Following the US Supreme Court’s decision to overturn Roe v. Wade, a lot of users in the US have been ditching their period tracking apps amidst fears of the data collected by these apps being used to prove an abortion was obtained illegally. 

Amidst all this chaos, one iOS app, Stardust, has reached the top of the US Apple App Store. Stardust promises to encrypt its user’s data to keep it out of the hands of the government. This led to a large influx of downloads last weekend following the Supreme Court’s decision on Friday. 

Thanks to its encryption announcement, Stardust saw 135,000 and 200,000 installs on June 24 and 25, respectively, dragging the app from rank 119 to the top spot in iOS App Store US rankings. The two days combined totalled 82% of the more than 400,000 installs the app currently has. 

In the News: Hangouts is shutting down; Google directs people to Chat

Is Stardust the solution?

Stardust is claiming that it’ll implement end-to-end encryption in its app in an update due to arrive Wednesday alongside its Android app. However, an investigation by TechCrunch reveals that the app has been handing out its users’ phone numbers to a third-party analytics company called Mixpanel.

However, network traffic analysis of the app reveals that when a user signs up using their phone number instead of using their Apple or Google account to sign in, Stardust periodically shares that phone number with Mixpanel — an analytics service used by app developers to track app usage, errors and other ways to improve their app. 

Mixpanel does this by tracking how someone uses a particular app and then sending that usage data back to its servers. Additionally, Stardust also shared other information, such as the details of the phone the app was installed on with Mixpanel. 

While no health data was shared with the analytics service, sharing a phone number associated with a particular app user gives prosecutors another way of obtaining information. Even if Stardust refuses to (or can’t) hand information over, they can strong-arm Mixdust into doing their bidding. 

Stardust did say that it is working on a new way for users to sign in anonymously. Founder Rachel Moranis also told TechCrunch that the Mixpanel data collection mechanisms used in the current version of Stardust had been removed in the new version, which also disables IP tracking. 

We are also working on an option for users to completely opt out of providing any personal identifiable information (no account generation) and use the app fully anonymously, as well as full local data storage. (7/8)

— Stardust (@Stardusttracker) June 26, 2022

Stardust’s problems, though, don’t finish with an update making the app more secure. As reported by Vice, the app’s privacy policy as of Monday clearly stated 

“We may disclose your anonymized, encrypted information to third parties in order to protect the legal rights, safety, and security of the Company and the users of our Services; enforce our Terms of Service; prevent fraud; and comply with or respond to law enforcement or a legal process or a request for cooperation by a government or other entity, whether or not legally required.”

Stardust has since updated its privacy policy to omit the “whether or not legally required” part. Instead, the app now claims that it’ll comply with law enforcement, a legal process, or a request for cooperation by a government or other entity when legally required. The app further claims that any health data it legally requires to share cannot be liked back to the users and remains anonymous. 

Stardust has claimed to secure its users using “an encrypted wall” between their users and what they do on the app, explaining that user activity is linked to them using a unique identifier that stays on their phones. It’s unclear at the moment whether this “encrypted wall” only refers to the end-to-end encryption the app is about to implement or anything else. 

When asked whether or not the company is conducting a third-party security audit of its code, Moranis said that the company intends to publish its implementation along with a third-party audit once complete. However, no timeline was given. In fact, Stardust has since changed its privacy policy to remove any mentions of end-to-end encryption. 

Are period tracking apps harmful to your privacy?

Apps working with health data or that collect and store health information haven’t had a good track record of keeping it safe. Additionally, digital health products aren’t covered by HIPAA, meaning companies have a lot of flexibility regarding what they want to do with the data. 

Even apps that claim they do not sell data, including Stardust, mention in their privacy policies that they will share data with law enforcement when receiving a subpoena or warrant. This data can be used to check if someone has been pregnant or if said pregnancy has ended, at least theoretically. 

In the News: Chinese hackers are attacking Asian building automation systems