SARAHAH, A NEW APP that lets people sign up to receive anonymous, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google's online stores, making it the third most downloaded free software title for iPhones and iPads.
Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book.
Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.
Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1.
The phone's traffic was routed through Burp Suite, an intercepting proxy that captures the HTTP(S) requests leaving a device and shows the owner exactly what data is sent to remote servers (to inspect TLS traffic, the proxy's certificate must first be trusted by the device). When Julian launched Sarahah on the phone, Burp Suite caught the app in the act of uploading his private data.
“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said.
He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android.
Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again. He did some testing on the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again. (You can see some of his testing in this video.)
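The two observations above, an app uploading the whole address book and then doing it again after a period of inactivity, are exactly what an intercepting proxy makes visible. The following is an added illustration, not code from Sarahah, The Intercept or Burp Suite: it takes raw HTTP requests as a proxy would capture them, counts the distinct email addresses and phone numbers in each body, flags requests that carry more identifiers than any single feedback message could need, and tallies how often each endpoint receives such an upload. The host, path, field names and contact entries in the sample requests are constructed for the example.

```python
"""Flag intercepted HTTP requests that look like address-book uploads.

Added example; the sample requests below are constructed, and the host,
path and JSON field names are assumptions, not Sarahah's real API.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed capture of a contact-list upload as an intercepting proxy
# would display it. The endpoint and field names are assumptions.
SAMPLE_CONTACT_UPLOAD = (
    "POST /api/contacts/sync HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    + json.dumps({"contacts": [
        {"name": "Alice", "phones": ["+1 555 0100"], "emails": ["alice@example.com"]},
        {"name": "Bob", "phones": ["+1 555 0101"], "emails": []},
        {"name": "Carol", "phones": [], "emails": ["carol@example.net"]},
        {"name": "Dave", "phones": ["+1 555 0103"], "emails": ["dave@example.org"]},
    ]})
)

# Constructed capture of a benign request: one feedback message, no identifiers.
SAMPLE_FEEDBACK_POST = (
    "POST /api/messages HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    + json.dumps({"to": "someone", "message": "Great talk, honest feedback: keep it shorter."})
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Optional leading '+', then at least eight digits possibly separated by
# spaces, dots, dashes or parentheses.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def split_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP request into request line, lowercase headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def count_identifiers(body: str) -> Tuple[int, int]:
    """Return (distinct emails, distinct phone numbers) found in a request body."""
    emails = set(m.lower() for m in EMAIL_RE.findall(body))
    # Normalise phone numbers to digits only so formatting differences do not
    # inflate the count.
    phones = set(re.sub(r"\D", "", m) for m in PHONE_RE.findall(body))
    return len(emails), len(phones)


def flag_contact_upload(raw: str, threshold: int = 5) -> Dict[str, object]:
    """Describe one request and flag it when it carries many identifiers.

    A single message or login carries at most one or two identifiers; a body
    with `threshold` or more distinct emails plus phones is treated as an
    address-book upload worth reporting.
    """
    request_line, headers, body = split_request(raw)
    emails, phones = count_identifiers(body)
    return {
        "endpoint": " ".join(request_line.split()[:2]),  # e.g. "POST /api/contacts/sync"
        "host": headers.get("host"),
        "emails": emails,
        "phones": phones,
        "suspicious": emails + phones >= threshold,
    }


def count_uploads(captures: List[str], threshold: int = 5) -> Dict[str, int]:
    """Tally, per endpoint, how many captured requests were flagged as uploads.

    Replaying a proxy log through this shows repeat uploads of the same
    address book, the behaviour described after a weekend of inactivity.
    """
    tally: Counter = Counter()
    for raw in captures:
        report = flag_contact_upload(raw, threshold)
        if report["suspicious"]:
            tally[str(report["endpoint"])] += 1
    return dict(tally)


if __name__ == "__main__":
    for raw in (SAMPLE_CONTACT_UPLOAD, SAMPLE_FEEDBACK_POST):
        print(flag_contact_upload(raw))
    print(count_uploads([SAMPLE_CONTACT_UPLOAD, SAMPLE_FEEDBACK_POST, SAMPLE_CONTACT_UPLOAD]))
```

The threshold is deliberately crude: the point is not to parse any particular API but to notice that a "feedback" app has no reason to send dozens of third-party identifiers in one request, and to notice when the same endpoint receives them again later. Feeding real captures through a check like this is also how to verify a vendor's claim that an upload has been removed from the client, which is the only side of the exchange an outside tester can observe.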
Sarahah did not initially respond to requests for comment. After this piece was published, the app’s creator, Zain al-Abidin Tawfiq, tweeted that the contacts functionality would be removed in a future release and had been intended for a “‘find your friends’ feature.” He later told The Intercept the feature was stymied by “technical issues” and that a partner, who he has since stopped working with, was supposed to remove it from the app but “missed that.”
He claims the functionality was, however, removed from the server and that Sarahah stores no contacts in its databases. This cannot be independently verified: an outside tester can only observe what the app sends, not what the server keeps.
Drew Porter, founder of security firm Red Mesa, said that this type of behavior is more common than most users would expect, especially when an app is free like Sarahah.
He said that even if users are willing to trust a piece of software with their address book data, there are reasons to avoid trusting the internet servers associated with the app.
“It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised,” he said. “It’s not just, ‘Oh, this company can see my information and I’m okay with that.’ You now have to think about the security of that company.”
Asked about Sarahah, Porter added, “I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don’t know the security of the company that is getting it. We’ve seen popular apps before, total information leakage comes out, and it’s devastating to those companies. I believe it’s even more devastating to the user whose information was compromised.”
Cybercrime has penetrated our society so deeply that it has become difficult to recognize. Usually, apps found on social websites that claim to reveal who might be "stalking you" or "loving you" are traps. Hence, in this age one has to be extra careful with such scams, which can leak our private data and manipulate it for other purposes.