Jump to content

Hit App Sarahah Quietly Uploads Your Address Book


humble3d

Recommended Posts

Hit App Sarahah Quietly Uploads Your Address Book


Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the number three most downloaded free software title for iPhones and iPads.


Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than feedback messages.


When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book.


Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information. Sarahah did not respond to requests for comment.­


Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1.


The phone was outfitted with monitoring software known as BURP Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, BURP Suite caught the app in the act of uploading his private data.


“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said.


He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again.


He did some testing on the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again.

 

Drew Porter, founder of security firm Red Mesa, said that this type of behavior is more common than most users would expect, especially when an app is free like Sarahah.


He said that even if users are willing to trust a piece of software with their address book data, there are reasons to avoid trusting the internet servers associated with the app.


“It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised,” he said.


“It’s not just, ‘Oh, this company can see my information and I’m okay with that.’ You now have to think about the security of that company.”


Asked about Sarahah, Porter added, “I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don’t know the security of the company that is getting it.


We’ve seen popular apps before, total information leakage comes out, and it’s devastating to those companies.


I believe it’s even more devastating to the user whose information was compromised.”


Will Strafach, president of Sudo Security Group, Inc., pointed out that security researchers and app reviewers can only see what is happening on the device itself, rather than server side, making it impossible for everyone but the developer to know if the data is being stored or just used, and if stored, how well it is protected.


“Even in an innocent use case, if the data is not being handled safely, a server breach could allow malicious parties access to this contacts data,” he said.


“Additionally, there is no silver bullet to solving this. My team wrote software to automatically detect this behavior in iOS apps in order to call out bad actors, but we found that the information was not as useful as anticipated, because so many apps are doing it and there is no reliable way to tell if the data is being handled safely on the server’s side, and that is the most important part.”


But Julian thinks that Sarahah uploading contacts is disconcerting, especially given the popularity of the app, and especially since most users don’t expect it to occur.


On iOS, the app says “the app needs to access your contacts to show you who has an account in Sarahah,” and allows the user to choose between “Okay” and “Don’t allow.”


On Android, the app in some cases requests access to contacts without giving any need for needing such access, and in other cases makes no such request.


On neither operating system does it mention uploading data to a server.


“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” Julian said. While the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not “enough consent” to justify “sending all of those contacts over without any kind of specific notification,” he added.


Despite claiming on iOS to use contact data to show the user who in their address book is on Sarahah, the app does not actually do so, Julian said, judging from his testing.


If Sarahah did ever begin showing which of your contacts are on its network, as advertised, this would lead to a new problem—it would make it far easier to deduce who is sending messages. For now, it’s not clear how the data is being used.

 

“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said.


Sarahah is among the top five most downloaded apps in Google’s Play Store for Android, according to analytics firm App Annie.


It’s not entirely clear what Sarahah uses uploaded contact lists for, although the app’s privacy policy states that it will not sell the information to third parties without prior and written consent, unless it’s part of bulk data used for statistics and research.


Newer Android operating systems, starting with Android 6.0 (“Marshmallow”) do allow for more granular permissions for apps, allowing users to modify controls so that apps do not gain access to contacts or other information. But all but the most expensive Android phones are notoriously slow to receive updates like Marshmallow, and around 54 percent of Android users are using older versions that don’t have these permissions, and users have to be savvy enough to know where to find the app permissions (Settings > Apps > Gear button > App permissions).


Other apps that send users’ contacts to external servers are more forthright in their privacy policies. For example, the so-called ephemeral messaging app Snapchat, which settled FTC charges in 2014 that its promises of disappearing messages were false, and which also transmitted user location and collected user address books without notice or consent, now has a robust privacy policy which states that the app “may—with your consent—collect information from your device’s phonebook,” and that if you allow this, and you’re in another user’s contacts, that it may combine information collected from their phone book with what they have collected about you. The prompt to add contacts states “Find your friends.


See which of your contacts are on Snapchat!” and the popup on iOS clearly says that the contacts will be uploaded to Snapchat’s servers “so you and others can find friends, and to improve your experience.”


Sarahah appears to be a much smaller operation than Snapchat.


It was created in Saudi Arabia by developer Zain al-Abidin Tawfiq, according to news accounts. It is just the latest in a series of apps pairing promises of anonymity with troubling privacy practices.


Another was Secret, now defunct, which was supposed to traffic in anonymized messages from friends and friends of friends.


In 2014, security researchers were able to decloak posters on the app by tricking the app’s contact-matching system.


A silver lining for Sarahah users concerned about privacy is that they don’t need to download the service’s app.


It’s possible to send messages on Sarahah, and register to receive messages on Sarahah, via a website. And that site doesn’t ask for or access contacts from any of your digital address books.


Still, if Sarahah intends to continue scooping up user’s contact data via mobile apps, Julian believes a more responsible path for the company would be to specifically inform the user about what data they are giving up and where it is going — and to provide them with a legitimate reason as to why the app actually needs it.

https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/

 

Link to comment
Share on other sites


  • Replies 4
  • Views 620
  • Created
  • Last Reply

People are their own worst enemies.  There are so many idiots out there ready to give up all their personal data that they are flooding the system which makes it easier for the rest of us to feel safe and hidden. Even if a little piece of our data was scooped up somehow, it would be like finding a needle in a haystack.  The biggest oxymoron today is social apps. The epitome of which is watching two college students walking down the street together holding a conversation by sending text messages to one another.  I wouldn't have believed it if I hadn't seen it with my own eyes while I was hacking their phones while walking behind them.  It is something I will never forget.

Link to comment
Share on other sites


  • Administrator
On 9/6/2017 at 8:04 PM, straycat19 said:

People are their own worst enemies.  There are so many idiots out there ready to give up all their personal data that they are flooding the system which makes it easier for the rest of us to feel safe and hidden. Even if a little piece of our data was scooped up somehow, it would be like finding a needle in a haystack.  The biggest oxymoron today is social apps. The epitome of which is watching two college students walking down the street together holding a conversation by sending text messages to one another.  I wouldn't have believed it if I hadn't seen it with my own eyes while I was hacking their phones while walking behind them.  It is something I will never forget.

 

I wonder how did you manage to do it though. Is it through the commonly found wireless communications or is there something else in it.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...