The viral “honesty app” Sarahah, which lets users send and receive anonymous messages, is not as private as it appears: the app has been found uploading users’ phone contacts to the company’s servers. That is its biggest privacy problem, according to Zachary Julian.
Zachary Julian, a senior security analyst at the IT security consulting firm Bishop Fox, was the first to discover Sarahah uploading private information, using the interception proxy Burp Suite.
Julian routed his phone’s traffic through Burp Suite, a tool “which intercepts internet traffic entering and leaving the device,” and this revealed that Sarahah was uploading his private data. According to the researcher, the app “transmits all of email and phone contacts stored on Android.” Sarahah appears to do the same on iOS as well. The researcher has also shared a video showing exactly how the app uploads this data.
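The check below is an added example, not code from Julian, Bishop Fox or Sarahah: it shows how a tester can confirm the kind of finding described above once traffic is flowing through an intercepting proxy. It takes a constructed contact list and a few constructed request records (the hostnames, paths and field names are assumptions for the example, not Sarahah’s real endpoints) and reports every request whose body carries e-mail addresses or phone numbers from the address book, normalising phone formatting so “(555) 010-0002” and “5550100002” match.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a small contact list as an app could read it from the device.
# Illustrative entries only, not data from the researcher's capture.
DEVICE_CONTACTS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "+1 555 010 0001"},
    {"name": "Bob Example", "email": "Bob@Example.org", "phone": "(555) 010-0002"},
    {"name": "Carol Example", "email": "carol@example.net", "phone": "+44 20 7946 0003"},
]

# Constructed sample: requests as an intercepting proxy such as Burp Suite would log them.
# Hostnames, paths and JSON keys are assumptions for this example, not real endpoints.
CAPTURED_REQUESTS: List[Dict[str, str]] = [
    {
        "method": "POST",
        "url": "https://api.example.invalid/v1/account/login",
        "body": json.dumps({"username": "victim", "password": "hunter2"}),
    },
    {
        "method": "POST",
        "url": "https://api.example.invalid/v1/contacts/upload",
        "body": json.dumps({"contacts": [
            {"n": "Alice Example", "e": "alice@example.com", "p": "+1 555 010 0001"},
            {"n": "Bob Example", "e": "bob@example.org", "p": "5550100002"},
        ]}),
    },
    {"method": "GET", "url": "https://api.example.invalid/v1/messages", "body": ""},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# A digit, then at least five digits/separators, then a closing digit: catches
# "+1 555 010 0001", "(555) 010-0002" and bare "5550100002" alike.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{5,}\d")


def normalize_phone(raw: str) -> str:
    """Keep digits only so differently formatted copies of one number compare equal."""
    return re.sub(r"\D", "", raw)


def extract_identifiers(body: str) -> Tuple[Set[str], Set[str]]:
    """Pull lower-cased e-mail addresses and digit-only phone numbers out of a request body."""
    emails = {m.lower() for m in EMAIL_RE.findall(body)}
    phones = {normalize_phone(m) for m in PHONE_RE.findall(body)}
    return emails, phones


def find_contact_leaks(requests: List[Dict[str, str]],
                       contacts: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per request whose body carries identifiers from the contact list."""
    known_emails = {c["email"].lower(): c["name"] for c in contacts}
    known_phones = {normalize_phone(c["phone"]): c["name"] for c in contacts}
    findings: List[Dict[str, object]] = []
    for req in requests:
        emails, phones = extract_identifiers(req.get("body", ""))
        leaked = {known_emails[e] for e in emails if e in known_emails}
        leaked |= {known_phones[p] for p in phones if p in known_phones}
        if leaked:
            findings.append({
                "method": req["method"],
                "url": req["url"],
                "leaked_contacts": sorted(leaked),
                "fraction_of_address_book": len(leaked) / len(contacts),
            })
    return findings


if __name__ == "__main__":
    for f in find_contact_leaks(CAPTURED_REQUESTS, DEVICE_CONTACTS):
        print(f"{f['method']} {f['url']}: {len(f['leaked_contacts'])} contacts "
              f"({f['fraction_of_address_book']:.0%} of address book): {f['leaked_contacts']}")
```

The script only sees what the proxy sees: the device must trust the proxy’s CA for TLS traffic to be readable, and an app that pins its certificate will not connect through it at all. Seeding the address book with unique, otherwise unused entries before the test makes a match unambiguous, and re-running the capture after leaving the app idle shows whether the upload repeats.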
Though the app asks for the user’s permission to access contacts, there is no feature in the app that needs those contacts, not even a search feature that lets users look up a friend by phone number.
At first Sarahah did not reply to the report. Later the creator of the app, Zain al-Abidin Tawfiq, said that the feature was meant for an upcoming update that would let users find their friends on the app. That is hard to believe given that the app is built around anonymity, and finding friends on it would be counter-productive. See this tweet:
Sarahah App asked for contacts for a planned "find your friends" feature
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
While the developer insists this is a technical issue that was to be removed from the app, it does raise questions about privacy and how the app treats user data. Also, as the researcher showed, if the app is not used for some time it re-uploads the contacts, so this is clearly behaviour the developer knew about.
It often looks suspicious when users get nothing in return for granting an app access to their contact lists. For example, earlier in 2017 the newsletter unsubscription service Unroll.me drew heavy criticism following allegations that it sold user data to the ride-hailing service Uber.
The problem becomes starker when Nayla Salibi (journalist at France Media Monde) asked about the privacy issue: the reply from the app’s creator, Zain al-Abidin Tawfiq, is very surprising. His reply was “The Sarahah database doesn’t currently hold a single contact.” See this tweet:
The Sarahah database doesn't currently hold a single contact.
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 28, 2017