- Video meme of a mom dancing with her kids goes viral—again Monday 7:26 PM
- ‘Due to personal reasons’ meme enables questionable behavior Monday 3:36 PM
- Why do white rappers write lyrics about being good hypothetical dads? Monday 3:29 PM
- Roger Stone posts, then deletes, Instagram of his judge with small crosshairs next to her Monday 2:32 PM
- People are Googling Rihanna and their birthday in a Twitter challenge Monday 2:13 PM
- Here are all of the Fortnite earthquake cracks thus far Monday 1:21 PM
- New Apex Legends characters leaked by data miners Monday 12:36 PM
- Ken Jeong falls back on crude humor and lazy stereotypes in ‘You Complete Me, Ho’ Monday 12:24 PM
- 14 artsy cartoon mugs that’ll help make your days more creative Monday 12:15 PM
- Netflix cancels ‘Jessica Jones’ and ‘The Punisher’ Monday 11:26 AM
- YouTube is fueling the rise in flat earth believers Monday 11:04 AM
- Review: Crackdown 3 is not a world worth saving Monday 11:00 AM
- Scathing privacy report calls Facebook a ‘digital gangster’ Monday 10:50 AM
- 21 Savage goes deep on 21 Savage memes Monday 10:49 AM
- Everyone is debating the number of towels you should own Monday 10:47 AM
The app’s founder says it’s for a planned feature.
Zachary Julian, a senior security analyst at Bishop Fox, discovered the intrusive behavior when he installed the social media app on his Samsung Galaxy S5 running Android 5.1.1. He used a monitoring software called Burp Suite to see what data was entering and leaving his phone.
“Once I logged in I noticed what I’ve come to expect—authentication requests to receive messages, profile info,” Julian told the Daily Dot. “Immediately after that—a couple seconds after logging in—it made two separate HTTP requests, one for all of your device’s phone contacts and all of your device’s emails.”
Sarahah App asked for contacts for a planned "find your friends" feature
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
Sarahah CEO Zain al-Abidin Tawfiq responded to the allegations in a tweet, saying the contact lists were uploaded for an upcoming “find your friends” feature that was delayed due to technical issues. He claims the Sarahah servers do not currently host contacts and that the data request will be removed on the next update.
Like most social media apps, both iOS and Android versions of Sarahah explicitly ask for a host of permissions, including contact lists. But the app failed to notify users with older Android devices that their email and contacts were being instantly uploaded to a server upon initial login.
“The address book on my phone consists of 164 contacts,” Julian wrote in a blog post. “Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users.”
You can see the Bishop Fox security analyst testing the uploads in this video:
It should be noted that iPhones and newer Android devices (Android Marshmallow or later) first pull up a prompt to “access contacts” before shipping off people’s data. The iOS version of the app even includes a pop-up hinting at the proposed feature the CEO mentioned: “The app needs to access your contacts to show you who has an account in Sarahah.”
It’s worth noting Sarahah isn’t overstepping because it uploads user’s data to its servers—that’s a common practice, especially among social apps—the issue is the information wasn’t being used for any service within the app, and according to Julian, “the app wasn’t upfront enough about what was happening.”
There is no friends list in the app, you can’t search for people by their phone number, and there is no way to see which of your contacts are using the app. As it stands, there’s no reason the app needs to upload user’s private data for any of its current functions.
It now appears the data may not have been saved, and that it was meant for a future feature, but those claims are unverifiable. We can only rely on the word of the app’s founder.
We will, however, be able to see if the data request disappears when the app is updated. As of Tuesday, Aug. 29, the data uploading continues.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.