Sarahah app exposed for quietly uploading users' contacts to company servers without proper permissions
The anonymous messaging app Sarahah has been uploading its users' phone contacts to the company's servers without their knowledge or explicit consent. The behaviour was first discovered by security analyst Zachary Julian, and The Intercept was the first publication to report it. Harvesting a user's entire address book is a serious privacy failure for Sarahah users and exposes both them and the people in their contact lists to further risk. Sarahah's privacy policy states that it will not sell user data to third parties unless it is part of bulk data used for statistics and research.
The Sarahah app has recorded millions of downloads on the Google Play Store and the Apple App Store combined. According to Julian, the app, which is marketed as a way to get "honest feedback" from friends, quietly harvests and uploads its users' phone contacts to the company's servers. This includes every phone number and email address stored in the device's address book.
While Sarahah does ask for permission to access a user's contacts, it does not disclose that those contacts are then uploaded and stored on its servers. Julian, a senior security analyst at Bishop Fox, installed the Sarahah app on a Galaxy S5 running Android 5.1.1 and routed the device's traffic through Burp Suite, an intercepting proxy, which let him inspect the data the phone was sending to remote servers. On installing and launching Sarahah, Julian saw the app transmit his personal contacts to the company's servers, with nothing in the app indicating that the upload was taking place. Note that Android 5.1.1 predates runtime permissions, so contact access on that version is granted through the permission list shown at install time rather than a prompt while the app runs.
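Julian's method, watching what the app sends through an intercepting proxy, can be turned into a simple triage check on captured requests. The following is an added example, not code from the page, from Julian, Bishop Fox or Sarahah: it parses a raw HTTP request of the kind a proxy such as Burp Suite can save to a file, flattens a JSON body, and counts values that look like email addresses or phone numbers so that an address-book upload stands out from an ordinary login request. The host name, paths and both request bodies below are constructed for the example and do not describe Sarahah's actual API.

```python
"""Flag intercepted HTTP requests that carry address-book data.

Added example (not the page's or Sarahah's code). Assumes raw HTTP
requests as exported from an intercepting proxy; the sample requests
below are constructed and the host/path names are hypothetical.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: optional '+', then 9+ characters of digits and
# common separators, ending in a digit. Short numeric IDs do not match.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")


@dataclass
class Finding:
    host: str
    path: str
    emails: int
    phones: int

    @property
    def suspicious(self) -> bool:
        # A login or signup carries one email or number; an address-book
        # upload carries many. Threshold is a judgement call for triage.
        return self.emails + self.phones >= 5


def parse_request(raw: bytes) -> tuple[str, str, dict, bytes]:
    """Split a raw HTTP/1.1 request into method, path, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def _flatten(value) -> list[str]:
    """Collect every scalar in a JSON structure as a string."""
    if isinstance(value, dict):
        return [s for v in value.values() for s in _flatten(v)]
    if isinstance(value, list):
        return [s for v in value for s in _flatten(v)]
    return [str(value)]


def scan_request(raw: bytes) -> Finding:
    """Count contact-like values in the body of one captured request."""
    _method, path, headers, body = parse_request(raw)
    text = body.decode("utf-8", errors="replace")
    try:
        # JSON bodies: flatten so nested contact objects are counted too.
        text = " ".join(_flatten(json.loads(text)))
    except ValueError:
        pass  # not JSON; scan the raw body text as-is
    return Finding(
        host=headers.get("host", ""),
        path=path,
        emails=len(EMAIL_RE.findall(text)),
        phones=len(PHONE_RE.findall(text)),
    )


def _request(path: str, payload: dict) -> bytes:
    """Build a constructed POST request to a hypothetical host."""
    body = json.dumps(payload).encode()
    head = (
        f"POST {path} HTTP/1.1\r\n"
        "Host: api.example-app.test\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


# Constructed samples: a bulk contact upload and a normal login.
SAMPLE_UPLOAD = _request("/v1/contacts", {
    "device_id": "abc123",
    "contacts": [
        {"name": "Alice", "phone": "+1 555 010 0101", "email": "alice@example.com"},
        {"name": "Bob", "phone": "+1 555 010 0102"},
        {"name": "Carol", "email": "carol@example.org"},
        {"name": "Dan", "phone": "555-010-0104", "email": "dan@example.net"},
    ],
})
SAMPLE_LOGIN = _request("/v1/login", {"email": "me@example.com", "password": "hunter2"})

if __name__ == "__main__":
    for raw in (SAMPLE_UPLOAD, SAMPLE_LOGIN):
        f = scan_request(raw)
        print(f"{f.host}{f.path}: {f.emails} emails, {f.phones} phones, "
              f"suspicious={f.suspicious}")
```

Run over a directory of saved proxy requests, this gives a quick list of which endpoints received bulk contact data; a single hit on a login endpoint is expected, while dozens of numbers going to one request after first launch is the pattern Julian described.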
The transfer of user contacts and email addresses to the Sarahah servers is not limited to Android; the same happens on iOS once the app has been granted permission to access contacts. According to Julian's testing, if a user has not opened the Sarahah app for a few days, it uploads the contacts again on the next launch. When Julian relaunched the app after a gap of two days, all of his contacts were sent to the Sarahah servers a second time.
After the behaviour was disclosed, Sarahah's creator, Zain al-Abidin Tawfiq (Twitter: @ZainAlabdin878), tweeted that the contact-storing behaviour would be removed from the app in a future update and that it had been put in place for a "find your friends" feature. He also told The Intercept that the feature was supposed to have been removed by a partner he has since stopped working with, but that the partner "missed that." Tawfiq went on to claim that the contact-storing function had been removed from the servers and that Sarahah's servers no longer hold any contacts. That claim cannot be verified from the outside: researchers can observe what the app sends, but not what the server does with the data once it arrives.
“The privacy policy
specifically states that if it plans to use your data, it’ll ask for your
consent,” said Julian. While the app does specify it will access contacts, as
per Julian, it is not “enough consent” to justify “sending all of those
contacts over without any kind of specific notification.” On iOS, while the app
claims it will show you who in your address book is using the Sarahah app, it
does not do so.
“Sarahah has between 10 and
50 million installs on just the Play Store alone for Android, so if you
extrapolate that number, it could easily get into hundreds of millions of phone
numbers and email addresses that they’ve harvested,” Julian said.
Some of Julian's tests of the Sarahah app can be seen in this video: https://vimeo.com/231153024