This Popular Messaging App Could be Downloading Data from Your Address Book
Sarahah, the anonymous messaging app, is in trouble. Recent reports suggest that it uploads every phone number and e-mail address in your phone's address book to its servers.
The Intercept reports: “Sarahah bills itself as a way to ‘receive honest feedback’ from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.”
It was security analyst Zachary Julian who discovered and first reported the issue. The Intercept report says: “Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.”
On Android 5 and below, the app gets access to the contacts silently, without any user interaction, because permissions on those versions are granted once at install time. From Android 6 onwards, which introduced runtime permission prompts, it asks the user for access to the contacts with the message “Allow Sarahah to access your contacts?”, followed by ‘Deny’ and ‘Allow’ buttons. Zachary Julian writes: “Upon pressing ‘Allow’, all phone and email contacts will be uploaded to Sarahah. The address book on my phone consists of 164 contacts. Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users. Overall, Sarahah does not provide enough information for users to make an informed decision whether using the application is worth sharing this sensitive data.”
On iOS, Sarahah likewise asks for access to contacts and, once access is granted, transmits all of the contact data. Zachary Julian points out that Sarahah “…does not provide users enough information on how their phone’s contact details will be used.”
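The check Julian ran with Burp Suite, in code, as an added example (not code from the article, The Intercept or Bishop Fox): take a raw HTTP request as an intercepting proxy shows it, pull every phone number and e-mail address out of the body, and compare them against the address book you planted on the test phone. The two requests below are constructed for this example; the host, paths and JSON field names are assumptions and are not Sarahah's actual API.

```python
"""Flag address-book uploads in intercepted HTTP traffic.

Added example; not code from the article, The Intercept or Bishop Fox.
The requests, host, paths and field names below are constructed
assumptions for illustration, not Sarahah's real API.
"""
import re

# Constructed sample: an app posting its user's contacts to a backend
# (hypothetical host and path).
CONTACT_UPLOAD = (
    b"POST /api/contacts/sync HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"contacts": ['
    b'{"name": "Alice", "phone": "+1 415 555 0100", "email": "alice@example.com"}, '
    b'{"name": "Bob", "phone": "+44 20 7946 0958", "email": "bob@example.org"}, '
    b'{"name": "Carol", "phones": ["+1 (212) 555-0199", "+1 646 555 0123"]}'
    b"]}"
)

# Constructed benign sample: one feedback message, one address, no bulk data.
FEEDBACK_POST = (
    b"POST /api/messages HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"to": "alice@example.com", "text": "Great talk on Tuesday, call me on 555-0100"}'
)

# Constructed address book planted on the test phone (what you expect to leak).
MY_CONTACTS = [
    "+1 (415) 555-0100", "alice@example.com",
    "+44 20 7946 0958", "bob@example.org",
    "+1 212 555 0199", "+1 646 555 0123",
    "dave@example.net",
]

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_request(raw: bytes):
    """Split a raw HTTP request into request line, header dict and body."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    lines = head.decode("utf-8", "replace").splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def normalise_phone(s: str) -> str:
    """Digits only, so '+1 (415) 555-0100' and '+1 415 555 0100' compare equal."""
    return re.sub(r"\D", "", s)


def extract_identifiers(body: bytes):
    """Phone numbers and e-mails in a body, whatever the encoding: JSON, form
    fields and plain text all carry the same literal strings."""
    text = body.decode("utf-8", "replace")
    phones = {normalise_phone(m) for m in PHONE_RE.findall(text)}
    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    return phones, emails


def assess(raw: bytes, my_contacts, threshold: int = 5) -> dict:
    """Report how much address-book data one request carries.

    my_contacts: the numbers and e-mails you know are on the test phone.
    A request carrying many distinct identifiers, most of them from that
    list, is the signal; the threshold is a judgement call for the tester.
    """
    request_line, headers, body = split_request(raw)
    phones, emails = extract_identifiers(body)
    known = {c.lower() if "@" in c else normalise_phone(c) for c in my_contacts}
    matched = (phones | emails) & known
    return {
        "request": request_line,
        "host": headers.get("host", ""),
        "phones": len(phones),
        "emails": len(emails),
        "matched_contacts": len(matched),
        "address_book_upload": len(phones) + len(emails) >= threshold,
    }


if __name__ == "__main__":
    for req in (CONTACT_UPLOAD, FEEDBACK_POST):
        print(assess(req, MY_CONTACTS))
```

Run against a Burp history export rather than the two constructed requests and the `matched_contacts` figure is the one that matters: a login or feedback call may legitimately carry one address, but a single request containing most of the address book you seeded is exactly what Julian saw.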
Responding to the report in The Intercept, Sarahah’s founder, Zain al-Abidin Tawfiq, tweeted that the app had asked for contacts for a planned “find your friends” feature. In replies to his tweet, he explained further that the feature had been delayed by a technical issue.
Think twice before granting a new app access to your contacts or similar data. It is not only your own information at stake: an address-book upload exposes the names, phone numbers and e-mail addresses of everyone in it, none of whom agreed to share them with the app, so one careless tap can make you the channel through which other people's data leaks.
Julia Sowells
Julia Sowells is a technology and security professional. Over a decade in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and served as technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.