
Sarahah app is uploading your contacts to its servers without your permission

Sarahah, the popular anonymous messaging app, is reportedly sending your phone’s contacts to the company’s servers without your permission. The app had gone viral over the past few months and somewhere around 18 million people have downloaded it from Apple and Google’s app stores.
Now, according to a report published by The Intercept, the app that lets users get “honest feedback” from their friends quietly harvests the user’s contacts, including all phone numbers and email addresses, and uploads them to its servers.
The report quotes Zachary Julian, a senior security analyst at Bishop Fox, who first discovered that Sarahah was uploading private information when he installed the app on his Galaxy S5 running Android 5.1.1.
His device was set up with the security testing tool Burp Suite, an intercepting proxy that lets the tester see every piece of data the device sends to remote servers. On installing and running Sarahah, Julian discovered that the app was sending his phone’s contact data to the company’s servers without proper permission.
While Sarahah does ask for permission to access a user’s contacts during installation, it does not say that those contacts will be uploaded to its servers. The report notes that the app’s own privacy policy states that Sarahah will ask for permission before using your data. The transfer is not limited to Android: the same upload happens on iOS devices once the user grants the “access contacts” permission.
Moreover, according to Julian’s testing, if a user does not open the Sarahah app for a few days, it uploads the contacts all over again when the app is relaunched. Julian reopened the app after a gap of two days, and all of his contacts were sent to Sarahah’s servers a second time.
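As an added example, not code from the article or from Bishop Fox’s testing, this is the kind of check that turns a proxy capture like Julian’s into a finding: scan each outbound request body for the device’s own phone numbers and email addresses, and record which endpoint received them and how often, so a repeat upload days later shows up as a second timestamp. The hosts, paths, timestamps, request bodies and address book are constructed and are not Sarahah’s.

```python
import json
import re

# Constructed address book of the test device, used as the reference set.
DEVICE_CONTACTS = {
    "phones": {"+15550102233", "+15550104455", "+15550106677"},
    "emails": {"bob@example.org", "carol@example.org", "dave@example.org"},
}

# Constructed request body resembling a contact upload (not Sarahah's format).
SYNC_BODY = json.dumps({"contacts": [
    {"name": "Bob", "phone": "+1 555-010-2233", "email": "bob@example.org"},
    {"name": "Carol", "phone": "+1 555-010-4455", "email": "carol@example.org"}]})

# Constructed intercepted outbound requests, in the shape an intercepting-proxy
# export might take; hosts, paths and timestamps are invented for illustration.
CAPTURED_REQUESTS = [
    {"ts": "2017-08-25T09:00:00Z", "host": "api.example-app.test",
     "path": "/v1/login", "body": json.dumps({"user": "alice", "token": "abc123"})},
    {"ts": "2017-08-25T09:00:02Z", "host": "api.example-app.test",
     "path": "/v1/contacts/sync", "body": SYNC_BODY},
    # The same upload again two days later, as the article describes.
    {"ts": "2017-08-27T18:30:00Z", "host": "api.example-app.test",
     "path": "/v1/contacts/sync", "body": SYNC_BODY},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

def find_contact_exfiltration(requests, contacts):
    """Map each endpoint that received known contacts to what it got and when."""
    findings = {}
    for req in requests:
        emails = {e.lower() for e in EMAIL_RE.findall(req["body"])} & contacts["emails"]
        # Strip formatting so "+1 555-010-2233" compares equal to "+15550102233".
        phones = {"+" + re.sub(r"\D", "", p) for p in PHONE_RE.findall(req["body"])} & contacts["phones"]
        if not (emails or phones):
            continue  # request carries none of the device's contacts
        entry = findings.setdefault(req["host"] + req["path"],
                                    {"phones": set(), "emails": set(), "uploads": []})
        entry["phones"] |= phones
        entry["emails"] |= emails
        entry["uploads"].append(req["ts"])  # repeated syncs show up here
    return findings

def address_book_coverage(findings, contacts):
    """Fraction of the device's phones and emails observed leaving the device."""
    seen_phones = set().union(*(f["phones"] for f in findings.values()))
    seen_emails = set().union(*(f["emails"] for f in findings.values()))
    total = len(contacts["phones"]) + len(contacts["emails"])
    return (len(seen_phones) + len(seen_emails)) / total if total else 0.0
```

Feeding the same functions a real proxy export (converted to the host/path/body shape above) against the contacts actually loaded on the test device gives the endpoint list and the share of the address book that left the phone.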
Sarahah did not initially comment on the issue, but Zain al-Abidin Tawfiq, Sarahah’s founder, later replied that the contacts functionality had been intended for a ‘find your friends’ feature and that the feature had been delayed due to “technical issues”.
When first launched, this app harvests and uploads all phone numbers and email addresses in your address book. https://interc.pt/2xnrXrn 
Sarahah App asked for contacts for a planned "find your friends" feature
While the company says this is a technical issue and that the functionality was to be removed from the app, it still raises questions about users’ privacy and how the app uses their data.
“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said.
Julian says if the company intends to continue accessing the data, it should specifically inform the user about the data they are giving up and where it is going. It should also provide the users with a legitimate reason as to why the app actually needs it.
