Sarahah Quietly Uploads Your Address Book


Sarahah, the anonymous feedback app, went viral in a very short time. Although the app was meant for receiving honest feedback from friends, people used it to abuse and bully others.

Researchers also raised doubts about the app's permissions. The app asked for permission to access contacts but had no use for them, and it did not make clear why it asked for such permissions.

Now Zachary Julian, a senior security analyst at Bishop Fox, has discovered something serious about Sarahah: the app uploads private information from the phone to its server. Zachary tested the app on his Galaxy S5 running Android 5.1.1 and used Burp Suite to intercept its traffic. He found that the app was uploading his private data.

He confirmed that the app transmits all of the email and phone contacts stored on the Android phone. He also tested the iOS version and found the same behavior.

When the news broke, the developer of the app tweeted to explain why this behavior was added. He said that contacts were accessed for an upcoming “find your friends” feature, but the feature was delayed due to technical issues.

I am personally not happy with this response. If they had something like this in the plan, there should be proper disclosure about this. We have seen several apps leaking or selling our personal data. The recent case of was also similar.

The privacy policy of the app itself says that it will ask for your consent if it plans to use your data. It also claims that the data will not be sold to any third party without prior and written consent. Sending contacts to the server without notifying users is not acceptable.

If you are one of the Sarahah users, you need to be more careful next time before trusting any random app.

