Sarahah, an anonymous feedback app that has recently exploded in popularity across the globe, is now coming under fire for privacy violations. The app stands accused of uploading email addresses and phone numbers from users' address books to its servers. More intriguingly, there doesn't seem to be any reason why the company would need to take such an ill-advised action in the app's current form.
The developers of Sarahah describe the app, stating, “Sarahah helps you in discovering your strengths and areas for improvement by receiving honest feedback from your employees and your friends in a private manner”.
That's all well and good, but Bishop Fox security analyst Zachary Julian discovered that the app was harvesting every email address and phone number from his smartphone's address book. Julian installed the app on a Samsung Galaxy S5 running Android 5.1.1. He also had Burp Suite, a tool that monitors incoming and outgoing internet traffic, running in the background on the smartphone. That is how he discovered that Sarahah was sending private user information to its own servers.
You can see this in real-time in a video that Julian posted to Vimeo:
Like most iOS and Android apps that want access to your personal information (including contacts), Sarahah prompts you to accept this request (although the app will still function if you decline). However, at no point does Sarahah explain that it will upload your address book to use for its own purposes. Interestingly enough, the Sarahah app makes no use of a friends list, and you can't search for people by looking up their phone number. So there isn't even really a reason for Sarahah to have access to your email addresses or phone numbers, let alone upload this information to its servers in secret.
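The check Julian performed with an intercepting proxy can be automated. The following is an added example (not code from this article, from Bishop Fox, or from Sarahah): it scans a set of proxied outbound requests and flags any whose body carries a bulk of e-mail addresses or phone numbers, the signature of an address book being uploaded wholesale rather than a single login e-mail or a one-off phone verification. The request set, URLs and contact entries are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of proxied HTTP requests (not real Sarahah traffic):
# method, URL and decoded request body as an intercepting proxy such as
# Burp Suite would display them. The hostname is a placeholder.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://api.example-app.invalid/login",
     "body": '{"user":"alice","pass":"hunter2"}'},
    {"method": "POST", "url": "https://api.example-app.invalid/contacts/sync",
     "body": '{"contacts":['
             '{"name":"Bob","phone":"+1 555 010 0001","email":"bob@example.com"},'
             '{"name":"Carol","phone":"+1 555 010 0002","email":"carol@example.com"},'
             '{"name":"Dave","phone":"+1 555 010 0003","email":"dave@example.com"}]}'},
    {"method": "GET", "url": "https://api.example-app.invalid/messages?since=0",
     "body": ""},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: optional '+', then 8+ digits allowing separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def _digits(s: str) -> str:
    """Normalise a phone number to its digits so formatting differences collapse."""
    return re.sub(r"\D", "", s)


def count_contact_identifiers(body: str) -> Dict[str, int]:
    """Count the distinct e-mail addresses and phone numbers found in a request body."""
    emails = set(EMAIL_RE.findall(body))
    phones = {_digits(m) for m in PHONE_RE.findall(body)}
    return {"emails": len(emails), "phones": len(phones)}


def flag_bulk_contact_uploads(requests: List[dict], threshold: int = 3) -> List[dict]:
    """Return outbound write requests carrying at least `threshold` distinct
    e-mail addresses or phone numbers, i.e. likely address-book uploads."""
    flagged = []
    for req in requests:
        if req["method"] not in ("POST", "PUT", "PATCH"):
            continue  # reads cannot carry the address book out
        counts = count_contact_identifiers(req["body"])
        if max(counts.values()) >= threshold:
            flagged.append({"url": req["url"], **counts})
    return flagged


def address_book_overlap(body: str, address_book: List[str]) -> int:
    """How many entries of the tester's own (normalised) address book appear in the body."""
    found_emails = set(EMAIL_RE.findall(body))
    found_phones = {_digits(m) for m in PHONE_RE.findall(body)}
    hits = 0
    for entry in address_book:
        if ("@" in entry and entry in found_emails) or \
           ("@" not in entry and _digits(entry) in found_phones):
            hits += 1
    return hits
```

Running `flag_bulk_contact_uploads(SAMPLE_REQUESTS)` singles out the `/contacts/sync` request with three e-mails and three phone numbers, while `address_book_overlap` confirms which of your own contacts left the device.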
Faced with backlash from the discovery, the app's developer, Zain al-Abidin Tawfiq, took to Twitter:
It was delayed due to a technical issue. The database doesn't currently host contacts and the data request will be removed on next update. — ZainAlabdin Tawfiq (@ZainAlabdin878), August 27, 2017
He claims that this behavior is the result of a “find your friends” feature that has not yet been released. However, some users aren't buying that excuse:
Probably should have waited till the feature was ready. Also, doesn't "find your friend" defeat the purpose of an anonymous platform? — Farai Gandiya (@fgandiya), August 28, 2017
That said, users should tread carefully with Sarahah until the commotion surrounding this privacy gaffe dies down.