- Organize your life with the 10 best free calendar apps 1 Year Ago
- How many devices can you stream YouTube TV with at once? 1 Year Ago
- Watch Tiffany Pollard sell the sh*t out of Fenty Beauty makeup Monday 8:05 PM
- Speech pathologist sues Texas school district for right to boycott Israel Monday 5:25 PM
- ‘Fresh Prince’ actor sues Fortnite developer for using the Carlton dance Monday 4:40 PM
- 3D-printed head fools Android facial recognition Monday 3:01 PM
- FCC finally releases emails on Ajit Pai’s ‘Harlem Shake’ video Monday 2:33 PM
- Wall Street Journal website hacked with ‘apology’ to PewDiePie Monday 1:26 PM
- YouTube star James Charles feels ‘unsafe’ after home address leaks Monday 12:28 PM
- Jordan Peterson claims he’s building an alternative to Patreon Monday 12:19 PM
- We might finally see a same-sex Barbie set, thanks to this couple’s Instagram post Monday 12:16 PM
- Tumblr’s porn ban is here—and Twitter’s mourning it with memes Monday 11:58 AM
- Facebook blocks article on Yemeni crisis over photo of starving child Monday 11:55 AM
- Netflix reveals all-star voice cast for ‘Dark Crystal’ prequel Monday 11:51 AM
- Netflix warns users to be cautious of new phishing scam Monday 11:04 AM
The app’s founder says it’s for a planned feature.
Zachary Julian, a senior security analyst at Bishop Fox, discovered the intrusive behavior when he installed the social media app on his Samsung Galaxy S5 running Android 5.1.1. He used a monitoring software called Burp Suite to see what data was entering and leaving his phone.
“Once I logged in I noticed what I’ve come to expect—authentication requests to receive messages, profile info,” Julian told the Daily Dot. “Immediately after that—a couple seconds after logging in—it made two separate HTTP requests, one for all of your device’s phone contacts and all of your device’s emails.”
Sarahah App asked for contacts for a planned "find your friends" feature
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
Sarahah CEO Zain al-Abidin Tawfiq responded to the allegations in a tweet, saying the contact lists were uploaded for an upcoming “find your friends” feature that was delayed due to technical issues. He claims the Sarahah servers do not currently host contacts and that the data request will be removed on the next update.
Like most social media apps, both iOS and Android versions of Sarahah explicitly ask for a host of permissions, including contact lists. But the app failed to notify users with older Android devices that their email and contacts were being instantly uploaded to a server upon initial login.
“The address book on my phone consists of 164 contacts,” Julian wrote in a blog post. “Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users.”
You can see the Bishop Fox security analyst testing the uploads in this video:
It should be noted that iPhones and newer Android devices (Android Marshmallow or later) first pull up a prompt to “access contacts” before shipping off people’s data. The iOS version of the app even includes a pop-up hinting at the proposed feature the CEO mentioned: “The app needs to access your contacts to show you who has an account in Sarahah.”
It’s worth noting Sarahah isn’t overstepping because it uploads user’s data to its servers—that’s a common practice, especially among social apps—the issue is the information wasn’t being used for any service within the app, and according to Julian, “the app wasn’t upfront enough about what was happening.”
There is no friends list in the app, you can’t search for people by their phone number, and there is no way to see which of your contacts are using the app. As it stands, there’s no reason the app needs to upload user’s private data for any of its current functions.
It now appears the data may not have been saved, and that it was meant for a future feature, but those claims are unverifiable. We can only rely on the word of the app’s founder.
We will, however, be able to see if the data request disappears when the app is updated. As of Tuesday, Aug. 29, the data uploading continues.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.