Just a couple of weeks back, Sarahah, an app that lets friends message you anonymously, took the internet by storm. It was the rage everywhere you went, and millions around the world fell for it. It gave people a platform to express their thoughts to another person under the cloak of anonymity, anonymity being the key factor here. If you were one of the people who gave in to the temptation of this seemingly harmless app, there is some bad news for you. The anonymous messaging app is secretly uploading all the information on your computer and PC to its servers.
The Intercept reported that the app is taking all the contact details and email addresses on your phone and computers and storing them on its servers. In some cases the app asks for permission before accessing them, but it has not disclosed anywhere that it is uploading them to its servers. As the app does not feature a friend list or a list that shows which of your friends are on Sarahah, there seems to be no plausible reason for the access and storage of contacts.
The security breach was detected by Zachary Julian, a senior security analyst at Bishop Fox. He downloaded the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software called Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers.
Julian told The Intercept, “As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system.” Though the app asks for permission on higher versions of Android, that is redundant given that most Android devices are slow in receiving the latest updates. The same problem extends to iOS users. Julian performed tests on the app and noticed that if you haven’t used the application in a while, it’ll share all of your contacts again.
The app’s creator, Zain al-Abidin Tawfiq, tweeted that the contacts functionality would be removed in a future release and had been intended for a “find your friends” feature. There is no means to verify whether Sarahah is actually storing our contacts despite its owner's claims. His reasoning is baseless, as the whole point of the app is anonymity and there's no feature for making friends.
While some of us may not have a very big issue with the app accessing our contacts, this is about an app not delivering what it has promised and putting user information in such a vulnerable position. The problem is that it was done without our consent and that it was not expected. Most users are unaware that data from their phone is with a third party and that they have no control over it.
However, users can also access Sarahah from its website, which does not use or store any of the user's private information. Also, if you wish to delete your Sarahah account, you can do so only by logging in from your computer, as the feature is missing in the app.