Period Tracking App Stardust Seems a Little Sketchy

Sarah Perez and Zack Whittaker, reporting for TechCrunch yesterday:

Others are abandoning their current period trackers and turning to apps like Stardust instead as a result of the company’s strong statement issued in light of the decision to overturn Roe. Stardust said it would implement end-to-end encryption so it would “not be able to hand over any of your period tracking data” to the government, helping to draw in hundreds of thousands of downloads over this weekend ahead of the release of the new, encryption-featured app version slated for release on Wednesday.

First strike: Stardust bills itself as an astrology-based period tracker: “Harness your inner cosmic energy with Stardust, an app that integrates science, astronomy and artificial intelligence to connect your hormonal cycle with the cycles of larger celestial bodies: the stars, planets, sun, and moon.” I wouldn’t take advice at the craps table from someone who believes in astrology, let alone trust them with my medical data.

(Sidenote: “minnow-clarinet-j6yf.squarespace.com” is an odd domain name for an ostensibly serious personal health company.)

Second strike: end-to-end encryption isn’t something you just add in a matter of days.

TechCrunch ran a network traffic analysis of Stardust’s iPhone app on Monday to understand what data was flowing in and out of the app. The network traffic showed that if a user logs into the app using their phone number (rather than through a login service provided by Apple or Google), Stardust will periodically share the user’s phone number with a third-party analytics service called Mixpanel. [...] During the network traffic analysis, TechCrunch saw no health data shared with Mixpanel. But sharing a phone number that’s tied to a specific user of a period-tracking app with a third party like Mixpanel could allow prosecutors to compel Mixpanel to turn over that data — even if Stardust claims that it can’t.

That does not sound like an app that takes user privacy seriously.

TechCrunch asked the founders for more information about how the app is implementing end-to-end encryption. Stardust founder Moranis told TechCrunch that “all traffic to our servers is through standard SSL (hosted on AWS) and subsequent data storage on AWS RDS utilizing their built-in AES-256 encryption implementation.” Although this describes the use of encryption to protect data while in transit and while it’s stored on Amazon’s servers, it’s not clear if this implementation would be considered true end-to-end encryption.

Given its complexity and the stakes involved, implementing end-to-end encryption is often a time- and resource-intensive effort, where a single coding flaw could undermine the protections of the users’ data. [...] When asked if the company had conducted a third-party security audit of the app’s code, Moranis said that the company intends to “fully publish our implementation along with a third-party audit once it is complete,” but a timeline was not given. [...]

After we heard from Stardust, the company quietly changed its privacy policy again to remove mentions of end-to-end encryption.

This doesn’t really make any sense. My best guess is that Stardust’s leadership saw an opportunity to appeal to privacy-concerned women after Friday’s Supreme Court decision overturning Roe v. Wade, struck gold by claiming to be secure and privacy-focused, but they didn’t actually know what “end-to-end encryption” really means.

Tuesday, 28 June 2022