Sarahah, the popular anonymous messaging app, is reportedly sending your phone's contacts to the company's servers without your knowledge. The app went viral over the past few months, and somewhere around 18 million people have downloaded it from Apple's and Google's app stores.
Now, according to a report published by The Intercept, the app that allows users to get “honest feedback” from their friends, quietly harvests and uploads the user’s contacts including all phone numbers and email addresses to its servers.
The report quotes Zachary Julian, a senior security analyst at Bishop Fox. He first discovered that Sarahah was uploading private information when he installed the app on his Galaxy S5 running Android 5.1.1.
His device was routing its traffic through Burp Suite, an intercepting proxy that lets an analyst see every request the device sends to remote servers. On installing and launching Sarahah, Julian saw the app send his phone's contact data to the company's servers without telling him it was doing so.
Moreover, according to Julian's testing, the upload is not a one-off: if the user does not open Sarahah for a few days, the app pushes the contact data again when it is relaunched. Julian relaunched the app after a gap of two days, and all of his contacts were sent to the Sarahah servers a second time.
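The kind of check Julian's setup makes possible, written out as an added example (not code from the article, The Intercept, or Bishop Fox): take raw HTTP requests as an intercepting proxy such as Burp Suite shows them, pull phone numbers and e-mail addresses out of each body, flag any request that carries a bulk of them, and fingerprint the contact set so a repeat upload on a later day is recognised as the same data going out again. The host name, paths and the three captured requests below are constructed for the example; the article does not give Sarahah's actual endpoint or message format.

```python
import hashlib
import re
from collections import defaultdict

# Constructed captures: raw HTTP requests as an intercepting proxy would show them.
# Host, paths and contact entries are invented for this example, not real Sarahah traffic.
_CONTACTS_BODY = (
    '[{"name":"Alice","phone":"+1 415-555-0100","email":"alice@example.com"},'
    '{"name":"Bob","phone":"+44 20 7946 0958","email":"bob@example.org"},'
    '{"name":"Carol","phone":"+1 202-555-0199","email":"carol@example.net"}]'
)
_SYNC_REQUEST = (
    "POST /v1/contacts/sync HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "Content-Type: application/json\r\n\r\n" + _CONTACTS_BODY
)
_LOGIN_REQUEST = (
    "POST /v1/login HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"email":"me@example.com","password":"hunter2"}'
)
# (capture day, raw request): first launch, a normal login, and a relaunch two days later.
CAPTURED = [("day1", _SYNC_REQUEST), ("day1", _LOGIN_REQUEST), ("day3", _SYNC_REQUEST)]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Loose international phone pattern: optional +, then at least 8 digits with separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, host, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "headers": headers, "body": body}


def extract_contacts(body):
    """Return (emails, phones) found in a request body; phones are normalised to digits."""
    emails = set(EMAIL_RE.findall(body))
    phones = {re.sub(r"[^\d+]", "", p) for p in PHONE_RE.findall(body)}
    return emails, phones


def fingerprint(emails, phones):
    """Stable hash of the contact set, so the same upload is recognised on a later day."""
    return hashlib.sha256("\n".join(sorted(emails | phones)).encode()).hexdigest()


def analyse(captures, threshold=3):
    """Flag requests carrying at least `threshold` contact identifiers.

    A request is marked `repeat` when an identical contact set was already seen
    in an earlier capture, which is the two-day re-upload behaviour described above.
    """
    findings = []
    seen = defaultdict(list)  # fingerprint -> capture days on which it was sent
    for day, raw in captures:
        req = parse_request(raw)
        emails, phones = extract_contacts(req["body"])
        if len(emails) + len(phones) < threshold:
            continue  # a single login e-mail is not a contact-list upload
        fp = fingerprint(emails, phones)
        seen[fp].append(day)
        findings.append({
            "day": day, "host": req["host"], "path": req["path"],
            "emails": len(emails), "phones": len(phones),
            "repeat": len(seen[fp]) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(CAPTURED):
        print(f)
```

The threshold is the knob to tune: a login or password-reset request legitimately carries one e-mail address, whereas an address-book upload carries dozens, so counting identifiers per request separates the two far better than matching on a single pattern. The fingerprint only catches byte-identical contact sets; if one contact is added between launches the second upload would appear as a new finding rather than a repeat.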
Sarahah did not initially comment on the issue, but Sarahah founder Zain al-Abidin Tawfiq later replied that the contacts functionality had been intended for a "find your friends" feature, and that the feature had been delayed due to "technical issues".
Sarahah App asked for contacts for a planned "find your friends" feature
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
While the company describes this as a technical issue and says the contacts functionality was to be removed from the app, it still raises questions about users' privacy and about how the app handles their data.
“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said.
Julian says that if the company intends to keep accessing this data, it should specifically inform users what data they are giving up and where it is going, and give them a legitimate reason why the app actually needs it.