Slashdot Mirror
Hit App Sarahah Quietly Uploads Your Address Book (theintercept.com)
An anonymous reader shares a report: Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google's online stores, making it the No. 3 most downloaded free software title for iPhones and iPads. Sarahah bills itself as a way to "receive honest feedback" from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information. Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah is uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.
Previously Sarahah would max out the speaker volume and read my address book aloud while making snarky comments as it read each entry. I'm much happier now that it no longer comments on how often I've called my mother.
Anons need not reply. Questions end with a question mark.
Does it come with a quick-dial to the suicide hotline?
Joking aside, if you download an app and 'allow contacts' when it asks you, probably you should expect them to be grabbing your contacts and using them however they wish. The only surprise here is that people are surprised by this behavior.
Nope. At least on iOS the app cannot access your address book without you giving it explicit permission (apparently also the case on newer version of Android according to the article). Neither can it access anything else. There also seems to be much less worry about malware on iOS; most BYOD schemes I've seen require virus scanners, sandboxing and/or monitoring software on Android, but only require a strong PIN on iPhones (or the fingerprint scanner)
By the way, accessing the address book in order to find out if any of your friends are making use of the service is a legitimate reason to access the address book. I suspect it's an important reason for WhatsApp to become as popular as it did, since you didn't need to ask your friends if they signed up and what their handle was. But for this very reason you would expect Apple and Google to come up with a way to match friends on your address list without giving them full access, for example by providing a function that gives you a unique (for your service) user ID for each contact, by hashing a phone nr after salting it with the App ID or some such. That way the app can poll the service to see who signed up without requiring access to the actual address book.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I think the thing missing from most people's evaluation of such things is the integrity of the app author. The presumption that Apple or Google is looking out for you is incorrect, so you have to go back to the author, which has no known past history of integrity. So why would you trust them to anonymize anything, never mind having your contact list?
This is why I don't download apps, other than the ridiculously short app lifecycles necessitating constant updates. If I don't trust you in the first place, why would I want you updating my phone weekly (or less)?
This kind of thing is created to prey on the young and stupid, I suppose.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
lol
I was told that VCs will only invest in one of two things:
Apps that sling ads.
Apps that suck data in large quanitites.
This is why stuff like Meitu got so much funding and praise. The app did little to nothing except give a lot of data to its owners.
Similar with Sarahah. Some relatively shitty servers are up, and now some unknown people over in the Middle East now have a ton of connections of Americans and Europeans, as well as private, intimate things of their life. Perfect intel gathering for people who don't like Americans.
. At least on iOS the app cannot access your address book without you giving it explicit permission (apparently also the case on newer version of Android according to the article). Neither can it access anything else
The trouble remains that 'access' and 'upload the entire thing' is the same thing.
I suspect it's an important reason for WhatsApp to become as popular as it did, since you didn't need to ask your friends if they signed up and what their handle was.
Feature or bug? Maybe I don't WANT *everyone* to know I signed up. I signed up for telegram a while back to try it out with my wife. I was pretty appalled when a bunch of people at work started messaging me all over the place on it. We already have plenty of approved channels for them to reach me on; i was deliberately looking for something that I could leave running 24x7 on multiple devices... and not get messages from people at work.
But for this very reason you would expect Apple and Google to come up with a way to match friends on your address list without giving them full access, for example by providing a function that gives you a unique (for your service) user ID for each contact, by hashing a phone nr after salting it with the App ID or some such. That way the app can poll the service to see who signed up without requiring access to the actual address book.
This is a good idea. But even that is more sharing than I might want. They still get to build a social graph on graph on me that's bigger than letting me expose only the social graph I want to expose to them. They still know I am 'connectd' to all those people at work, even though i have no intention of connecting to them on the app, etc.
Games are notably bad for this too. I might wish to play a game and associate and communicate and share only with my wife and kids... but the social shit brings my sister inlaw in, randos at work, the neighbors, vendors and clients, lawyers and accountants, etc... not everyone on my contacts list is my 'friend'; and I don't want to connect to the vast majority of people in my contacts with any given app.
So I just ran into this sort of issue with an app... its a simple app.
https://play.google.com/store/...
It's a simple app... stick your phone on silent, and it pops up to ask you how long. The idea that you usually know how long your want your phone to be silent when you put it on silent, and often forget about afterwards.
It requests permission to "take videos and pictures"
WTF right? Why does it need that permission?
"15.3: Fix for interference with video recording apps. To detect when the camera is in use, camera permission is needed. This is optional in Android 6+, but if you don't give permission, Shush! can't tell that you're using the camera, and may pop up during video recording."
FFS ... seriously. And you see this sort of thing all the time. To 'play nice' with the phone and make sure it behaves nicely when you are on the phone, or taking a video, etc... the permission to determine simply whether you are using the camera or phone itself requires you to give the app permission to make calls and take videos. Those basic status APIs should be available without special permission or they should require a separate 'status permission' separate from the ability to make calls or take video.
How are we at version 6 of android, and you still need to give an app permission to take pictures and video just to give it permission to avoid irritating you while you are taking videos with a different app?