Technology 6 min read

Sarahah App Allegedly Stealing Contact List Info From Users

Sarahah App | Sarahah.com

Sarahah App | Sarahah.com

Sarahah app, the viral ‘honesty app’ that has become everyone’s favorite mobile application is now facing serious scrutiny from security experts after being found storing contact information without the knowledge of users.

What is the Sarahah app?

Zain al-Abidin Tawfiq - creator of the Sarahah app
Zain al-Abidin Tawfiq – creator of the Sarahah app | @ZainAlabdin878 | Twitter.com

The Sarahah app is a Social Networking Communication Site and App that was developed by Saudi Arabian developer Zain al-Abidin Tawfiq. It was originally launched in November 2016 as a simple social networking web site.

In Arabic, Sarahah means ‘honesty,’ the core value from which the application was said to be founded.

According to an article from Mashable, Tawfiq’s original vision for Sarahah was to create a tool that would help employees provide unfiltered feedback to their employers.

#Sarahahapp caught allegedly stealing contact information from its users!Click To Tweet

The Humble Beginnings of the Sarahah app

The ‘honesty app’ was built on the developer’s belief that anonymity can make people more honest with their messages. Tawfiq realized that the Sarahah app could potentially improve the process of providing constructive feedback to employees within the corporate setting. He said:

“There’s an issue in the workplace people need to communicate frankly to their bosses.”

However, the Arabian developer also believed that his program could help people share honest feedback with their friends without fear of causing conflicts or straining the relationship because of the anonymity provided by the app.

After sharing Sarahah with his so called ‘influencer friend,’ Tawfiq’s website which initially had around 70 users immediately gained momentum. The website went viral in different Arab countries and acquired thousands of users.

Because of its popularity, Tawfiq decided to launch the Sarahah app in the Google Play Store and Apple’s App Store on June 13th of this year. Shortly after its debut, people from around the world took notice of the ‘honest app’ and started downloading it.

By July, the Sarahah app was already on top of the most downloaded apps in over 30 countries worldwide and has more than 300 million users to date. However, things got shady for the viral app when a security analyst found out that the application was allegedly, quietly uploading phone contacts to the company’s server.

The Deal With Sarahah App Storing Contact Information

According to a report from the Intercept, Zachary Julian, a senior security analyst at the Bishop Fox allegedly installed the Sarahah app on his Samsung Galaxy S5 which runs on Android 5.1.1 Lollipop.

https://youtu.be/mDqkBBDt0h8

Julian’s phone was equipped with a BURP suite which monitors the traffic of everything that comes in and out of his mobile phone. The monitoring software can apparently track phone data that is being sent to remote servers.

Upon launching of the Sarahah app, the BURP suite immediately caught the app uploading his personal data onto Sarahah’s company server.

“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” Julian said.

Julian conducted further investigation and found out that the same thing happens for Apple mobile phones. However, in Apple smartphones and Android phones running newer versions of Android OS, an ‘access contacts’ prompt is being shown to the user.

The analyst also noticed that the Sarahah app re-uploads the contact information if you reboot the app or failed to use it for a while.

While apps requesting contact details and other information is nothing new, especially for applications requiring the use of such information, no such feature is available in Sarahah right now.

“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent, while the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not enough consent to justify sending all of those contacts over without any kind of specific notification.”

In his defense, Tawfiq responded to the report by saying that his app harvests and uploads contact information from the users’ phones to the company servers for an upcoming feature that will be implemented at a later time.

Tawfiq explained that a certain ‘find your friend’ feature is on the way but was delayed due to technical difficulties. He went on to say that the request for contact information will be removed on the next Sarahah app update.

What Other Experts Have to say About the Sarahah app

Drew Porter, the founder of security firm Red Mesa, said that this kind of behavior is common to free apps like Sarahah. While there are reasons to entrust address book data to an application program, Porter believes that people should still be vigilant.

“It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised.

It’s not just, ‘Oh, this company can see my information and I’m OK with that.’ You now have to think about the security of that company,” Porter explained.

Porter further added that what the company did was concerning.

“I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don’t know the security of the company that is getting it. We’ve seen popular apps before, total information leakage comes out, and it’s devastating to those companies. I believe it’s even more devastating to the user whose information was compromised.”

Will Strafach, president of Sudo Security Group Inc., shared the same sentiments, citing that since developers only have access to the servers and what is happening behind the user interface, no one can vouch for the security of the data. In a statement to the Intercept, he said:

“Even in an innocent use case, if the data is not being handled safely, a server breach could allow malicious parties access to this contacts data. Additionally, there is no silver bullet to solving this.

My team wrote software to automatically detect this behavior in iOS apps in order to call out bad actors, but we found that the information was not as useful as anticipated, because so many apps are doing it, and there is no reliable way to tell if the data is being handled safely on the server’s side, and that is the most important part.”

Right now, Sarahah app users are advised to review their mobile phone settings and limit the permission given to the app until the update Tawfiq promised has been rolled out.

Aside from the Sarahah app, are you comfortable sharing personal information to the application programs that you download on the Play Store and App store? Let us know in the comment section below!

First AI Web Content Optimization Platform Just for Writers

Found this article interesting?

Let Chelle Fuertes know how much you appreciate this article by clicking the heart icon and by sharing this article on social media.


Profile Image

Chelle Fuertes

Chelle is the Product Management Lead at INK. She's an experienced SEO professional as well as UX researcher and designer. She enjoys traveling and spending time anywhere near the sea with her family and friends.

Comments (0)
Most Recent most recent
You
share Scroll to top

Link Copied Successfully

Sign in

Sign in to access your personalized homepage, follow authors and topics you love, and clap for stories that matter to you.

Sign in with Google Sign in with Facebook

By using our site you agree to our privacy policy.