2017-08-28
Hit App Sarahah Quietly Uploads Your Address Book (theintercept.com)
An anonymous reader shares a report: Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google's online stores, making it the No. 3 most downloaded free software title for iPhones and iPads. Sarahah bills itself as a way to "receive honest feedback" from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information. Zachary Julian, a senior security analyst at Bishop Fox, discovered that Sarahah was uploading private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.
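The report describes the method, not the tooling behind it: an intercepting proxy shows every request the app makes, and the analyst has to notice which request is carrying the address book. The script below is an added example, not code from The Intercept, Bishop Fox, or Sarahah, of the triage step that follows the capture. It takes requests as a proxy would present them (method, host, path, body) and flags any whose body holds a bulk of distinct phone numbers or e-mail addresses, which is what an address-book upload looks like on the wire regardless of what the endpoint is named. The sample requests, the hostname api.example.invalid and the paths are constructed for the example.

```python
"""Triage intercepted HTTP requests for address-book exfiltration.

Added example (not from the report or any real app): given requests captured
by an intercepting proxy such as Burp Suite, flag those whose body carries a
bulk of phone numbers or e-mail addresses. All request data below is
constructed; the hostname and paths are hypothetical.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Loose patterns: the goal is to notice a dump of contacts, not to validate numbers.
PHONE_RE = re.compile(r"(?<!\d)\+?\d[\d\s().-]{7,}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Request:
    """One captured request as a proxy shows it."""
    method: str
    host: str
    path: str
    body: str


def count_contacts(body: str) -> tuple[int, int]:
    """Return (distinct phone numbers, distinct e-mail addresses) in the body."""
    # Re-serialise JSON so the scan sees plain text whatever the field layout;
    # fall back to the raw body for non-JSON payloads (forms, XML, empty).
    try:
        text = json.dumps(json.loads(body))
    except ValueError:
        text = body
    phones = {re.sub(r"\D", "", m.group()) for m in PHONE_RE.finditer(text)}
    emails = {m.group().lower() for m in EMAIL_RE.finditer(text)}
    return len(phones), len(emails)


def flag_exfiltration(requests: list[Request], threshold: int = 5) -> list[dict]:
    """Return one finding per request carrying at least `threshold` distinct
    phone numbers or e-mail addresses.

    A login form carries one e-mail; an address-book upload carries hundreds,
    so a small threshold separates the two without knowing the API.
    """
    findings = []
    for r in requests:
        phones, emails = count_contacts(r.body)
        if phones >= threshold or emails >= threshold:
            findings.append({
                "request": f"{r.method} {r.host}{r.path}",
                "phones": phones,
                "emails": emails,
            })
    return findings


# Constructed captures standing in for what a proxy would show on first launch.
SAMPLE_REQUESTS = [
    Request("POST", "api.example.invalid", "/login",
            json.dumps({"email": "me@example.com", "password": "hunter2"})),
    Request("POST", "api.example.invalid", "/sync/contacts",
            json.dumps({"contacts": [
                {"name": f"Contact {i}",
                 "phone": f"+1415555{i:04d}",
                 "email": f"contact{i}@example.org"}
                for i in range(120)]})),
    Request("GET", "api.example.invalid", "/messages?page=1", ""),
]


if __name__ == "__main__":
    for finding in flag_exfiltration(SAMPLE_REQUESTS):
        print(f"{finding['request']}: {finding['phones']} phone numbers, "
              f"{finding['emails']} e-mail addresses")
```

In practice the input would come from a proxy export (Burp's history or a mitmproxy flow file) rather than the constructed list, and the threshold is deliberately low: the interesting signal is the difference in volume between a credential post and a contact sync, not the exact numbers.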
A large improvement! (Score:4, Funny)
Previously Sarahah would max out the speaker volume and read my address book aloud while making snarky comments as it read each entry. I'm much happier now that it no longer comments on how often I've called my mother.
Give people anonymous ways to criticize each other (Score:3)
Joking aside, if you download an app and 'allow contacts' when it asks you, probably you should expect them to be grabbing your contacts and using them however they wish. The only surprise here is that people are surprised by this behavior.
The surprise here is that the data left the app unencrypted.
And I would have gotten away with it, too, if it wasn't for those pesky kids I hired for $5/hr to code my app not using a TLS certificate and strong trust validation!
I think the thing missing from most people's evaluation of such things is the integrity of the app author. The presumption that Apple or Google is looking out for you is incorrect, so you have to go back to the author, who has no known history of integrity. So why would you trust them to anonymize anything, never mind having your contact list?
Hard to change the 'free app' as-a-service culture (Score:2)
This is totally preaching to the choir here, but sooner or later, everyone needs to come to the realization that your data is worth a TON of dollars. What's better with today's tech than building you a whiz-bang service for 'free'? And how do you think it remains 'free'? Situations exactly like this. It's a completely massive intangible but highly potent asset that anyone starting any established or startup company wants to have.
That would explain it (Score:2)
I was wondering why the volume of spam was up dramatically.
Seriously. An app that allows people to send you anonymous messages? I read their justification: to get candid feedback from coworkers and such. I suppose if that is something you welcome, then letting the app have access to your contacts so it would know who can send you messages, is expected.
But really, who would do this? If I know you, and you want to offer me candid feedback, do it.