Sarahah, the popular anonymous feedback app, has been quietly uploading its users' address books to the company's servers without their knowledge or permission. The behavior was spotted by security analyst Zachary Julian and first reported by The Intercept.
According to Julian, the Sarahah app, which is built around collecting honest feedback from friends, quietly harvests its users' phone contacts and uploads them to the company's servers, including every phone number and email address stored in the device's address book. Julian discovered the behavior by using monitoring software to observe what data Sarahah was sending and receiving from his Android phone. Among the data sent was “all of your email and phone contacts;” the same, he later determined, occurs on iOS as well.
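Julian's method, intercepting the app's traffic and reading what it sends, is a check anyone can reproduce against an app they distrust. The script below is an added example, not code from the article, from Julian or from Sarahah: it takes request bodies captured by an intercepting proxy together with the phone's address book, normalizes phone numbers and email addresses on both sides, and flags any request that carries a large share of the book. The URLs, the captured requests and the address book are constructed sample data; the article does not identify Sarahah's real endpoints or message format.

```python
"""Flag captured mobile-app requests that carry the device's address book.

Added illustration of the traffic-monitoring check described above. The
address book and the captured requests are constructed sample data, not
Sarahah's actual traffic; the api.example.invalid hostnames are placeholders.
"""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A digit run of 8+ characters allowing separators: "+1 (555) 010-2233", "5550106677"
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def normalize_phone(raw: str) -> str:
    """Reduce a phone number to its digits so formatting differences do not hide a match.
    Country-code handling is deliberately simplified for the example."""
    return re.sub(r"\D", "", raw)


def extract_identifiers(text: str) -> set:
    """Pull every email address and phone-number-looking token out of a raw request body."""
    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    phones = {normalize_phone(m) for m in PHONE_RE.findall(text)}
    return emails | phones


@dataclass
class Finding:
    url: str
    matched: int  # address-book identifiers that appeared in this request body
    total: int    # identifiers in the whole address book

    @property
    def share(self) -> float:
        return self.matched / self.total


def scan_requests(address_book, requests, threshold: float = 0.5):
    """Return a Finding for each request whose body contains at least `threshold`
    of the address book's identifiers. A login or single-invite request that
    carries one address stays well below the threshold and is not reported."""
    known = set()
    for contact in address_book:
        known.update(e.lower() for e in contact.get("emails", []))
        known.update(normalize_phone(p) for p in contact.get("phones", []))
    findings = []
    for req in requests:
        matched = len(extract_identifiers(req["body"]) & known)
        if known and matched / len(known) >= threshold:
            findings.append(Finding(req["url"], matched, len(known)))
    return findings


# Constructed address book: 4 phone numbers and 3 email addresses (7 identifiers).
ADDRESS_BOOK = [
    {"name": "Ann", "phones": ["+1 555-010-2233"], "emails": ["ann@example.com"]},
    {"name": "Bo", "phones": ["+1 555-010-4455"], "emails": ["bo@example.org"]},
    {"name": "Cy", "phones": ["+44 20 7946 0958"], "emails": ["cy@example.net"]},
    {"name": "Di", "phones": ["555-010-6677"], "emails": []},
]

# Constructed request bodies as an intercepting proxy would capture them.
CAPTURED_REQUESTS = [
    {"url": "https://api.example.invalid/login",
     "body": '{"user":"me@example.com","password":"hunter2"}'},
    {"url": "https://api.example.invalid/contacts/upload",
     "body": '{"contacts":[{"phone":"+15550102233","email":"ann@example.com"},'
             '{"phone":"+15550104455","email":"BO@example.org"},'
             '{"phone":"+442079460958","email":"cy@example.net"},'
             '{"phone":"5550106677"}]}'},
    {"url": "https://api.example.invalid/invite",
     "body": '{"invitee":"ann@example.com"}'},
]

if __name__ == "__main__":
    for f in scan_requests(ADDRESS_BOOK, CAPTURED_REQUESTS):
        print(f"{f.url}: {f.matched}/{f.total} address-book identifiers ({f.share:.0%})")
```

Only the bulk upload is reported; the login body and the single invite each carry at most one address and fall below the 50% threshold. Matching on normalized identifiers rather than on an endpoint name matters because the app, not the analyst, decides what the upload URL looks like.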
Zain al-Abidin Tawfiq, the app’s founder, said that contact lists are being uploaded “for a planned ‘find your friends’ feature” that was “delayed due to a technical issue.” After The Intercept pointed out the behavior, he tweeted “the data request will be removed on next update” and that Sarahah’s servers don’t “currently host contacts.”
Sarahah App asked for contacts for a planned "find your friends" feature
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” said Julian. While the app does disclose that it will access contacts, Julian said that is not “enough consent” to justify “sending all of those contacts over without any kind of specific notification.” On iOS, the app claims it will show you which people in your address book are using Sarahah, but it does not do so.
“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said.