{"id":97948,"date":"2017-09-04T12:00:50","date_gmt":"2017-09-04T11:00:50","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=97948"},"modified":"2017-09-02T15:55:13","modified_gmt":"2017-09-02T14:55:13","slug":"hit-app-sarahah-quietly-uploads-your-address-book","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2017\/09\/hit-app-sarahah-quietly-uploads-your-address-book\/","title":{"rendered":"Hit App Sarahah Quietly Uploads Your Address Book"},"content":{"rendered":"<blockquote>\n<p><a target=\"_blank\" href=\"https:\/\/theintercept.com\/2017\/08\/29\/app-do-momento-sarahah-se-apropria-sorrateiramente-da-sua-lista-de-contatos\/\" >Read in Portuguese<\/a><\/p>\n<\/blockquote>\n<div id=\"attachment_97949\" style=\"width: 710px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/09\/sarahah-app-access-contacts-data-copy-copy-1503948439-article-header.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-97949\" class=\"wp-image-97949\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/09\/sarahah-app-access-contacts-data-copy-copy-1503948439-article-header-1024x512.jpg\" alt=\"\" width=\"700\" height=\"350\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/09\/sarahah-app-access-contacts-data-copy-copy-1503948439-article-header-1024x512.jpg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/09\/sarahah-app-access-contacts-data-copy-copy-1503948439-article-header-300x150.jpg 300w, 
https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/09\/sarahah-app-access-contacts-data-copy-copy-1503948439-article-header-768x384.jpg 768w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/09\/sarahah-app-access-contacts-data-copy-copy-1503948439-article-header.jpg 1440w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><p id=\"caption-attachment-97949\" class=\"wp-caption-text\">A photo of Sarahah, a new app that lets people anonymously critique one another. Photo: The Intercept<\/p><\/div>\n<p><em>27 Aug 2017 &#8211; <\/em>Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google\u2019s online stores, making it the <a target=\"_blank\" href=\"https:\/\/www.apple.com\/itunes\/charts\/free-apps\/\" >No. 3 most downloaded free software<\/a> title for iPhones and iPads.<\/p>\n<p>Sarahah bills itself as a way to \u201creceive honest feedback\u201d from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.<\/p>\n<p>Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah\u2019s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was configured to send its internet traffic through Burp Suite, an intercepting proxy that lets its operator inspect every request leaving the device and every response coming back, revealing what data is sent to remote servers. 
When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.<\/p>\n<p>\u201cAs soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,\u201d he said. He later verified the same occurs on Apple\u2019s iOS, albeit after a prompt to \u201caccess contacts,\u201d which also appears in newer versions of Android. Julian also noticed that if you haven\u2019t used the application in a while, it\u2019ll share all of your contacts again. He did some testing of the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again. (You can see some of his testing in <a target=\"_blank\" href=\"https:\/\/vimeo.com\/231153024\" >this video<\/a>.)<\/p>\n<p>Sarahah did not initially respond to requests for comment. After this piece was published, the app\u2019s creator, Zain al-Abidin Tawfiq, <a target=\"_blank\" href=\"https:\/\/twitter.com\/ZainAlabdin878\/status\/901812205741629444\" >tweeted<\/a> that the contacts functionality would be removed in a future release and had been intended for a \u201c\u2018find your friends\u2019 feature.\u201d He later told The Intercept the feature was stymied by \u201ctechnical issues\u201d and that a partner, who he has since stopped working with, was supposed to remove it from the app but \u201cmissed that.\u201d He claims the functionality was, however, removed from the server and that Sarahah stores no contacts in its databases. This is impossible to verify.<\/p>\n<p>Drew Porter, founder of security firm Red Mesa, said that this type of behavior is more common than most users would expect, especially when apps, like Sarahah, are free. He said that even if users are willing to trust a piece of software with their address book data, there are reasons to avoid trusting the internet servers associated with the app. 
\u201cIt\u2019s no longer that you have to worry about the data on your phone, it\u2019s that you have to worry about the data on your phone that\u2019s somewhere else that you have no control over being compromised,\u201d he said. \u201cIt\u2019s not just, \u2018Oh, this company can see my information and I\u2019m OK\u00a0with that.\u2019 You now have to think about the security of that company.\u201d<\/p>\n<p>When asked about Sarahah, Porter added, \u201cI do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don\u2019t know the security of the company that is getting it. We\u2019ve seen popular apps before, total information leakage comes out, and it\u2019s devastating to those companies. I believe it\u2019s even more devastating to the user whose information was compromised.\u201d<\/p>\n<p>Will Strafach, president of Sudo Security Group Inc., pointed out that security researchers and app reviewers can only see what is happening on the device itself, rather than server side, making it impossible for anyone but the developer to know if the data is being stored or just used, and if stored, how well it is protected. \u201cEven in an innocent use case, if the data is not being handled safely, a server breach could allow malicious parties access to this contacts data,\u201d he said. \u201cAdditionally, there is no silver bullet to solving this. My team wrote software to automatically detect this behavior in iOS apps in order to call out bad actors, but we found that the information was not as useful as anticipated, because so many apps are doing it, and there is no reliable way to tell if the data is being handled safely on the server\u2019s side, and that is the most important part.\u201d<\/p>\n<p>But Julian thinks that Sarahah uploading contacts is disconcerting, especially given the app\u2019s popularity, and especially since most users don\u2019t expect it to occur. 
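<\/p>\n<p>The interception described above is easy to turn into a repeatable check. The following is an added example and not code from the original article or from Sarahah: it takes the address book of a test phone and a set of request bodies as an intercepting proxy would capture them (both constructed here; the hostname api.example.invalid and the body formats are assumptions, not Sarahah\u2019s real endpoints), reports which local contacts each request carried, and flags endpoints that received the address book more than once, the re-upload-after-idle behavior Julian observed. It goes slightly beyond the article in also matching SHA-256 digests of normalized values, since some apps upload hashed rather than clear-text contacts.<\/p>

```python
import hashlib

# Constructed sample input: the address book on the test phone.
LOCAL_CONTACTS = [
    {'name': 'Alice', 'phone': '+1 (555) 010-0001', 'email': 'alice@example.com'},
    {'name': 'Bob', 'phone': '555-010-0002', 'email': 'Bob@Example.com'},
    {'name': 'Carol', 'phone': '+44 20 7946 0003', 'email': 'carol@example.org'},
]

def normalise_phone(raw):
    # Digits only, so '+1 (555) 010-0001' and '15550100001' compare equal.
    return ''.join(ch for ch in raw if ch.isdigit())

def normalise_email(raw):
    return raw.strip().lower()

def sha256_hex(value):
    return hashlib.sha256(value.encode('utf-8')).hexdigest()

# Constructed sample input: request bodies as an intercepting proxy such as Burp
# would show them, with a timestamp in seconds. The hostname is an assumption.
# Request 2 carries the address book in clear text, as the article describes;
# request 3 carries a SHA-256 digest of a normalised phone number, which other
# apps do and which still counts as an upload; request 4 is a second clear-text
# upload a day and a half later.
CAPTURED_REQUESTS = [
    {'t': 0, 'url': 'https://api.example.invalid/login', 'body': 'user=tester&token=abc'},
    {'t': 2, 'url': 'https://api.example.invalid/contacts',
     'body': 'phones=+15550100001,5550100002&emails=alice@example.com;BOB@example.com'},
    {'t': 3, 'url': 'https://api.example.invalid/sync',
     'body': 'h=' + sha256_hex('442079460003')},
    {'t': 130000, 'url': 'https://api.example.invalid/contacts',
     'body': 'phones=+15550100001,5550100002,442079460003&emails=carol@example.org'},
]

def fingerprints(contacts):
    # Every form a contact is likely to be uploaded in, mapped back to its name:
    # clear-text digits, clear-text lower-cased email, and the SHA-256 of each.
    table = {}
    for c in contacts:
        for value in (normalise_phone(c['phone']), normalise_email(c['email'])):
            table[value] = c['name']
            table[sha256_hex(value)] = c['name']
    return table

def tokenize(body):
    # Candidate values from a form-encoded or JSON body: split on the usual
    # separators, then also try the lower-cased and digits-only form of each token.
    for sep in ',;&=:[]{}' + chr(34) + chr(10):
        body = body.replace(sep, ' ')
    for tok in body.split():
        yield tok
        yield tok.lower()
        digits = normalise_phone(tok)
        if digits != tok and len(digits) in range(7, 16):
            yield digits

def find_exfiltration(requests, contacts):
    # Return [(timestamp, url, [names])] for every request whose body carries
    # a local contact in either clear or hashed form.
    table = fingerprints(contacts)
    hits = []
    for req in requests:
        found = set()
        for tok in tokenize(req['body']):
            if tok in table:
                found.add(table[tok])
        if found:
            hits.append((req['t'], req['url'], sorted(found)))
    return hits

def repeated_uploads(hits):
    # Endpoints that received contact data more than once, as seen when an app
    # re-sends the whole address book after a period of disuse.
    counts = {}
    for _, url, _ in hits:
        counts[url] = counts.get(url, 0) + 1
    return sorted(url for url, n in counts.items() if n != 1)

if __name__ == '__main__':
    hits = find_exfiltration(CAPTURED_REQUESTS, LOCAL_CONTACTS)
    for t, url, names in hits:
        print(t, url, names)
    print('address book re-sent to:', repeated_uploads(hits))
```

<p>Run it with python3 against the constructed data, or replace CAPTURED_REQUESTS with bodies exported from the proxy and LOCAL_CONTACTS with the contacts on the test device. Matching on digits-only phone numbers and lower-cased emails keeps the check robust to whatever formatting an app applies before sending, and the hashed lookup catches apps that claim not to upload contacts because they only send digests.<\/p>\n<p>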
On iOS, the app says, \u201cThe app needs to access your contacts to show you who has an account in Sarahah,\u201d and allows the user to choose between \u201cOK\u201d and \u201cDon\u2019t Allow.\u201d On Android, the app in some cases requests access to contacts without giving any reason for needing such access, and in other cases makes no such request at all (on Android versions before 6.0, contacts access is granted once at install time, so there is no runtime prompt to refuse). On neither operating system does it mention uploading data to a server. \u201cThe <a target=\"_blank\" href=\"https:\/\/www.sarahah.com\/Home\/Privacy\" >privacy policy<\/a> specifically states that if it plans to use your data, it\u2019ll ask for your consent,\u201d Julian said. While the app\u2019s entry in Google\u2019s Play Store does indicate the app will access contacts, that\u2019s not \u201cenough consent\u201d to justify \u201csending all of those contacts over without any kind of specific notification,\u201d he added.<\/p>\n<p>Despite claiming on iOS to use contact data to show the user who in their address book is on Sarahah, the app does not actually do so, Julian said, judging from his testing. If Sarahah did ever begin showing which of your contacts are on its network, as advertised, this would lead to a new problem: a recipient who can see which of their contacts have accounts is left with a far shorter list of candidate senders, making it much easier to deduce who is sending messages. For now, it\u2019s not clear how the data is being used.<\/p>\n<p>\u201cSarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they\u2019ve harvested,\u201d Julian said. 
Sarahah is among the top five most downloaded apps in Google\u2019s Play Store for Android, according to analytics firm App Annie.<\/p>\n<p>It\u2019s not entirely clear what Sarahah uses uploaded contact lists for, although the app\u2019s privacy policy states that it will not sell the information to third parties without prior and written consent, unless it\u2019s part of bulk data used for statistics and research.<\/p>\n<p>Android 6.0 (\u201cMarshmallow\u201d) and newer grant permissions such as contacts access at run time and let users revoke them per app, so an app can be denied access to contacts or other information. However, all but the most expensive Android phones are <a target=\"_blank\" href=\"https:\/\/www.revealnews.org\/article\/why-cheap-outdated-android-phones-widen-the-digital-security-divide\/\" >notoriously slow to receive updates<\/a> like Marshmallow, and around 54 percent of Android users are <a target=\"_blank\" href=\"https:\/\/developer.android.com\/about\/dashboards\/index.html\" >using older versions<\/a> that don\u2019t have these permissions, and users have to be savvy enough to know where to find the app permissions (Settings &gt; Apps &gt; Gear button &gt; App permissions). Revoking the permission also only prevents future reads; whatever the app has already uploaded remains on the developer\u2019s servers.<\/p>\n<p>Other apps that send users\u2019 contacts to external servers are more forthright in their privacy policies. 
For example, Snapchat, the so-called ephemeral messaging app, <a target=\"_blank\" href=\"https:\/\/www.ftc.gov\/news-events\/press-releases\/2014\/05\/snapchat-settles-ftc-charges-promises-disappearing-messages-were\" >settled FTC charges in 2014<\/a> that its promises of disappearing messages were false and that it had transmitted user location and collected user address books without notice or consent. It now has a robust privacy policy stating that the app \u201cmay \u2014 with your consent \u2014 collect information from your device\u2019s phonebook,\u201d and that if you allow this and you\u2019re in another user\u2019s contacts, it may combine information collected from their phone book with what it has collected about you. The prompt to add contacts states: \u201cFind your friends. See which of your contacts are on Snapchat!\u201d and the popup on iOS clearly says that the contacts will be uploaded to Snapchat\u2019s servers \u201cso you and others can find friends, and to improve your experience.\u201d<\/p>\n<p>Sarahah appears to be a much smaller operation than Snapchat. It was created in Saudi Arabia by Tawfiq, <a target=\"_blank\" href=\"http:\/\/mashable.com\/2017\/07\/23\/the-story-of-sarahah-app\/\" >according to<\/a> news <a target=\"_blank\" href=\"http:\/\/www.bbc.com\/news\/blogs-trending-39067533\" >accounts<\/a>. It is just the latest in a series of apps pairing promises of anonymity with troubling privacy practices. Another was Secret, now defunct, which was supposed to traffic in anonymized messages from friends and mutual friends. In 2014, security researchers were <a target=\"_blank\" href=\"https:\/\/www.wired.com\/2014\/08\/secret\/\" >able to decloak posters<\/a> on the app by tricking the app\u2019s contact-matching system.<\/p>\n<p>A silver lining for Sarahah users concerned about privacy is that they don\u2019t need to download the service\u2019s app. 
It\u2019s possible both to send messages and to register to receive them through the Sarahah website, and the site doesn\u2019t ask for or access contacts from any of your digital address books.<\/p>\n<p>Still, if Sarahah intends to continue scooping up users\u2019 contact data via mobile apps, Julian believes a more responsible path for the company would be to specifically inform the user about what data they are giving up and where it is going \u2014 and to provide them with a legitimate reason as to why the app actually needs it.<\/p>\n<p><strong>Update: Aug. 27, 2017, 1:35 p.m. <\/strong><\/p>\n<p><em>This piece was updated to include a new estimate of Android Sarahah installs from Julian. <\/em><\/p>\n<p><strong>Update: Aug. 27, 2017, 9:45 p.m. <\/strong><\/p>\n<p><em>This piece was updated to include a response from the creator of Sarahah. <\/em><\/p>\n<p><em>_____________________________________________<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a target=\"_blank\" href=\"https:\/\/theintercept.com\/staff\/yael-grauer\/\" >Yael Grauer<\/a><\/em><em> &#8211; <\/em><em><a href=\"mailto:yael@yaelwrites.com\">yael@yaelwrites.com<\/a><\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/theintercept.com\/2017\/08\/27\/hit-app-sarahah-quietly-uploads-your-address-book\/\" >Go to Original \u2013 theintercept.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>27 Aug 2017 &#8211; Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it, making it the No. 3 most downloaded free software title for iPhones and iPads. 
A security researcher with the firm Bishop Fox caught the app uploading emails and phone numbers right after it is first launched.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[216],"tags":[],"class_list":["post-97948","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/97948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=97948"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/97948\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=97948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=97948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=97948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}