Sarahah app is uploading your contacts to its servers without your permission

Sarahah, the popular anonymous messaging app, is reportedly sending your phone’s contacts to the company’s servers without your permission. The app had gone viral over the past few months and somewhere around 18 million people have downloaded it from Apple and Google’s app stores.
Now, according to a report published by The Intercept, the app that allows users to get “honest feedback” from their friends, quietly harvests and uploads the user’s contacts including all phone numbers and email addresses to its servers.
The report quotes Zachary Julian, a senior security analyst at Bishop Fox. He first discovered that Sarahah was uploading private information when he installed the app on his Galaxy S5 running Android 5.1.1.
His device was running security monitoring software called Burp Suite, which shows the data a device sends to remote servers. On installing and running Sarahah, Julian discovered that the app was sending his phone’s contact data to the company’s servers without proper permissions.
While Sarahah does ask for permission to access a user’s contacts during installation, it does not specify that those contacts are uploaded to its servers. According to the report, the app’s privacy policy states that if Sarahah plans to use your data, it will ask for your permission. The data transfer is not limited to Android, either: it also occurs on iOS devices after you give the app permission to “access contacts.”
Moreover, as per Julian’s testing, if users don’t open the Sarahah app for a few days, it pushes the contacts data all over again when the app is restarted. Julian restarted the app after a gap of two days, and all his contacts were sent to the Sarahah servers again.
Sarahah did not initially comment on the issue, but Sarahah founder Zain al-Abidin Tawfiq later replied that the contacts functionality had been intended for a ‘find your friends’ feature and that the feature was delayed due to “technical issues”.
When first launched, this app harvests and uploads all phone numbers and email addresses in your address book. https://interc.pt/2xnrXrn 
Sarahah App asked for contacts for a planned "find your friends" feature
While the company says this is a technical issue and that the functionality was to be removed from the app, it does raise questions about users’ privacy and how the app is using their data.
“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said.
Julian says if the company intends to continue accessing the data, it should specifically inform the user about the data they are giving up and where it is going. It should also provide the users with a legitimate reason as to why the app actually needs it.
