Sarahah, the popular anonymous messaging app, has been found to harvest and upload all email addresses and phone numbers in a user's address book. For those who love the app, this won't come as such good news.
Sarahah, the popular anonymous messaging app, is secretly uploading all email addresses and phone numbers in the address book to its servers, according to a report on The Intercept. The report quotes Zachary Julian, a senior security analyst at Bishop Fox, who made the discovery when he installed the Sarahah app on his smartphone. The app's developer has also confirmed that the app does this.
The app projects itself as an “honest messaging service” where people can leave constructive feedback, and, if you go by the privacy policy in the app, claims it does not collect user data. However, as the analyst revealed, the app has been uploading entire contact books. According to the report, Julian discovered this when he installed the app on a Galaxy S5 (running Android 5.1.1 Lollipop).
Julian’s phone is set up with Burp Suite, software “which intercepts internet traffic entering and leaving the device,” and this showed that Sarahah was uploading his private data. According to the researcher, the app “transmits all of email and phone contacts stored on Android.” Interestingly, Sarahah appears to be doing the same on iOS as well. The researcher has also shared a video showing exactly how the app violates user privacy. The video is available on Vimeo.
At first, Sarahah did not reply to the report. Later, the creator of the app, Zain al-Abidin Tawfiq, said that this feature, in which the app uploads the entire contact list to its servers, would be removed in a later update. He also tweeted that the feature was supposed to support an upcoming update to the app, which would let users find their friends on the app. That’s hard to believe, given that the app is built around anonymity and finding friends on it would be counter-productive. Check out his tweet below:
Sarahah App asked for contacts for a planned "find your friends" feature
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
While the developer insists this is a technical issue that was to be removed from the app, it does raise questions about privacy and how the app treats user data. The researcher has also shown that if the app is not used for some time, it re-uploads the contacts, so clearly this is a feature that was known to the developer.
The problem is that the privacy policy specifically states that if it plans to use your data, Sarahah will ask for permission. As the researcher points out, Sarahah should have been upfront from the beginning about what data it is accessing, rather than taking it on the sly. Users who are worried about their privacy on Sarahah can go to the Sarahah website and remove their account. This option is only available in the website settings and not in the app.