Sarahah is a new app that has recently become popular, with over 18 million downloads across the Apple and Google app stores combined. The app delivers anonymous, blunt messages to its users, and it has become the third most downloaded free app on iOS devices. The app claims to serve as a way to receive “honest feedback” from employees and folks, but according to Bishop Fox’s senior security analyst Zachary Julian, Sarahah does considerably more than collect honest feedback.
Sarahah was developed in Saudi Arabia. It is the latest in a series of apps, like the now-defunct Secret, that promise anonymity while engaging in disturbing privacy practices. Immediately after it is launched, the app extracts all the phone numbers and email addresses from the device’s address book and uploads them without notifying the user. Though Sarahah asks permission to access contacts, it doesn’t reveal that the data will be uploaded or used in any way.
Julian discovered that Sarahah uploads private information when he installed the app on his Galaxy S5 running Android 5.1.1. His phone was already set up with Burp Suite, monitoring software that intercepts internet traffic entering and leaving the device. This allows the owner of the device to see what data is being sent to remote servers. So, when Sarahah was launched on the device, Burp Suite captured the app’s malicious activity, and this is how Julian identified that the app transmits all the email and phone contacts stored on the device. The same data transfer takes place on both Android and iOS devices. The app initially prompts the user for permission to “access contacts.”
According to Julian’s findings, if the app hasn’t been used in a while, it will share the contacts again. Julian has also demonstrated this behavior in a video.
He tested this by using the app on Friday night and then launching it again on Sunday morning, at which point the app shared his contacts again.
Zain al-Abidin Tawfiq, the developer of Sarahah, responded to the news by tweeting that this particular issue will be fixed in the next version of the app. Speaking with The Intercept, Tawfiq stated that the feature was developed as a “find your friends” option, which got altered due to some technical issue. A partner, who no longer works with Tawfiq and co., was supposed to fix the flaw, but it apparently wasn’t dealt with. However, Tawfiq claims that the app does not store contacts in its databases.
Sarahah App asked for contacts for a planned “find your friends” feature
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
According to Drew Porter, founder of security firm Red Mesa, such issues are quite common with free apps like Sarahah. “It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised,” he said. “It’s not just, ‘Oh, this company can see my information, and I’m okay with that.’ You now have to think about the security of that company.”
Porter also said that what Sarahah does is concerning because of the critical nature of the information being retrieved and shared by the app. He added: “You don’t know the security of the company that is getting it. We’ve seen popular apps before, total information leakage comes out, and it’s devastating to those companies. I believe it’s even more devastating to the user whose information was compromised.”
Julian believes that it is not a technical flaw but a deliberately designed function of the app, since it asks for permission to access contacts but never mentions that the data will be uploaded to a server. On iOS devices, it asks for permission to access contacts “to show you who has an account in Sarahah,” while on Android devices it either gives no reason for accessing contacts or never asks for permission in the first place.
“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” says Julian, but this cannot justify sending the contacts to the server without any specific notification. Similarly, on iOS devices, the app never shows who else is using Sarahah, as it claims it will when requesting permission to access contacts.
“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” noted Julian.
Currently, it is unclear how the information uploaded by Sarahah is used, but the privacy policy states that none of the information will be sold to third parties without the user’s consent. Therefore, if the app does extract and upload contact information, Julian asserts that it would be much better for the company to come clean and inform users where the data is going and why it is being stored.
Source: The Intercept