Period Tracking App Stardust Seems a Little Sketchy
Sarah Perez and Zack Whittaker, reporting for TechCrunch yesterday:
Others are abandoning their current period trackers and turning to
apps like Stardust instead as a result of the company’s strong
statement issued in light of the decision to overturn Roe.
Stardust said it would implement end-to-end encryption so it would
“not be able to hand over any of your period tracking data” to the
government, helping to draw in hundreds of thousands of downloads
over this weekend ahead of the release of the new,
encryption-featured app version slated for release on Wednesday.
First strike: Stardust bills itself as an astrology-based period tracker: “Harness your inner cosmic energy with Stardust, an app that integrates science, astronomy and artificial intelligence to connect your hormonal cycle with the cycles of larger celestial bodies: the stars, planets, sun, and moon.” I wouldn’t take advice at the craps table from someone who believes in astrology, let alone trust them with my medical data.
(Sidenote: “minnow-clarinet-j6yf.squarespace.com” is an odd domain name for an ostensibly serious personal health company.)
Second strike: end-to-end encryption isn’t something you just add in a matter of days.
TechCrunch ran a network traffic analysis of Stardust’s iPhone
app on Monday to understand what data was flowing in and out of
the app. The network traffic showed that if a user logs into the
app using their phone number (rather than through a login service
provided by Apple or Google), Stardust will periodically share
the user’s phone number with a third-party analytics service
called Mixpanel. […] During the network traffic analysis,
TechCrunch saw no health data shared with Mixpanel. But sharing a
phone number that’s tied to a specific user of a period-tracking
app with a third party like Mixpanel could allow prosecutors to
compel Mixpanel to turn over that data — even if Stardust claims
that it can’t.
That does not sound like an app that takes user privacy seriously.
TechCrunch asked the founders for more information about how the
app is implementing end-to-end encryption. Stardust founder
Moranis told TechCrunch that “all traffic to our servers is
through standard SSL (hosted on AWS) and subsequent data storage
on AWS RDS utilizing their built-in AES-256 encryption
implementation.” Although this describes the use of encryption to
protect data while in transit and while it’s stored on Amazon’s
servers, it’s not clear if this implementation would be considered
true end-to-end encryption.Given its complexity and the stakes involved, implementing
end-to-end encryption is often a time- and resource-intensive
effort, where a single coding flaw could undermine the protections
of the users’ data. […] When asked if the company had
conducted a third-party security audit of the app’s code, Moranis
said that the company intends to “fully publish our implementation
along with a third-party audit once it is complete,” but a
timeline was not given. […]After we heard from Stardust, the company quietly changed its
privacy policy again to remove mentions of end-to-end encryption.
This doesn’t really make any sense. My best guess is that Stardust’s leadership saw an opportunity to appeal to privacy-concerned women after Friday’s Supreme Court decision overturning Roe v. Wade, struck gold by claiming to be secure and privacy-focused, but they didn’t actually know what “end-to-end encryption” actually means.
