The beloved Sarahah app steals users’ contacts

Sarahah silently uploads users’ contact lists to the company’s servers without asking permission


Sarahah[1] is a phenomenon in the app world. Developed by a Saudi Arabian developer in November 2017, it already has more than 18 million iPhone and Android users who love the idea of sharing opinions about their friends or colleagues anonymously.

Sarahah, also known as the “honesty app,”[2] seems to be not so honest with its users. While its developers encourage people all over the world to be honest with each other and say things that might be hard to say in person, they were not brutally honest with their 18 million users.

Users’ data was silently harvested and stored on the company’s servers for a while.[3] However, neither the Privacy Policy nor the official app store listings mentioned this activity.

Zain al-Abidin Tawfiq, the author of the app, admitted that the app collected users’ contacts, including phone numbers and emails, because the company was working on a “find your friends” feature.[4] It seems that they were planning to introduce a feature that allows finding friends or colleagues by phone number.

This “future feature” is controversial because the whole anonymity idea might easily be blown away: users might find a way to identify the people who sent them messages by using a phone number. However, it seems that this feature is not going to be introduced soon.

According to the creator of the app, this data collection scandal occurred due to “technical issues” that should have been fixed by a former partner. Apparently, that had not been done by the time this unpleasant news hit the headlines.

The big discovery

Zachary Julian, a senior security analyst at Bishop Fox,[5] was the one who discovered this shady activity of Sarahah. The researcher installed the app on Android 5.1.1 and, with the help of the intercepting proxy Burp Suite, observed the app’s network behavior.

According to Julian’s research, the app harvests private information as soon as the user logs in to Sarahah. It collects the phone contacts and email addresses stored on the Android device and then transfers that data to the company’s servers.
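As an added illustration (not from the original article or from Bishop Fox’s research), the script below shows how such behaviour stands out in an intercepting proxy capture: a request body that carries an entire address book contains far more phone numbers and email addresses than any login or profile request does. The request format, hostnames and contacts are constructed sample data.

```python
import json
import re

# Constructed sample of intercepted HTTP requests, in the shape a proxy export
# might take (assumed format, not Sarahah's real API or traffic).
CONTACTS = [
    {"name": f"Contact {i}", "phone": f"+1 415 555 01{i:02d}",
     "email": f"contact{i}@example.com"}
    for i in range(6)
]
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://api.example-app.test/v1/login",
     "body": json.dumps({"user": "alice", "password": "hunter2"})},
    {"method": "GET", "url": "https://api.example-app.test/v1/feed", "body": ""},
    {"method": "POST", "url": "https://api.example-app.test/v1/sync",
     "body": json.dumps({"contacts": CONTACTS})},
]

# Loose patterns: the goal is triage of a traffic capture, not validation.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def count_identifiers(body: str) -> tuple[int, int]:
    """Return (phone_count, email_count) found in a request body."""
    return len(PHONE_RE.findall(body)), len(EMAIL_RE.findall(body))


def flag_bulk_contact_uploads(requests, min_entries: int = 5) -> list[dict]:
    """Flag outbound requests whose body carries many contact-like identifiers.

    A login or profile update legitimately carries one phone or email; an
    address-book upload carries dozens, so a threshold separates the two
    while tolerating stray digit runs (timestamps, IDs) in normal traffic.
    """
    findings = []
    for req in requests:
        if req["method"] not in ("POST", "PUT", "PATCH"):
            continue
        phones, emails = count_identifiers(req["body"])
        if phones + emails >= min_entries:
            findings.append({"url": req["url"], "phones": phones, "emails": emails})
    return findings


if __name__ == "__main__":
    for f in flag_bulk_contact_uploads(SAMPLE_REQUESTS):
        print(f"possible contact exfiltration: {f['url']} "
              f"({f['phones']} phone numbers, {f['emails']} emails)")
```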

In some cases the app asked the user’s permission to access contacts; however, the specific reason for such a request is unknown. Most of the time, though, users were not asked whether they agreed to give access to their contacts. What is worse, no one told them properly that these details are stored on the company’s servers “for the future.”

Android 6.0 Marshmallow and newer versions of the OS allow limiting app permissions manually. Therefore, users can block Sarahah from accessing their information via the app permission settings (Settings > Personal > Apps > Configuration App > App permission).

Meanwhile, when iOS users install the app, they receive a prompt saying “The app needs to access your contacts to show you who has an account in Sarahah.” If they tap OK, the personal information is transferred to the company. If they choose the “Don’t allow” button, their contacts seem to be safe and sound.

Reading privacy policy does not always help

Nevertheless, the majority of computer users do not read privacy policies and have no clue what data tracking and sharing activities they have agreed to; this time, however, even reading this important document would not have helped.

According to Sarahah’s privacy policy (which is not long and should be read by each of the 18 million users), the company always asks permission to use particular information about the user. The collection of contact information, however, does not match that statement and seems shady.

The developer of Sarahah, though, claimed that all tracked information has been deleted from the company’s servers. Thus, users should not worry about it. However, some people may now have trust issues with an “honesty” app.

However, if you are one of the users who became confused or concerned about their privacy, you should know that these privacy-related issues do not arise if you use the web version of Sarahah.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
