Viral “Honesty App” Sarahah Discovered Stealing User Data

Rafia Shaikh
sarahah privacy security
Wants Researchers to Chase It for Flaws to Be Fixed... | Image Source: The Quint

Sarahah is designed to collect "honest feedback" from friends and employees. But, Zachary Julian, a senior security analyst at Bishop Fox, discovered that the app's been collecting more than that.

The new viral app that allows people to receive anonymous messages has already gained a lot of attention due to cyberbullying. However, its 18+ million users are in for another surprise. The no 3 most downloaded free app in the App Store has apparently been stealing your entire contact list. When using his Samsung Galaxy S5 running Android 5.1.1 Lollipop, Julian saw the app uploading his private data to a remote server. When launched for the first time, the app uploads your contact list, including phone numbers and email addresses.

Related StoryRafia Shaikh
Popular Anonymous Honesty App Sarahah Is Riddled with Security Issues

"As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system."

Julian added that the app does this all over again if you use it after a break. For example, he tested the app on Friday night and when he booted it up again on Sunday morning, it uploaded all his contacts once again. The security researcher confirmed that the app is doing the same on both the Android and iOS devices.

However, on the latest Android versions and iPhones, it is asking for a prompt to "access contacts," but without any justification of why it's doing so.

Sarahah developer says the app's doing so for a future feature

The app’s creator, Zain Al-Abidin Tawfiq, has said that the contact lists are being uploaded "for a planned 'find your friends' feature," which has been "delayed due to a technical issue." He claims that the database doesn't "host contacts" at the moment. Even if that's the case, Sarahah users might not be happy with this feature considering it could take the entire fun of anonymity out of the way with users being able to guess based on who uses the app in their contact list.

However, Julian doesn't seem impressed (video test). "The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent," he told the Intercept. "Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested."

If you are a Sarahah user, you can check the permissions on iOS from Settings > Sarahah. On Android, if you are using Android 6.0 Marshmallow or later, you can go to Settings > Personal > Apps > App Permission to stop the app from sending your contacts to a server.

Tawfiq has assured that "the data request will be removed on next update" sent to Sarahah.

Share this story

Deal of the Day