Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credits: Insight
The anonymous feedback app, Sarahah, which has been going viral for the past few weeks, may not be as private as it may sound. According to a report from The Intercept, the app uploads users’ phone contacts to the company’s servers, for no good reason. The behaviour was spotted by security analyst Zachary Julian.
Sarahah founder, Zain al-Abidin Tawfiq, tweeted that the contact lists are being uploaded “for a planned ‘find your friends’ feature” which was “delayed because of a technical issue.” After Intercept pointed out the behaviour, he stated “the data request will be removed on next update” and that Sarahah’s servers currently don’t host contacts. He stated that the feature was obstructed by “technical issues” and that a partner, who he has stopped working with, was supposed to remove it from the server but “missed that.”
Sarahah portays itself as an app to let users “receive honest feedback” from friends and employees but the app is collects more than just feedback messages. When launched for the first time, it immediately harvests and uploads all contacts and email addresses in your address book. Although, Sarahah does ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.
The app’s partial interest in your contacts is not hidden though. In the privacy policy page, it has been stated specifically that if it plans to use your data, it will ask for consent. However this does not translate to justifying the uploading of contacts without user permission. On both iOS and Android platforms, Sarahah asks for permission to access each user’s phone contacts. Even if declined, users can continue to use the app.
However, users who permit access to their contacts list probably think it will add some functionality to the app which as of now is non-existent. There is no friends-list inside the app. Also, there is a search feature, but, you cannot look people up by phone number. Nor there is a section which shows which of your contacts are already using the service.
Security analyst Julian found out the behaviour by using a monitoring software (BURP Suite) to see what kind of data was Sarahah sending and receiving from his Android phone, a Galaxy S5 running on Android 5.1.1. The information consisted of “all of your email and phone contacts.” He later determined the same occurrence on the iOS platform as well.
Uploading of contact lists is not all that uncommon of a behaviour and is often used in legitimately helpful ways. But this is something that apps should not do unless users are getting something out of it. Either way, people tend to get unhappy when their personal data is used in ways they weren’t made aware of.
“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. It also came to light that if you haven’t used the application in a while, it’ll share all of your contacts again.
However, most of the newer Android operating systems, starting with Android 6.0 (“Marshmallow”) do allow for more granular permissions for apps and also allows users to modify controls so that apps do not gain access to contacts or other information. But as we see, all but newer and expensive Android phones are super slow when it comes to getting updates for their OSes. Over 54 per cent of Android users are using older versions which do not have these permissions, and users need to be savvy enough to know where to find app permissions are (Settings > Apps > Gear button > App Permissions).
In conclusion, for Sarahah users concerned with privacy is that they do not need to download the service app but can use the features like sending messages, register and receiving messages on Sarahah, via a website. The site does not ask for permissions to access contacts from any of your address books.
www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India