Sarahah app is uploading your address book to their servers!
Sarahah app has emerged as one of the five most-downloaded apps on Apple and Google app-stores. Sarahah is a platform for receiving anonymous feedback from others. However, it looks like the app collects more than just anonymous messages. A security analyst claims Sarahah app "uploads" the entire phone-book on a user's device to its servers. But why is Sarahah collecting such private user data?
What exactly is Sarahah?
Sarahah was initially launched as an anonymous messaging platform; it first existed as a website built by Zain al-Abidin Tawfiq, a Saudi Arabian developer. Registered users get a link, which they can send to others in order to receive anonymous messages from them. The user can neither learn the sender's name nor respond to the anonymous message in any manner.
Analyst finds Sarahah app transmitting private information without permissions
Bishop Fox's Senior Security Analyst, Zachary Julian, discovered that the Sarahah app starts transmitting the contacts and email addresses stored on the device (on both iOS and Android) as soon as the user logs into the app on either platform. Although on some devices the app asks for permission to access contacts, it tells users nothing about uploading that private data to its servers.
Sarahah uploading contacts is disconcerting: Julian
Julian says the uploading of private data by the popular Sarahah app is "disconcerting". On the iOS platform, the app says it needs access to contacts in order to show who has a Sarahah account, and iOS users can choose to deny the permission. However, most Android users don't even see a message requesting permission; in some cases, the app simply asks for the permission without stating a reason.
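The finding above came from watching what the app sent over the network after login. The following is an added example of the kind of check an analyst or app reviewer can run over captured outbound requests to spot bulk contact-list exfiltration; it is not code from the article, from Bishop Fox, or from Sarahah. The host name, paths, and request bodies are constructed sample data, and the detection rule (counting distinct email addresses and phone numbers per request body against a threshold) is an assumed heuristic, not a description of how the actual discovery was made.

```python
import json
import re

# Loose patterns for the two identifier types the article says were uploaded.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def _constructed_contacts(n):
    """Build n fake address-book entries (constructed sample data, not real people)."""
    return [
        {"name": f"Contact {i}",
         "email": f"person{i}@example.com",
         "phone": f"+1 555-01{i:02d}"}
        for i in range(n)
    ]


# Constructed sample of captured outbound requests from a hypothetical app.
# Host, paths and bodies are assumptions for the demo, not real Sarahah traffic.
SAMPLE_REQUESTS = [
    {"host": "api.example-app.test", "path": "/login",
     "body": json.dumps({"user": "alice", "password": "hunter2"})},
    # Sending one's own email and phone at registration is expected, not bulk upload.
    {"host": "api.example-app.test", "path": "/register",
     "body": json.dumps({"email": "alice@example.com", "phone": "+1 555-0199"})},
    # A whole address book posted right after login is the pattern to flag.
    {"host": "api.example-app.test", "path": "/contacts/sync",
     "body": json.dumps({"contacts": _constructed_contacts(8)})},
]


def count_pii(body):
    """Return (distinct emails, distinct phone numbers) found in a request body."""
    emails = set(EMAIL_RE.findall(body))
    phones = set(PHONE_RE.findall(body))
    return len(emails), len(phones)


def flag_bulk_pii(requests, threshold=5):
    """Flag requests whose body carries at least `threshold` distinct contact identifiers.

    A single email/phone (login, sign-up) is normal; dozens in one request
    right after login is what an address-book upload looks like on the wire.
    """
    flagged = []
    for req in requests:
        emails, phones = count_pii(req["body"])
        if emails + phones >= threshold:
            flagged.append({"host": req["host"], "path": req["path"],
                            "emails": emails, "phones": phones})
    return flagged


if __name__ == "__main__":
    for hit in flag_bulk_pii(SAMPLE_REQUESTS):
        print(f"bulk contact data -> {hit['host']}{hit['path']}: "
              f"{hit['emails']} emails, {hit['phones']} phones")
```

In practice the request bodies would come from an intercepting proxy placed between the device and the internet, and the threshold should be tuned to the app: a messaging app that legitimately syncs a few contacts at a time looks different from one that ships the whole phone book on first login.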
Zachary Julian's statement
Julian stated: "Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they've harvested."
Sarahah creator reveals why they're collecting data
Zain al-Abidin Tawfiq tweeted that the collection of contact data was intended for a "find your friends" feature, which apparently was "stymied by technical issues". He added that a former "partner" was supposed to remove the functionality but "missed that". Users, however, feel this isn't a "good justification" for collecting their private information. Tawfiq also assured them that Sarahah stores no contacts in its databases.
Zain al-Abidin Tawfiq's tweet
Collecting contacts defeats the purpose of anonymity
If Sarahah is collecting contacts in order to display which of them are on its platform, it becomes easier for people to work out who is sending the anonymous messages. Sarahah's privacy policy states that it will not sell information to third parties without prior written consent. Concerned users can, however, uninstall the app and send and receive messages on Sarahah.com instead, which requires no device permissions and does not collect contact data.