Sarahah is designed to collect "honest feedback" from friends and employees. But Zachary Julian, a senior security analyst at Bishop Fox, discovered that the app has been collecting more than that.
The new viral app that allows people to receive anonymous messages has already gained a lot of attention due to cyberbullying. However, its 18+ million users are in for another surprise. The No. 3 most downloaded free app in the App Store has apparently been stealing your entire contact list. Using his Samsung Galaxy S5 running Android 5.1.1 Lollipop, Julian saw the app uploading his private data to a remote server. When launched for the first time, the app uploads your contact list, including phone numbers and email addresses.
"As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system."
Julian added that the app does this all over again if you use it after a break. For example, he tested the app on Friday night, and when he launched it again on Sunday morning it uploaded all his contacts once more. The security researcher confirmed that the app behaves the same way on both Android and iOS.
However, on the latest Android versions and on iPhones, the app does show a prompt asking to "access contacts," but without any explanation of why it needs them.
Sarahah developer says the app's doing so for a future feature
The app's creator, Zain Al-Abidin Tawfiq, has said that the contact lists are being uploaded "for a planned 'find your friends' feature," which has been "delayed due to a technical issue." He claims that the database doesn't "host contacts" at the moment. Even if that's the case, Sarahah users might not welcome such a feature: it could strip away the anonymity that makes the app fun, since a user could guess who sent a message by looking at which of their contacts use the app.
It was delayed due to a technical issue. The database doesn't currently host contacts and the data request will be removed on next update.
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
If you are a Sarahah user, you can check the app's permissions on iOS under Settings > Sarahah. On Android 6.0 Marshmallow or later, go to Settings > Personal > Apps > App Permissions and revoke the Contacts permission to stop the app from sending your contacts to a server.
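As an added example that is not part of the original article: a small Python helper that reads the runtime-permissions section of `adb shell dumpsys package <pkg>` output on Android 6.0+, reports which contacts permissions an app currently holds, and builds the `adb shell pm revoke` commands that withdraw them. The dumpsys excerpt below is constructed, and the package name is a placeholder, not Sarahah's real identifier.

```python
import re
from typing import Dict, List

# Constructed excerpt of `adb shell dumpsys package <pkg>` output (Android 6.0+),
# trimmed to the runtime-permissions section. The package name is a placeholder.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.placeholder.app] (a1b2c3):
    userId=10123
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)")
CONTACT_PERMS = {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"}


def parse_runtime_permissions(dump: str) -> Dict[str, bool]:
    """Map each runtime permission listed in the dumpsys text to its granted state."""
    perms: Dict[str, bool] = {}
    in_section = False
    for line in dump.splitlines():
        if line.strip() == "runtime permissions:":
            in_section = True
            continue
        if not in_section:
            continue
        m = PERM_RE.match(line)
        if m is None:
            # The section ends at the first non-blank line that is not a permission entry.
            if line.strip():
                in_section = False
            continue
        perms[m.group(1)] = m.group(2) == "true"
    return perms


def granted_contact_permissions(dump: str) -> List[str]:
    """Contacts-related permissions the app has actually been granted."""
    perms = parse_runtime_permissions(dump)
    return sorted(p for p, granted in perms.items() if granted and p in CONTACT_PERMS)


def revoke_commands(package: str, dump: str) -> List[str]:
    """adb commands that withdraw each granted contacts permission (pm revoke, Android 6.0+)."""
    return [f"adb shell pm revoke {package} {p}" for p in granted_contact_permissions(dump)]
```

Run it against real output by piping `adb shell dumpsys package <pkg>` into `parse_runtime_permissions`; the same check works for any app that asks for contacts access without explaining why.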
Tawfiq has assured users that "the data request will be removed on next update" to Sarahah.