The Sarahah app quietly entered the social networking scene earlier this year and has since gone viral, with users attracted by the anonymity it offers. The app’s creator says he developed it as a way for users to express their opinions honestly without fear of consequences, but it seems that the app might not be as open and honest with users as they are with each other.
Sarahah app captures 18 million users
The Sarahah app was launched early this year, but already, more than 18 million people may be using it. The app has attracted so many downloads that it became the third most-downloaded free app in Apple’s App Store.
The app’s appeal lies in what it offers users: the ability to honestly say whatever they want to others without having to reveal their identity when doing it. But using it also means that you’re opening yourself up to the same criticism you want to dish out to other people. The app became instantly popular with American teens as a way to swap gossip and even bully classmates, in some cases.
Are you sure you want to give permission for that?
Whenever the Sarahah app is launched on a device for the first time, one of the first things it does is upload all of the information from the user’s contacts. Sometimes it does ask the user for permission to access their contacts, but most people tend to just blindly tap “accept” on these user permissions. Besides, it seems perfectly obvious why the app needs to access the user’s address book because it may try to find the people they know on the social network, making it easier to hand out so-called “honest criticisms.”
However, one thing the Sarahah app doesn’t tell users about is that it’s uploading their address books and contact information for everyone they know to its servers, The Intercept claims. The website reports that Bishop Fox senior security analyst Zachary Julian was the first to discover that the app was uploading all the information of users’ contacts to its servers.
Sarahah app collects info on users’ contacts
Julian told The Intercept that he noticed right away upon downloading and installing Sarahah onto his Galaxy S5 that it was uploading his address book to its server. His S5 was running Android 5.1.1 at the time, but with some added security: Burp Suite, the monitoring software he created. Burp Suite intercepts any data that’s either being downloaded onto the device or uploaded from the device to another location. The software enables users to see what data their device is uploading to servers somewhere, and Julian said that it caught the Sarahah app uploading the private data of his contacts to its server.
The security analyst said that the upload happens the moment the user logs into it for the first time, transmitting “all of your email and phone contacts stored on the Android operating system.” Later, he was able to verify that the app does the same thing when used on iOS devices, although there it asks the users if it can access their contacts. This request for access now occurs on newer Android versions as well, The Intercept adds.
According to Julian, not only does the Sarahah app collect the user’s address book the first time they use it, but it also collects it again if the app hasn’t been used for a long time. He told The Intercept that he tested the app on a Friday night and then booted the app again on Sunday morning, and at that time, it collected his address book again.
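The kind of check Julian ran by hand in a proxy can be automated: the added example below (not code from the article, from Bishop Fox or from Sarahah) walks a constructed list of intercepted requests and flags any outbound body carrying bulk e-mail addresses or phone numbers, which is what an address-book upload looks like on the wire. Hostnames, paths and the sample bodies are placeholders invented for the example.

```python
import json
import re
from typing import Dict, List

# Constructed sample of intercepted requests, shaped like what an
# intercepting proxy (e.g. Burp Suite) shows: method, host, path, body.
# Hosts and paths are placeholders, not the app's real endpoints.
SAMPLE_REQUESTS = [
    {"method": "POST", "host": "api.example-social.invalid", "path": "/login",
     "body": json.dumps({"user": "alice", "pass": "hunter2"})},
    {"method": "POST", "host": "api.example-social.invalid", "path": "/sync",
     "body": json.dumps({"contacts": [
         {"name": "Bob", "phone": "+1 555 0100", "email": "bob@example.org"},
         {"name": "Carol", "phone": "+1 555 0101", "email": "carol@example.org"},
         {"name": "Dan", "phone": "+1 555 0102", "email": "dan@example.org"},
         {"name": "Eve", "phone": "+1 555 0103"},
     ]})},
    {"method": "GET", "host": "cdn.example-social.invalid", "path": "/avatar/1",
     "body": ""},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def count_contact_fields(body: str) -> Dict[str, int]:
    """Count distinct e-mail addresses and phone numbers in a request body."""
    return {
        "emails": len(set(EMAIL_RE.findall(body))),
        "phones": len(set(PHONE_RE.findall(body))),
    }


def flag_bulk_contact_uploads(requests: List[dict], threshold: int = 3) -> List[dict]:
    """Return outbound requests carrying at least `threshold` distinct e-mail
    addresses or phone numbers. A login or profile update carries one at most;
    an address-book sync carries the whole contact list."""
    flagged = []
    for req in requests:
        if req["method"] not in ("POST", "PUT", "PATCH"):
            continue  # only data leaving the device matters here
        counts = count_contact_fields(req["body"])
        if max(counts.values()) >= threshold:
            flagged.append({"host": req["host"], "path": req["path"], **counts})
    return flagged


if __name__ == "__main__":
    for hit in flag_bulk_contact_uploads(SAMPLE_REQUESTS):
        print(f"bulk contact data sent to {hit['host']}{hit['path']}: {hit}")
```

Pointed at a proxy export of real traffic, the same function turns the "it uploads again after a weekend" observation into a timestamped record of every sync the app performs.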
“Free” apps aren’t really free
The app’s creator, Zain al-Abidin Tawfiq, didn’t respond to The Intercept’s initial request for a comment on what Julian found. However, he tweeted later that they will remove the functionality in a future version of the app. He explained that it was meant to help users find their friends on the social network. After that tweet, he told the media outlet that “technical issues” were affecting the functionality and that a partner he no longer works with was told to remove it but somehow “missed” it.
Now he claims that this functionality has been removed from Sarahah’s server and that it doesn’t store any contacts in its databases. However, The Intercept adds that there’s no way to verify this.
Security researcher Drew Porter of Red Mesa told the media outlet that Sarahah is certainly not unique in that it collects address book information from users, a behavior that’s particularly common among free apps. That’s right, those apps aren’t actually free; you’re just not paying in dollars, euros, pounds or any other monetary currency. But Porter says users should think long and hard before using apps that collect any of their data because there’s no way to know how safe that data is from hackers.