The Sarahah app sends all contacts and email addresses stored on a user’s phone to the company’s servers without seeking proper permissions
The Sarahah app has recorded millions of downloads on the Google Play Store and the Apple App Store combined. According to Julian, the app, which plays on getting users “honest feedback” from their friends, quietly harvests and uploads its users’ phone contacts to the company’s servers. These include all phone numbers and email addresses stored in your device’s address book.
While Sarahah does ask for permission to access a user’s contacts, it does not disclose that those contacts are being uploaded to and stored on its servers. Julian, a senior security analyst at Bishop Fox, installed the Sarahah app on a Galaxy S5 running Android 5.1.1. The device’s traffic was routed through Burp Suite, an intercepting proxy, which allowed him to see the data his phone was sending to remote servers. On installing and running Sarahah, Julian discovered that the app was sending his personal contacts data to the company’s servers without proper permissions.
After this security flaw was discovered, Sarahah’s creator, Zain al-Abidin Tawfiq, tweeted that the contact-storing behaviour would be removed from the app in future updates and had been put in place for a “find your friends” feature. He also told The Intercept that the feature was supposed to have been removed by a partner with whom he has since stopped working, but the partner somehow “missed that.” Tawfiq went on to claim that the function of storing contacts had been removed from the servers and that Sarahah’s servers no longer store any contacts, but this claim is unverified, as security researchers cannot observe what happens on the server side of the app.