Zack Whittaker

New: Period tracker Stardust rocketed to the top of Apple's app store over the weekend after Roe v. Wade was overturned. But the app shares the phone number of users (who give it when signing up) with a third-party analytics firm, Mixpanel. w/ @sarahintampa

Stardust said it would roll out end-to-end encryption so it would “not be able to hand over any of your period tracking data” to the government. After we reached out, Stardust quietly removed any mention of end-to-end encryption from its privacy policy.

Stardust's new app came out today with its new encryption feature (it's a sign-in option, sign in by email and phone number still exists). I ran Stardust's new app through Burp and used the new data encryption option, and saw the encryption key sent back to Stardust via its API.

I'm not clear on why Stardust implemented this feature this way, or even what it's trying to achieve. But the fact that the encryption key is even sent — and presumably stored somewhere — means whatever data it is ostensibly protecting can be obtained using that key.

Thu Jun 30 00:03:26 +0000 2022