Sarahah, the anonymous feedback app that has gone viral over the past few weeks, may not be as private as it sounds.
According to a report by The Intercept, the app uploads users' phone contacts to the company's servers even though nothing in the app makes use of them. The behaviour was spotted by security analyst Zachary Julian.
Sarahah founder, Zain al-Abidin Tawfiq, tweeted that the contact lists are being uploaded “for a planned ‘find your friends’ feature” which was “delayed because of a technical issue.”
After The Intercept pointed out the behaviour, he stated that "the data request will be removed on next update" and that Sarahah's servers do not currently store contacts. He said the feature had been held up by "technical issues" and that a partner, with whom he has since stopped working, was supposed to remove the upload from the server but "missed that."
Sarahah portrays itself as an app that lets users "receive honest feedback" from friends and employees, but it collects more than feedback messages. On first launch it harvests every phone number and email address in the address book and uploads them to the company's servers.
Sarahah asks for permission to access the phone's contacts, and the app remains usable if the request is declined. Users who grant access presumably expect it to enable some functionality, but as of now none exists: there is no friends list inside the app, the search feature cannot look people up by phone number, and there is no section showing which of your contacts already use the service.
Julian found the behaviour by routing the traffic of his Android phone, a Galaxy S5 running Android 5.1.1, through an intercepting proxy (Burp Suite) to see what Sarahah was sending and receiving. The uploaded data consisted of "all of your email and phone contacts."
Uploading contact lists is not unusual and is often done for legitimately useful purposes, such as finding which of your friends already use a service. But an app should not do it unless users get something in return, and people tend to be unhappy when their personal data is used in ways they were not told about.
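As an added example that is not part of the original article or of Sarahah's code, the Python below shows the kind of check an analyst runs over requests captured by an intercepting proxy such as Burp Suite: it parses a raw HTTP request, pulls email addresses and phone numbers out of the body, and flags a POST carrying many identifiers as a probable address-book upload, while a login request carrying only the user's own email passes. The host name, paths, JSON field names and the threshold are assumptions, and both requests are constructed samples, not real captures.

```python
"""Flag bulk address-book uploads in captured app traffic.

Added example, not code from the original article or from Sarahah. The two
requests below are constructed to imitate what an intercepting proxy such as
Burp Suite shows when a phone's traffic is routed through it; the host, paths
and JSON field names are assumptions for illustration, not Sarahah's real API.
"""
import json
import re
from typing import Dict, List, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: optional '+', then 8+ digits with spaces/punctuation.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{6,}\d(?!\w)")


def build_request(host: str, path: str, body: str) -> str:
    """Serialise a minimal HTTP/1.1 POST the way a proxy would display it."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n"
        f"{body}"
    )


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_identifiers(body: str) -> Tuple[List[str], List[str]]:
    """Return de-duplicated email addresses and normalised phone numbers."""
    text = body
    try:
        text = json.dumps(json.loads(body))  # flatten nested JSON into one string
    except ValueError:
        pass  # not JSON (form-encoded, XML, ...): scan the raw body instead
    emails = sorted(set(EMAIL_RE.findall(text)))
    phones = sorted({re.sub(r"[\s().-]", "", p) for p in PHONE_RE.findall(text)})
    return emails, phones


def classify(raw: str, threshold: int = 5) -> Dict[str, object]:
    """Decide whether a captured request looks like an address-book upload.

    A login or profile update carries one or two identifiers (the user's own);
    a contact sync carries many that belong to other people. The threshold is
    an assumption; tune it against the app's normal requests.
    """
    method, target, headers, body = parse_request(raw)
    emails, phones = extract_identifiers(body)
    return {
        "host": headers.get("host", ""),
        "target": target,
        "emails": len(emails),
        "phones": len(phones),
        "bulk_contact_upload": method == "POST" and len(emails) + len(phones) >= threshold,
    }


# Constructed sample traffic (not real captures).
CONTACT_UPLOAD = build_request("api.example.invalid", "/v1/contacts/sync", json.dumps({
    "contacts": [
        {"name": "Alice", "phones": ["+1 555 010 1001"], "emails": ["alice@example.com"]},
        {"name": "Bob", "phones": ["+1 555 010 1002"], "emails": ["bob@example.com"]},
        {"name": "Carol", "phones": ["(555) 010-1003"], "emails": []},
        {"name": "Dave", "phones": [], "emails": ["dave@example.org"]},
        {"name": "Erin", "phones": ["+44 20 7946 0958"], "emails": ["erin@example.co.uk"]},
    ]
}))
LOGIN = build_request("api.example.invalid", "/v1/login",
                      json.dumps({"username": "me@example.com", "password": "hunter2"}))

if __name__ == "__main__":
    for name, raw in (("contact sync", CONTACT_UPLOAD), ("login", LOGIN)):
        print(name, classify(raw))
```

In practice you would feed this the request bodies exported from the proxy's history and look at every endpoint that trips the flag, then check whether the app exposes any feature that could justify it; the repeat upload after a period of inactivity described in the article would show up as the same endpoint being hit again with the same identifiers.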
"As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system," he said. He later verified the same occurs on Apple's iOS, albeit after a prompt to "access contacts," which also appears in newer versions of Android. It also emerged that if you have not used the app for a while, it uploads all of your contacts again.
Android 6.0 ("Marshmallow") and later grant permissions at runtime and let users revoke an app's access to contacts and other data individually (Settings > Apps > Gear button > App Permissions); note that an app built against an older SDK still gets its permissions at install time on these versions, but the user can revoke them afterwards from the same screen. However, apart from recent and expensive handsets, Android phones are slow to receive OS updates: over 54 per cent of Android users are on older versions without these controls, and those who do have them still need to know where to find the setting.
For Sarahah users concerned about privacy, the upshot is that they do not need to install the app at all: registering, sending and receiving messages all work through the website, which never asks for access to any address book.