Zachary Julian, a senior security analyst at Bishop Fox, discovered the intrusive behavior when he installed the social media app on his Samsung Galaxy S5 running Android 5.1.1. He used a monitoring software called Burp Suite to see what data was entering and leaving his phone.
“Once I logged in I noticed what I’ve come to expect—authentication requests to receive messages, profile info,” Julian told the Daily Dot. “Immediately after that—a couple seconds after logging in—it made two separate HTTP requests, one for all of your device’s phone contacts and all of your device’s emails.”
Sarahah App asked for contacts for a planned "find your friends" feature
— Zain-Alabdin Tawfiq (@ZainAlabdin878) August 27, 2017
Sarahah CEO Zain al-Abidin Tawfiq responded to the allegations in a tweet, saying the contact lists were uploaded for an upcoming “find your friends” feature that was delayed due to technical issues. He claims the Sarahah servers do not currently host contacts and that the data request will be removed on the next update.
Like most social media apps, both iOS and Android versions of Sarahah explicitly ask for a host of permissions, including contact lists. But the app failed to notify users with older Android devices that their email and contacts were being instantly uploaded to a server upon initial login.
“The address book on my phone consists of 164 contacts,” Julian wrote in a blog post. “Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users.”
You can see the Bishop Fox security analyst testing the uploads in this video:
It should be noted that iPhones and newer Android devices (Android Marshmallow or later) first pull up a prompt to “access contacts” before shipping off people’s data. The iOS version of the app even includes a pop-up hinting at the proposed feature the CEO mentioned: “The app needs to access your contacts to show you who has an account in Sarahah.”
It’s worth noting Sarahah isn’t overstepping because it uploads user’s data to its servers—that’s a common practice, especially among social apps—the issue is the information wasn’t being used for any service within the app, and according to Julian, “the app wasn’t upfront enough about what was happening.”
There is no friends list in the app, you can’t search for people by their phone number, and there is no way to see which of your contacts are using the app. As it stands, there’s no reason the app needs to upload user’s private data for any of its current functions.
It now appears the data may not have been saved, and that it was meant for a future feature, but those claims are unverifiable. We can only rely on the word of the app’s founder.
We will, however, be able to see if the data request disappears when the app is updated. As of Tuesday, Aug. 29, the data uploading continues.