Sarahah app uploading users’ contacts to company’s servers
28 Aug 2017
Sarahah, a new app that allows people to sign up to receive anonymised, candid messages, is uploading users' details.
The app, which is fast gaining popularity, has been downloaded by over 18 million people from Apple's and Google's online stores, according to estimates, making it the number three most downloaded free software title for iPhones and iPads.
Sarahah touts itself as a way to "receive honest feedback" from friends and employees. The app, however, is collecting more than feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in the user's address book. Although in certain cases it asks for permission to access contacts, it does not disclose that it uploads such data. It also does not seem to make any functional use of the information.
Zachary Julian, a senior security analyst at the IT security firm Bishop Fox, discovered that the app was uploading private information when he installed it on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was equipped with monitoring software known as Burp Suite, which intercepts internet traffic entering and leaving the device and lets the owner see what data is sent to remote servers. It was thanks to Burp Suite that Julian caught the app in the act of uploading his private data.
According to Julian, the app quietly harvests and uploads its user's phone contacts to the company's servers, including all phone numbers and email addresses stored in the device's address book.
While Sarahah does ask for permission to access a user's contacts, it does not specify that those contacts are being uploaded to and stored on its servers. Julian, a senior security analyst at Bishop Fox, installed the Sarahah app on a Galaxy S5 running Android 5.1.1.
According to Julian's testing, if a user does not open the Sarahah app for a few days, it pushes the contacts data all over again the next time it is launched. When Julian relaunched the app after a gap of two days, all his contacts were pushed to the Sarahah servers again.
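The kind of check that makes a finding like Julian's repeatable is to scan intercepted requests for bodies carrying far more phone numbers or email addresses than a single login or profile update would need. The script below is an added illustration, not Bishop Fox's tooling or anything from the Sarahah app; it assumes the proxy capture has already been reduced to (host, body) pairs, and the sample requests and hostnames are constructed.

```python
import re
from collections import Counter

# Constructed sample of intercepted requests, as a proxy such as Burp Suite
# would show them, reduced to (destination host, request body). Hosts and
# values are made up for the example.
SAMPLE_REQUESTS = [
    ("api.example-app.invalid", '{"device":"galaxy-s5","session":"abc123"}'),
    ("api.example-app.invalid",
     '{"contacts":[{"phone":"+15555550101","email":"a@example.org"},'
     '{"phone":"+15555550102","email":"b@example.org"},'
     '{"phone":"+15555550103","email":"c@example.org"}]}'),
    ("cdn.example-app.invalid", "GET /avatar.png"),
]

# Loose patterns: a phone-like run of at least nine digit/separator
# characters, and an email address. Good enough to count identifiers in a
# body; not meant to validate them.
PHONE_RE = re.compile(r"\+?\d[\d\-\s()]{7,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def count_contact_fields(body):
    """Return (phone_count, email_count) found in one request body."""
    return len(PHONE_RE.findall(body)), len(EMAIL_RE.findall(body))


def flag_bulk_contact_uploads(requests, threshold=3):
    """Count, per destination host, the requests whose body carries at least
    `threshold` phone numbers or email addresses. One or two identifiers are
    normal for a sign-up; dozens in a single request look like an address
    book being uploaded, which is exactly the traffic worth questioning."""
    flagged = Counter()
    for host, body in requests:
        phones, emails = count_contact_fields(body)
        if phones >= threshold or emails >= threshold:
            flagged[host] += 1
    return flagged


if __name__ == "__main__":
    for host, n in flag_bulk_contact_uploads(SAMPLE_REQUESTS).items():
        print(f"{host}: {n} request(s) carrying bulk contact data")
```

A real capture would also repeat this on first launch and again after the app has been idle for a few days, since that is when the re-upload described above was observed.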
After the security flaw was uncovered, Sarahah creator Zain al-Abidin Tawfiq tweeted that the contact-storing behaviour had been put in place for a "find your friends" feature and will be removed from the app in future updates.