Sarahah is the newest app to become a craze on social media. Its claim to fame? Letting you receive anonymous messages and feedback from your friends and everyone else.
It has become so popular that it already has more than 18 million downloads. It is also the third most downloaded free application on iTunes and among the top 5 downloaded apps in the Play Store.
But now, some recent developments have put a damper on its popularity.
Cause for Alarm
Well, the surprising news is that the hit app does more than just get you honest feedback – it uploads your private data, including your email and phone contacts, when you first launch the app, without informing users. Talk about a privacy nightmare, especially for an app that’s supposed to be all about your privacy!
Although the newer Android versions and the iOS app ask for permission to access the contacts, the app does not disclose how this information is used or where it is uploaded, says Bishop Fox’s senior security analyst Zachary Julian.
How it Was Discovered
Julian discovered that the app was uploading his address book when he first launched it on his Android-powered Galaxy S5. Using the intercepting proxy Burp Suite to inspect the app’s network traffic, he could see whether the data was being sent to any remote server.
He also found that the app uploads your contacts again when it is used after a while, and the same happens whenever the app is relaunched.
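The check Julian performed, confirming that an intercepted request actually carries the device’s address book, can be automated. The following is an added example written for this article; it is not code from Bishop Fox, Sarahah or the original author. It takes a raw HTTP request as an intercepting proxy such as Burp Suite would display it, pulls every email address and phone number out of the body, and compares them against a known contact list. The host, path, JSON layout and all contact data are constructed for illustration and are not Sarahah’s real API.

```python
import re

# Constructed sample: one HTTP request as an intercepting proxy (e.g. Burp Suite)
# would show it. Host, path and JSON layout are assumptions for illustration,
# not the real Sarahah API.
CAPTURED_REQUEST = (
    "POST /v1/contacts/sync HTTP/1.1\r\n"
    "Host: api.example-app.invalid\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"contacts":[{"name":"Alice","phone":"+1 555 123 4567","email":"alice@example.com"},'
    '{"name":"Bob","phone":"(555) 987-6543"}],"device":"galaxy-s5"}'
)

# Constructed address book of the test device: what the analyst knows is on the phone.
DEVICE_CONTACTS = [
    {"name": "Alice", "phone": "+1 555 123 4567", "email": "alice@example.com"},
    {"name": "Bob", "phone": "555-987-6543", "email": "bob@example.com"},
    {"name": "Carol", "phone": "555-000-1111", "email": "carol@example.com"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Loose phone pattern: a leading digit (optionally "+"), then digits/spaces/punctuation.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def normalize_phone(number):
    """Keep digits only so '+1 555 123 4567' and '(555) 123-4567' compare equal."""
    return re.sub(r"\D", "", number)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def identifiers_in(text):
    """Return (emails, normalized phone numbers) found anywhere in the text."""
    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    phones = {normalize_phone(m) for m in PHONE_RE.findall(text)}
    return emails, phones


def contacts_leak_report(raw_request, device_contacts, min_matches=2):
    """Flag a request whose body contains at least min_matches known contacts.

    Matching against the device's own address book (rather than just counting
    phone-like strings) avoids false positives from timestamps or IDs in the body.
    """
    method, path, headers, body = parse_request(raw_request)
    emails, phones = identifiers_in(body)
    known_emails = {c["email"].lower() for c in device_contacts if c.get("email")}
    known_phones = {normalize_phone(c["phone"]) for c in device_contacts if c.get("phone")}
    matched_emails = emails & known_emails
    matched_phones = phones & known_phones
    total = len(matched_emails) + len(matched_phones)
    return {
        "method": method,
        "path": path,
        "host": headers.get("host", ""),
        "matched_emails": sorted(matched_emails),
        "matched_phones": sorted(matched_phones),
        "leaks_contacts": total >= min_matches,
    }


if __name__ == "__main__":
    report = contacts_leak_report(CAPTURED_REQUEST, DEVICE_CONTACTS)
    print(report)
```

In practice the raw request would be copied out of the proxy’s history, and the contact list exported from the test device; running the check after first launch, after a period of idleness and after a relaunch is what reveals the repeated uploads the article describes.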
The founder of Sarahah, Zain Alabdin Tawfiq, responded by saying that the contacts were uploaded with the intention of introducing a ‘Find your Friends’ feature, and that it will be removed in the next version of the app.
He also said that they were facing technical issues in removing the feature, and that his app does not store any contacts in its databases.
Drew Porter, a researcher at the security firm Red Mesa, raised concerns over the app, saying:
“It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised.
The app asks for a request on iOS devices by saying that ‘the app needs to access your contacts to show you who has an account in Sarahah’ without doing so, while in some cases, in Android, it doesn’t even specifically mention any reason.”