The viral “honesty app” Sarahah, where you can send or receive anonymous messages, is not as anonymous as it appears as the app has been found uploading the user’s phone contacts on to the company’s servers. That’s biggest privacy problem according to Zachary Julian.

Zachary Julian a senior security analyst who works for IT security consulting firm Bishop Fox was the first to discover Sarahah uploading private information, using a monitoring software BURP Suite.

The app projects itself to be an “honest messaging service” where people can leave constructive feedback and claims it does not collect user data if you go by the privacy policy in the app. However, as the analyst revealed the app has been uploading entire contact books. According to the report, Julian discovered this when he installed the app on the Galaxy S5 (running on Android 5.1.1 Lollipop).

Julian’s phone has something called BURP Suite, a software that “which intercepts internet traffic entering and leaving the device,” and this spotted that Sarahah was uploading his private data. According to the researcher, the app “transmits all of email and phone contacts stored on Android.” Interestingly Sarahah appears to be doing the same on iOS as well. The researcher has also shared video showcasing exactly how the app continues to violate user privacy.

Though the app asks for user’s permission to access contacts, there is no such feature in the app where these contacts would be required or even a search feature where users can look up for a friend using a contact number.

First Sarahah didn’t reply to this report. Later creator of the app, Zain al-Abidin Tawfiq said that this feature was supposed to help in an upcoming update to the app, which would let users find their friends on the app. That’s hard to believe given the app is built around anonymity and finding friends on it would be counter-productive. Check this tweets

Sarahah App asked for contacts for a planned "find your friends" feature

— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017

While the developer insists this is a technical issue, which was to be removed from the app, it does raise questions around privacy and how the app is treating user data. Also, the researcher has shown, if the app is not used for some time, it again re-uploads the contact, so clearly this is a feature that was known by the developer.

It often seems suspicious if users do not get anything out of granting access to apps to their contact lists. For example, earlier in 2017, the newsletter unsubscription service Unroll.me drew a lot of criticism following allegations that it sold user data to cab-hailing service Uber.

The problem starts from when the question asked by Nayla Salibi (Journalist @ France Media Monde) about the privacy issue, the reply of creator of the app, Zain al-Abidin Tawfiq is very shocking, his reply is “The Sarahah database doesn’t currently hold a single contact.” Check this tweets

The Sarahah database doesn't currently hold a single contact.

— ZainAlabdin Tawfiq (@ZainAlabdin878) August 28, 2017

The problem is that privacy policy specifically states that if it plans to use your data, Sarahah will ask for permission. As the researcher points out, Sarahah should have been upfront from the beginning about what data they are accessing, rather than taking it on the sly. For users who are worried about their privacy on Sarahah, you can go to the Sarahah website and remove your account from the app. This is only available in the website settings and not on the app version.