‘Honesty app’ Sarahah is dishonest, as it uploads your phone contacts to the server
Sarahah, the anonymous feedback messaging app, is all over the place. Be it Facebook, Twitter, Instagram or Snapchat, everyone is talking about the app for the past couple of weeks.
For those unaware, ‘Sarahah’ – means ‘honesty’ in Arabic, is an app that allows the users to send anonymous messages to others registered with the app. Created by Saudi Arabian developer Zain al-Abidin Tawfiq, the app is aimed to help people identify their strengths and weaknesses. However, users have no way of knowing who sent the message or how to reply to them. The app is available in two languages, English and Arabic, for iOS and Android users.
“Sarahah helps you in discovering your strengths and areas for improvement by receiving honest feedback from your employees and your friends in a private manner”, the app description explains.
However, it now appears that the app is collecting more just than feedback messages. Apparently, the app is uploading users’ phone numbers and email addresses in the address book to the company’s servers, which was spotted by Zachary Julian, a senior security analyst at Bishop Fox when he installed the app on his Android smartphone, a Galaxy S5 running Android 5.1.1.
When this news was reported by The Intercept, Zain al-Abidin Tawfiq responded by tweeting that the contact lists were being uploaded “for a planned ‘find your friends’ feature.” However, the removal of the functionality was “delayed due to a technical issue.” He now claims that the functionality has removed from the server and the data request will be removed in a future release. He also tweeted that Sarahah currently stores no contacts in its databases, which is impossible to verify.
Sarahah uploading address book data from The Intercept on Vimeo.
Julian discovered the behaviour of Sarahah by using BURP Suite, a traffic analyzer, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, BURP Suite caught the app in the act of uploading his private data.
“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. The same occurrence was later determined on Apple’s iOS too, although after a prompt to “access contacts,” which also appears in newer versions of Android.
The above occurrence clears that the app is somewhere interested in your contacts. For instance, on iOS, the app says “the app needs to access your contacts to show you who has an account in Sarahah,” and allows the user to select between “Okay” and “Don’t allow.” On the other hand, in some cases on Android, the app requests access to contacts without providing any explanation for needing such access, while in other cases it makes no such request. On both iOS and Android, there is no mention of data being uploaded to a server.
“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” Julian said. “While the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not “enough consent” to justify “sending all of those contacts over without any kind of specific notification,” he added. On the other hand, the app on iOS platform claims to use contact data in the user’s address book to show them their list of friends using Sarahah, which it actually does not do, reveals the testing done by Julian.
Even though the app’s privacy policy states that, “We will never sell the data you provide to any third party as part of personal marketing without your prior and written consent unless it was a part of bulk data used for statistics and research and it won’t contain any data to identify you,” it is not completely clear as to what Sarahah uses uploaded contact lists for.
For those who really want to use Sarahah and are concerned about their privacy can take comfort from the fact that they do not require to download the app to use the service. You can instead register yourself on Sarahah via a website after which you be allowed to send and receive messages. The site doesn’t ask for or require access to your contacts in the digital address books for you to use Sarahah.
