Score: 1

    iOS hasn't worked that way in a long time.

  23. Any open source alternative? by jma05 · · Score: 1

    Are there any good open-source contacts and email apps for android that are reasonably good?
    I am tired of turning off contacts access as a ritual after every other app install. I just want the OS level contact list to be empty or be a dummy list.
    I want a phone app that maintains its own contacts internally... or a separate contacts app that can launch the phone. I really don't need the convenience of invoking contacts from third party apps and find their propensity to download my entire address book creepy.
    I would like an open source email client I can trust, which does not "integrate" my address book again. This whole personal data interoperability and integration functionality is unnecessary for me and is more of an annoyance than a convenience.

  24. Operating systems need more granular control by GodfatherofSoul · · Score: 1

    Either have users confirm every instance and be allowed to see what data is being accessed or allow the user to create separate contacts "wallets". I don't know the solution, but this is happening frequently enough that the OS needs to give the user more control than "yeah, have at my black book."

    On iOS you can't even send a text without a user confirmation, but someone wants to dump your entire phonebook and that's OK???

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  25. Re:Private data? by Dog-Cow · · Score: 1

    Please have someone pull your bowels out through your ass and strangle you with them. You retarded shit.

  26. Re: Private data? by Anonymous Coward · · Score: 1

    Tou sounded a bit culpable there son. You know theres this app for that that lets you say those things anonymously.