Sarahah App quietly uploading your entire Phone Contacts to their Server

For those who love Sarahah app, this won’t come as such good news.

Sarahah, the popular anonymous messaging app, has been found to harvest and upload all email addresses and phone numbers in a user’s address book.

Sarahah, the popular anonymous messaging app, has been secretly uploading all email addresses and phone numbers in the address book to its servers, according to a report on The Intercept. The report quotes Zachary Julian, a senior security analyst at Bishop Fox, who made the discovery when he installed the Sarahah app on his smartphone. The app's developer has also confirmed that the app does this.

The app presents itself as an “honest messaging service” where people can leave constructive feedback, and its in-app privacy policy claims it does not collect user data. However, as the analyst revealed, the app has been uploading entire contact books. According to the report, Julian discovered this when he installed the app on a Galaxy S5 (running Android 5.1.1 Lollipop).

Julian’s phone was running Burp Suite, an intercepting proxy “which intercepts internet traffic entering and leaving the device,” and this is what spotted Sarahah uploading his private data. According to the researcher, the app “transmits all of email and phone contacts stored on Android.” Interestingly, Sarahah appears to be doing the same on iOS as well. The researcher has also shared a video showing exactly how the app continues to violate user privacy.
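As an added example (not code from the article, from Bishop Fox or from Sarahah), the check below does what an analyst would do with the requests an intercepting proxy has logged: it compares each request body against the device's own contact list and flags any request that carries more than a couple of those contacts, which separates a bulk address-book upload from ordinary use such as messaging one friend. The contact entries, host names and request bodies are constructed samples.

```python
import json
import re

# Constructed sample: the device's own contact list (not real people).
CONTACTS = [
    {"name": "Alice", "phone": "+1 415 555 0101", "email": "alice@example.com"},
    {"name": "Bob", "phone": "+1 (415) 555-0102", "email": "bob@example.org"},
    {"name": "Carol", "phone": "+14155550103", "email": "carol@example.net"},
]

# Constructed sample: request bodies as an intercepting proxy would log them.
# Host names are placeholders, not the app's real endpoints.
CAPTURED_REQUESTS = [
    {"url": "https://api.app.invalid/login",
     "body": json.dumps({"email": "me@example.com", "password": "hunter2"})},
    {"url": "https://api.app.invalid/message",      # one friend: normal use
     "body": json.dumps({"to": "bob@example.org", "text": "hi"})},
    {"url": "https://api.app.invalid/contacts/sync",  # whole address book
     "body": json.dumps({"contacts": [{"p": "14155550101", "e": "alice@example.com"},
                                      {"p": "14155550102", "e": "bob@example.org"},
                                      {"p": "14155550103", "e": "carol@example.net"}]})},
]

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def normalize_phone(raw):
    """Digits only, so '+1 415 555 0101' and '14155550101' compare equal."""
    return re.sub(r"\D", "", raw)

def contact_hits(body, contacts):
    """Names of contacts whose phone number or email appears in a request body."""
    phones = {normalize_phone(m) for m in PHONE_RE.findall(body)}
    emails = {m.lower() for m in EMAIL_RE.findall(body)}
    return [c["name"] for c in contacts
            if normalize_phone(c["phone"]) in phones or c["email"].lower() in emails]

def flag_address_book_uploads(requests, contacts, threshold=2):
    """Requests carrying at least `threshold` distinct contacts are likely bulk
    address-book uploads; a single contact (messaging one friend) is normal."""
    findings = []
    for req in requests:
        hits = contact_hits(req["body"], contacts)
        if len(hits) >= threshold:
            findings.append({"url": req["url"], "matched": hits})
    return findings

if __name__ == "__main__":
    for f in flag_address_book_uploads(CAPTURED_REQUESTS, CONTACTS):
        print(f"{f['url']}: {len(f['matched'])} contacts ({', '.join(f['matched'])})")
```

Run against a real proxy export, the same comparison also catches the periodic re-upload the researcher describes, since every later sync request would match the contact list again.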


Sarahah did not initially reply to the report. Later, the app's creator, Zain al-Abidin Tawfiq, said that this feature, which uploaded the entire contact list to the servers, would be removed in a later update. He also tweeted that the feature was meant to support an upcoming update that would let users find their friends on the app. That’s hard to believe, given that the app is built around anonymity and finding friends on it would be counter-productive.

While the developer insists this is a technical issue that was going to be removed from the app, it does raise questions about privacy and how the app treats user data. The researcher has also shown that if the app is not used for some time, it re-uploads the contacts, so this is clearly a feature the developer knew about.

Sarahah app’s privacy policy states it will ask for consent when it needs data from users

The problem is that the privacy policy specifically states that if it plans to use your data, Sarahah will ask for permission. As the researcher points out, Sarahah should have been upfront from the beginning about what data it accesses, rather than taking it on the sly. Users who are worried about their privacy on Sarahah can go to the Sarahah website and delete their account. This option is only available in the website settings, not in the app.

While applications uploading contacts is not uncommon, it is concerning when the app makes no use of the information. Apart from worrying about the security of data on your device, you also need to worry about the integrity of the company that holds your data.

Credit: Fossbytes, IndianExpress


Jai Prajapati

Ethical Hacker, IT Security Consultant, Security Blogger, Technical Writer
