Now, according to a report published by The Intercept, the app that allows users to get “honest feedback” from their friends, quietly harvests and uploads the user’s contacts including all phone numbers and email addresses to its servers. The report is quoting Zachary Julian, a senior security analyst at Bishop Fox. He first discovered that Sarahah is uploading private information when he installed the app on his Galaxy S5 running Android 5.1.1. His device was having a security monitoring software called BURP Suite. The software allows seeing data from the device being sent to any remote servers. So, on installing and running Sarahah, Julian discovered that the app was sending his phone’s contact data to the company’s servers without proper permissions. While Sarahah does ask for permission to access a user’s contacts while installing, it does not specify that the same are being uploaded on its servers. The report claims that if you go by the privacy policy in the app, it states that if it plans to use your data, Sarahah will ask for your permission. Also, the data transfer is not only limited to Android OS and the same also occurs on iOS devices as well after you give permissions to “access contacts.” Moreover, as per Julian’s testing, if users don’t access the Sarahah app for a few days, it pushes contacts data all over again when the app is rebooted. Julian rebooted the app after a gap of two days, and all his contacts were sent to the Sarahah servers again. Sarahah did not initially comment on the issue but later Zain al-Abidin Tawfiq, Sarahah founder replied that the contacts functionality had been intended for a ‘find your friends’ feature and the feature was delayed due to “technical issues”.
— زين العابدين توفيق (@ZainAlabdin878) August 27, 2017 While the company says this is a technical issue, which was to be removed from the app, this does raise questions about the privacy of the users and how the app is using user’s data. “Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said. Julian says if the company intends to continue accessing the data, it should specifically inform the user about the data they are giving up and where it is going. It should also provide the users with a legitimate reason as to why the app actually needs it.
